6.1.2.1 Containers Security Boundary
The basis for a Container's security boundary is Solaris 10 privileges. Thus understanding the robust security boundary around Containers starts with an understanding of Solaris privileges.

Oracle Solaris implements two sorts of rights management. User rights management determines which privileged commands a nonprivileged user might execute. Consider the popular sudo program as an example of this kind of rights management. Process rights management determines which low-level, fine-grained, system-call-level actions a process can carry out.

Oracle Solaris privileges implement process rights management. Privileges are associated with specific actions—usually actions that are not typically permitted for non-root users. For example, there is a Solaris privilege associated with modification of the system's time clock. Normally, only the root user is permitted to change the clock. Solaris privileges reduce security risks: Instead of giving a person the root password just so that the person can modify the system time clock, that person's user account is given the appropriate privilege. The user is not permitted to perform any other actions typically reserved for the root user. Instead, the Solaris privileges allow the system administrator to grant a process just enough privilege to carry out its function but no more, thereby reducing the system's exposure to security breach or accident.

Thus, in contrast to the situation noted with earlier versions of Solaris and with many other UNIX-like operating systems, the root user in Oracle Solaris is able to perform any operation not because its UID number is zero, but rather because it has the required privileges. However, the root user can grant privileges to another user, enabling specific users to perform specific tasks or sets of tasks.

When a process attempts to perform a privileged operation, the kernel determines whether the owner of the process has the privilege(s) required to perform the operation. If the user, and therefore the user's process, has that privilege, the kernel permits that user to perform the associated operation.

A Container has a specific configurable subset of all privileges. The default subset provides normal operations for the Container, and prevents the Container's processes from learning about or interacting with other Containers' users, processes, and devices. The root user in the Container inherits all of the privileges that the Container has. Non-root users in a Container have, by default, the same set of privileges that non-root users of the global zone have.
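The following is an added illustration, not code from this book or from Oracle Solaris: a small Python model of the privilege checks this section describes, so the layering can be exercised directly. The kernel check passes only if the process owner holds every privilege the operation requires; a Container has a maximum set that only the platform administrator in the global zone changes; the Container's root inherits that whole set and may reshape the privilege sets of other users in the Container but never beyond the maximum; non-root users start with the basic set. The BASIC set lists the five privileges of the Solaris 10 basic set and sys_time is the real clock privilege; the operation-to-privilege table, the sample Container, its limit set and the user names are constructed for the example. On a real system the corresponding controls are zonecfg's limitpriv property and the defaultpriv key in user_attr(4).

```python
"""Model of the Solaris privilege checks described in this section.

Constructed illustration, not Solaris code: real administration uses
zonecfg's limitpriv property and the defaultpriv key in user_attr(4).
"""
from dataclasses import dataclass, field

# The Solaris 10 "basic" privilege set, held by ordinary non-root processes.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})

# Privilege each sample operation needs (sys_time is the real clock privilege;
# the mapping itself is a constructed subset for this example).
REQUIRED = {
    "set_clock": {"sys_time"},
    "fork": {"proc_fork"},
    "mount": {"sys_mount"},
}


class PrivilegeError(Exception):
    """Raised when an actor tries to grant beyond what it may grant."""


@dataclass
class Container:
    name: str
    # Maximum set of the Container (zonecfg limitpriv); only the platform
    # administrator in the global zone may change it.
    limit: frozenset
    # Per-user privilege sets assigned by the Container's root user.
    user_privs: dict = field(default_factory=dict)

    def privileges_of(self, user: str) -> frozenset:
        """Effective privileges of a process owned by `user` in this Container."""
        if user == "root":
            return self.limit                      # root inherits the whole limit set
        # Non-root users default to BASIC; nothing ever exceeds the limit set.
        return self.user_privs.get(user, BASIC) & self.limit

    def grant(self, actor: str, user: str, privs) -> None:
        """Container root may reshape user privilege sets, but never exceed limit."""
        if actor != "root":
            raise PrivilegeError(f"{actor} may not change privileges in {self.name}")
        privs = frozenset(privs)
        excess = privs - self.limit
        if excess:
            raise PrivilegeError(f"{sorted(excess)} outside limit set of {self.name}")
        self.user_privs[user] = privs


def set_limit(container: Container, privs) -> None:
    """Platform administrator (global zone root) raising or lowering the maximum set."""
    container.limit = frozenset(privs)
    # Users already holding more than the new limit are capped by privileges_of().


def kernel_check(container: Container, user: str, operation: str) -> bool:
    """The kernel's decision: permitted only if the owner holds every required privilege."""
    return REQUIRED[operation] <= container.privileges_of(user)


if __name__ == "__main__":
    web = Container("web", limit=BASIC | {"sys_time"})   # constructed limit set
    print(kernel_check(web, "root", "set_clock"))          # True: root inherits sys_time
    print(kernel_check(web, "alice", "set_clock"))         # False: alice has only BASIC
    web.grant("root", "alice", BASIC | {"sys_time"})
    print(kernel_check(web, "alice", "set_clock"))         # True after the grant
    try:
        web.grant("root", "bob", BASIC | {"sys_mount"})   # sys_mount is outside limit
    except PrivilegeError as e:
        print("refused:", e)
    set_limit(web, BASIC)                                  # platform admin shrinks limit
    print(kernel_check(web, "root", "set_clock"))          # False: not even root now
```

The last step is the point worth noticing for boundary design: once the platform administrator removes a privilege from the Container's maximum set, no grant made inside the Container can bring it back, and the Container's own root loses it along with everyone else.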
The platform administrator—normally the root user of the global zone—can configure Containers as necessary, including increasing or decreasing the maximum set of privileges that a Container has. No user in that Container can exceed that maximum set—not even the Container's root user. The root user of a Container can modify the set of privileges of users in that Container, but cannot modify the set of privileges that the Container can have. In other words, the maximum set of