Solaris services that listen to the network except for sshd. We will access the
Container from the global zone with the zlogin command, so we can disable that
service as well. The service rpc/bind doesn't allow connections, but would show
up in a port scan, so we'll disable it, too.
GZ# zoneadm -z timelord boot
GZ# zlogin timelord
timelord# netservices limited
timelord# svcadm disable rpc/bind
timelord# svcadm disable ssh
timelord# exit
GZ# zoneadm -z timelord halt
The next step is to remove unnecessary privileges. It can be challenging to
determine the complete set of privileges needed by a program unless you can
exercise all of the code in the program. However, we can make some educated
guesses. We know that this Container will not be using NFS, so we can remove the
sys_nfs privilege. Also, we choose not to support system accounting or auditing,
although we could use those services if we wished. With that choice, we can
remove the privileges sys_audit and sys_acct.
We can use zonecfg to remove those three privileges.
GZ# zonecfg -z timelord
zonecfg:timelord> set limitpriv=default,!sys_nfs,!sys_audit,!sys_acct
zonecfg:timelord> exit
At this point, the Container is configured without unnecessary privileges and
without network services. Next, we must discover the privileges needed to run our
application. Our first attempt to run the application may succeed. If that happens,
there is no need to change the list of privileges that the Container has. If the
attempt fails, however, we can determine the missing privileges with privdebug, a
Perl script.
The privdebug script uses the DTrace facility. It watches the kernel verify that
processes have the privileges needed to perform privileged operations. When it
detects one of these privilege checks, it displays the name of the privilege and the
success or failure of the verification. This script will work only within the global zone.
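The two steps above (trimming limitpriv with zonecfg, then adding back whatever privdebug reports as missing) can be turned into a small repeatable script. The following is an added example written for this page, not code from the book or from the privdebug project. It assumes that privdebug prints one line per privilege check with a STAT column of USED or NEED followed by the privilege name (the sample log lines and the column layout are constructed assumptions), and that zonecfg accepts a subcommand as a command-line argument.

```shell
#!/bin/sh
# Added example, not from the book: derive a zonecfg limitpriv value from
# the privileges we choose to drop and from the NEED lines of a privdebug run.
# The log layout (STAT PRIV PID CMD) and these sample lines are constructed.

PRIVDEBUG_SAMPLE='STAT PRIV PID CMD
USED proc_fork 4021 sh
USED proc_exec 4022 ntpdate
NEED sys_time 4022 ntpdate
USED net_privaddr 4022 ntpdate
NEED sys_time 4022 ntpdate'

# Print the distinct privilege names the kernel refused (STAT == NEED),
# one per line, sorted. Reads the privdebug log on stdin; skips the header.
needed_privs() {
    awk 'NR > 1 && $1 == "NEED" { print $2 }' | sort -u
}

# Build a limitpriv string: start from "default", negate each privilege in
# the drop list, then grant each privilege in the need list.
# A privilege observed as needed is never dropped, even if listed for removal.
# Arguments: "drop list" "need list", both space-separated words.
build_limitpriv() {
    drop="$1"; need="$2"
    out="default"
    for p in $drop; do
        case " $need " in *" $p "*) continue ;; esac
        out="$out,!$p"
    done
    for p in $need; do
        out="$out,$p"
    done
    printf '%s\n' "$out"
}

# Emit the zonecfg invocation that applies the computed limitpriv to a zone.
# Printed rather than executed so it can be reviewed before the zone is rebooted.
zonecfg_command() {
    zone="$1"; limitpriv="$2"
    printf "zonecfg -z %s 'set limitpriv=%s'\n" "$zone" "$limitpriv"
}

main() {
    need=$(printf '%s\n' "$PRIVDEBUG_SAMPLE" | needed_privs | tr '\n' ' ')
    lp=$(build_limitpriv "sys_nfs sys_audit sys_acct" "$need")
    zonecfg_command timelord "$lp"
}

main
```

Run it as-is to see the command it would generate for the sample log; in practice, replace PRIVDEBUG_SAMPLE with the output of a real privdebug session run from the global zone while the application is exercised. Only privileges the kernel actually refused are added back, so the resulting limitpriv stays as small as the observed run allows.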
For this example, we will use ntpdate(1M) to synchronize the system's time
clock with time servers on the Internet. For ntpdate to run, it needs network
access, which must be enabled with zonecfg. As discussed in Chapter 6, the two
choices for network configuration are shared-IP and exclusive-IP. For this
example, we will use shared-IP to prevent an intruder from successfully modifying
the network configuration or launching attacks on other systems.