Bug #980
opensvc.configd should be less trusting of cross-zone callers
Description
svc.configd will accept door calls from anyone with permission on the door, but its authentication scheme is based on the authorizations contained in the name service of the local zone. If the name service isn't synced, this will lead to confusion at best. At present, this is only a nit, but with Joyent's changes (#945/#947) it becomes much more obvious that a cross-zone call is something you can do, and we should probably fix it.
I propose that svc.configd should require that a caller have all privileges if it is coming from a zone other than that in which configd is running.
Due to this same basic issue with regard to the filesystem, by default only root may enter the zone root from the NGZ, so the GZ admin would have to put effort into getting themselves into this mess (giving at least file_dac_search and probably others to a GZ user), so I don't consider it pressing.
Updated by Rich Lowe about 12 years ago
- Assignee deleted (Rich Lowe)
- Difficulty changed from Medium to Bite-size
I'm not working on this at present, but it should be pretty easy. The configd sources contain a ucred_is_privileged
that does what we want (actually, we don't need the zone magic, so something like:

    #include <err.h>
    #include <priv.h>
    #include <sys/types.h>
    #include <ucred.h>
    #include <unistd.h>

    /* Return B_TRUE if the caller's effective privilege set is the full set. */
    boolean_t
    is_full(ucred_t *ucp)
    {
    	const priv_set_t *psp;

    	if ((psp = ucred_getprivset(ucp, PRIV_EFFECTIVE)) == NULL)
    		err(1, "failed to get privset");
    	return (priv_isfullset(psp));
    }

is as effective)

The only annoying part is figuring out how to fit this into configd's perm_granted
without breaking anything (the zone information is also in the ucred).
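The following is an added example, not code from the bug report or from illumos, showing the decision the description and the comment above are discussing: the check as it stands (caller's user name resolved against the local zone's name service no matter where the call came from) beside the proposed rule (a caller from another zone is trusted only if it holds all privileges). The `caller_t` struct, the `local_auths` table and the zone ids are constructed stand-ins so it runs anywhere; on illumos the two fields would be filled from `ucred_getzoneid()` and `priv_isfullset(ucred_getprivset(ucp, PRIV_EFFECTIVE))`. The same-zone branch is an assumption about how configd's existing perm_granted behaves, not a copy of it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for what svc.configd would read from the door
 * caller's ucred_t.  On illumos, zoneid comes from ucred_getzoneid(ucp) and
 * has_full_privs from priv_isfullset(ucred_getprivset(ucp, PRIV_EFFECTIVE));
 * here they are plain fields so the example runs anywhere.
 */
typedef struct caller {
	int zoneid;		/* zone the door caller is executing in */
	int has_full_privs;	/* 1 if the effective privilege set is full */
	const char *user;	/* user name, meaningful only in the caller's zone */
} caller_t;

/* Constructed stand-in for the local zone's name service (user_attr-style). */
typedef struct auth_entry {
	const char *user;
	const char *auth;
} auth_entry_t;

static const auth_entry_t local_auths[] = {
	{ "svcadmin", "solaris.smf.modify" },
	{ "svcadmin", "solaris.smf.manage" },
	{ NULL, NULL }
};

/* Look a (user, authorization) pair up in the local zone's name service. */
static int
local_zone_has_auth(const char *user, const char *auth)
{
	const auth_entry_t *e;

	for (e = local_auths; e->user != NULL; e++) {
		if (strcmp(e->user, user) == 0 && strcmp(e->auth, auth) == 0)
			return (1);
	}
	return (0);
}

/*
 * The check as the bug describes it today: the caller's user name is
 * resolved against the local zone's name service regardless of which zone
 * the caller came from, so a same-named user in another zone matches.
 */
int
perm_granted_trusting(const caller_t *c, int configd_zoneid, const char *auth)
{
	(void) configd_zoneid;
	if (c->has_full_privs)
		return (1);
	return (local_zone_has_auth(c->user, auth));
}

/*
 * The check following the proposal: a caller from any zone other than
 * configd's own is granted only if it holds all privileges, and the local
 * name service is never consulted for it.  Same-zone callers go through the
 * existing path (assumed here: full privileges pass, otherwise look up the
 * authorization locally).
 */
int
perm_granted_hardened(const caller_t *c, int configd_zoneid, const char *auth)
{
	if (c->zoneid != configd_zoneid)
		return (c->has_full_privs);
	if (c->has_full_privs)
		return (1);
	return (local_zone_has_auth(c->user, auth));
}

int
main(void)
{
	/* Constructed callers; configd is taken to run in zone 1. */
	const caller_t local_admin   = { 1, 0, "svcadmin" };
	const caller_t other_zone    = { 2, 0, "svcadmin" }; /* same name, other zone */
	const caller_t other_zone_gz = { 2, 1, "root" };     /* all privileges */
	const char *auth = "solaris.smf.modify";

	printf("local svcadmin:   trusting=%d hardened=%d\n",
	    perm_granted_trusting(&local_admin, 1, auth),
	    perm_granted_hardened(&local_admin, 1, auth));
	printf("zone-2 svcadmin:  trusting=%d hardened=%d\n",
	    perm_granted_trusting(&other_zone, 1, auth),
	    perm_granted_hardened(&other_zone, 1, auth));
	printf("zone-2 all-privs: trusting=%d hardened=%d\n",
	    perm_granted_trusting(&other_zone_gz, 1, auth),
	    perm_granted_hardened(&other_zone_gz, 1, auth));
	return (0);
}
```

The second row is the case the description calls "confusion at best": a user named svcadmin in zone 2 is granted by the trusting check because the name happens to exist in configd's zone, and refused by the hardened one because the cross-zone test runs before any name-service lookup. Fitting this into the real perm_granted means doing the zone comparison first, so that the local-zone lookup is only ever reached by callers whose user names the local name service actually describes.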