



Network Security Focus-Sun

Re: (mis)using RBAC...

Subject: Re: (mis)using RBAC...
Date: Fri, 15 Apr 2005 11:51:12 -0400

Benjamin,

benjamin brumaire wrote:

On Solaris 10 you should try to give the http daemon the privilege to open privileged ports, "PRIV_NET_PRIVADDR", so it doesn't need to be started as root :)

This is exactly the focus of the article to be published next month. There are a few things you need to do besides just changing the UID and privilege sets for this to work, which is why I wrote it up as a Sun BluePrints Cookbook. In addition, you can also remove some of the default (basic) privileges from the service since Apache will not need them. As a teaser, what you will be left with is something like:

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default


I will make a note on my blog when the new article is published.

Take care,
g

--
Glenn M. Brunette, Jr.
Distinguished Engineer, Chief Security Architect
Client Solutions, Global Data Center Practice CTO
Sun Microsystems, Inc.
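
Added example, not part of the original message or of the BluePrints article it mentions: a small audit of `svcprop -v -p start` output that expands the privilege specification and flags a start method that still runs as root or with an unrestricted privilege set. It assumes the Solaris 10 default basic set listed in BASIC, that tokens are applied left to right, and that ":default" means the value is inherited; the function names are hypothetical.

```python
# Assumption: the Solaris 10 default "basic" privilege set.
BASIC = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}

# Sample input: a subset of the svcprop output quoted in the message above.
SAMPLE = r"""start/exec astring /lib/svc/method/http-apache2\ start
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
"""

def parse_svcprop(text):
    """Map 'name type value' lines from svcprop -v to {name: value}."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            # svcprop escapes embedded spaces with a backslash
            props[parts[0]] = parts[2].replace("\\ ", " ")
    return props

def effective_privileges(spec):
    """Expand a spec such as 'basic,!proc_info,net_privaddr' into a set."""
    privs = set()
    for token in spec.split(","):
        token = token.strip().lower()
        if token == "basic":
            privs |= BASIC
        elif token.startswith("!"):
            privs.discard(token[1:])
        elif token:
            privs.add(token)
    return privs

def audit(text):
    """Return (effective privilege set, list of findings)."""
    props = parse_svcprop(text)
    findings = []
    if props.get("start/user", ":default") in ("root", "0", ":default"):
        findings.append("start method runs as root or an inherited user")
    spec = props.get("start/privileges", ":default")
    if spec == ":default":
        findings.append("start/privileges is not restricted")
        return set(), findings
    privs = effective_privileges(spec)
    if privs & {"all", "zone"}:
        findings.append("start/privileges grants a full privilege set")
    return privs, findings
```

For the output quoted above, `audit(SAMPLE)` reports no findings and an effective set of proc_exec, proc_fork and net_privaddr.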
