Solaris 11.3 extended privilege profile exec returns EOVERFLOW

Time: 2016-03-08 16:11:00

Tags: security solaris privileges

Running java with a profile that contains a long list of file_read extended attributes produces the following error:

# pfexec /usr/jdk/instances/jdk1.8.0/bin/java -cp /vagrant HelloWorld
/usr/jdk/instances/jdk1.8.0/bin/java: Value too large for defined data type

When I run it under truss, I see that the exec error is:

execve("/usr/jdk/instances/jdk1.8.0/bin/java", 0xFCEA4B60, 0xFCEA4B74) Err#79 EOVERFLOW

The execve man page does not list EOVERFLOW as a possible return value.

It seems to be related to the number of file_read extended attributes I put in the profile. Here is how to reproduce the problem. The HelloWorld.java source is trivial, but it helps confirm with ppriv -v pid that the privileges are assigned correctly.

public class HelloWorld {
  public static void main( String[] args ) {
    System.out.println("Sleeping");
    try {
      Thread.sleep(50000);
    } catch( Exception e ) {
    }
    System.out.println("Hello World");
  }
}

There appears to be a bug in the profiles command: it refuses to generate a large enough list of file_read attributes. To create the profile, you have to edit the generated /etc/security/exec_attr as follows.

# profiles -p test 'set desc=testing; add cmd=/usr/jdk/instances/jdk1.8.0/bin/java; set privs=basic; end; commit'
# usermod -P+test root

Manually edit /etc/security/exec_attr to contain the following, which gives java its minimal privilege set without any privilege errors (backslashes added for readability; they are permitted in the exec_attr file):

test:solaris:cmd:::/usr/jdk/instances/jdk1.8.0/bin/java:privs=\
{file_read}\:/lib/amd64/libc.so.1,\
{file_read}\:/lib/amd64/libcryptoutil.so.1,\
{file_read}\:/lib/amd64/libdl.so.1,\
{file_read}\:/lib/amd64/libdoor.so.1,\
{file_read}\:/lib/amd64/libelf.so.1,\
{file_read}\:/lib/amd64/libgen.so.1,\
{file_read}\:/lib/amd64/libkstat.so.1,\
{file_read}\:/lib/amd64/libm.so.1,\
{file_read}\:/lib/amd64/libm.so.2,\
{file_read}\:/lib/amd64/libmp.so.2,\
{file_read}\:/lib/amd64/libnsl.so.1,\
{file_read}\:/lib/amd64/libnvpair.so.1,\
{file_read}\:/lib/amd64/libscf.so.1,\
{file_read}\:/lib/amd64/libsocket.so.1,\
{file_read}\:/lib/amd64/libthread.so.1,\
{file_read}\:/lib/amd64/libucrypto.so.1,\
{file_read}\:/lib/amd64/libuutil.so.1,\
{file_read}\:/lib/amd64/libz.so.1,\
{file_read}\:/proc/*,\
{file_read}\:/system/volatile/name_service_door,\
{file_read}\:/system/volatile/tzsync,\
{file_read}\:/tmp,\
{file_read}\:/tmp/hsperfdata_root,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/bin/java,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/jvm.cfg,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libjava.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libverify.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libzip.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/server/libjvm.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/resources.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/rt.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/lib/amd64/jli/libjli.so,\
{file_read}\:/usr/lib/amd64/libCrun.so.1,\
{file_read}\:/usr/lib/amd64/libdemangle.so.1,\
{file_read}\:/usr/lib/amd64/libsched.so.1,\
{file_read}\:/usr/lib/amd64/libsmbios.so.1,\
{file_read}\:/usr/share/lib/zoneinfo/US/Eastern,\
{file_read}\:/vagrant/HelloWorld.class;limitprivs=file_read

To trigger the error, I added {file_read}\:/absolute/path entries until it appeared. I used pre-existing files, produced by running find /usr/lib -name '*.jar', and kept adding them until exec failed with EOVERFLOW.

In my case, the following list of files was enough. Removing any single one of them is enough to make it work again.

{file_read}\:/usr/lib/rad/java/authentication.jar,\
{file_read}\:/usr/lib/rad/java/authentication_1.jar,\
{file_read}\:/usr/lib/rad/java/config.jar,\
{file_read}\:/usr/lib/rad/java/config_1.jar,\
{file_read}\:/usr/lib/rad/java/container.jar,\
{file_read}\:/usr/lib/rad/java/container_1.jar,\
{file_read}\:/usr/lib/rad/java/control.jar,\
{file_read}\:/usr/lib/rad/java/control_1.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/errors.jar,\
{file_read}\:/usr/lib/rad/java/errors_1.jar,\
{file_read}\:/usr/lib/rad/java/evscntl.jar,\
{file_read}\:/usr/lib/rad/java/evscntl_1.jar,\
{file_read}\:/usr/lib/rad/java/files.jar,\
{file_read}\:/usr/lib/rad/java/files_1.jar,\
{file_read}\:/usr/lib/rad/java/kstat.jar,\
{file_read}\:/usr/lib/rad/java/kstat_1.jar,\
{file_read}\:/usr/lib/rad/java/modules.jar,\
{file_read}\:/usr/lib/rad/java/modules_1.jar,\
{file_read}\:/usr/lib/rad/java/network.jar,\
{file_read}\:/usr/lib/rad/java/network_1.jar,\
{file_read}\:/usr/lib/rad/java/pam.jar,\
{file_read}\:/usr/lib/rad/java/pam_1.jar,\
{file_read}\:/usr/lib/rad/java/panels.jar,\
{file_read}\:/usr/lib/rad/java/panels_1.jar,\
{file_read}\:/usr/lib/rad/java/rad.jar,\
{file_read}\:/usr/lib/rad/java/smf.jar,\
{file_read}\:/usr/lib/rad/java/smf_1.jar,\
{file_read}\:/usr/lib/rad/java/smf_old.jar,\
{file_read}\:/usr/lib/rad/java/smf_old_1.jar,\
{file_read}\:/usr/lib/rad/java/time.jar,\
{file_read}\:/usr/lib/rad/java/time_1.jar,\
{file_read}\:/usr/lib/rad/java/usermgr.jar,\
{file_read}\:/usr/lib/rad/java/usermgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge_1.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/engines.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/metricdata.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/core.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/scripts.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/ocmcert.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraPrereq.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraCheckPoint.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstallerNet.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstaller.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/share.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/xmlparserv2.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OCMRFCreator.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OpsCenterHarvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emCCR.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emgcharvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt-14.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmcommon.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmdsf.jar

Make sure your profile changes are reflected by running profiles -l.

Are these simply two bugs in Solaris 11.3? One in the profiles command (which can be worked around), and another in the kernel (which is not easy to work around)?

1 Answer:

Answer 0: (score: 1)

First, why not use a wildcard such as {file_read}\:/usr/lib/rad/java/*? That would limit the number of entries. Also, when we are talking about {file_read}, having that many files is going to be very expensive.

The number of rules is limited, but there is an (undocumented) tunable: xpol_rules_max. You can add the following line to /etc/system:

set xpol_rules_max=100

or change it dynamically with mdb -wk, as follows:

# mdb -wk
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc pcplusmp zvpsm scsi_vhci zfs sata sd ip hook neti arp usba kssl sockfs lofs random idm cpc crypto fcip fctl nfs ufs logindmux ptm sppp ]
> xpol_rules_max/x
xpol_rules_max:
xpol_rules_max: 64
> xpol_rules_max/w 100
xpol_rules_max: 0x64 = 0x100
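As an added example (not part of the question or the answer), the following POSIX shell check counts the {priv}\:path rules in each exec_attr entry, joining the backslash-continued lines used in the question, and compares a named profile against the rule limit the answer describes. The exec_attr it parses is a constructed sample, and its default limit of 100 assumes mdb printed the tunable in hex (0x64), which is consistent with the question's entry failing at 101 rules.

```shell
#!/bin/sh
# Added example, not from the original post: count the extended-privilege rules
# ("{file_read}\:path" items) attached to each /etc/security/exec_attr entry so
# a profile can be checked against the kernel rule limit before pfexec fails
# with EOVERFLOW.

# Print "<profile> <rule-count>" for every entry read on stdin. Backslash-
# continued lines, as in the question's entry, are joined before counting.
count_xpol_rules() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # entry continues on next line
    {
      line = buf $0; buf = ""
      if (line ~ /^[ \t]*(#|$)/) next              # skip comments and blank lines
      split(line, f, ":")                          # field 1 is the profile name
      n = gsub(/[{][a-z_]+[}]\\?:/, "&", line)     # one match per "{priv}\:" rule
      print f[1], n
    }'
}

# Rule count for profile NAME (exec_attr on stdin); 0 if it has no entry.
rules_for_profile() {
  count_xpol_rules | awk -v p="$1" '$1 == p { n = $2; exit } END { print n + 0 }'
}

# Succeed when profile NAME has at most LIMIT rules. LIMIT defaults to 100:
# the answer's mdb session prints xpol_rules_max in hex, so the stock 0x64 is
# 100 rules in decimal, which matches the question's entry failing at 101.
check_profile_rules() {   # usage: check_profile_rules NAME [LIMIT] < exec_attr
  [ "$(rules_for_profile "$1")" -le "${2:-100}" ]
}

# Constructed sample exec_attr (not a real system file): "small" has 3 rules,
# "big" has 5 spread over continuation lines and includes wildcard entries.
SAMPLE=$(cat <<'EOF'
# comment line
All:solaris:act:::*;*;*;*;*:
small:solaris:cmd:::/usr/bin/cat:privs={file_read}\:/etc/motd,{file_read}\:/tmp,{file_write}\:/tmp
big:solaris:cmd:::/usr/jdk/instances/jdk1.8.0/bin/java:privs=\
{file_read}\:/lib/amd64/libc.so.1,\
{file_read}\:/usr/lib/rad/java/*,\
{file_read}\:/proc/*,{file_read}\:/tmp,\
{file_read}\:/vagrant/HelloWorld.class;limitprivs=file_read
EOF
)

printf '%s\n' "$SAMPLE" | count_xpol_rules
printf '%s\n' "$SAMPLE" | check_profile_rules big 4 || echo "big: more than 4 rules"
```

On a live system, run rules_for_profile test < /etc/security/exec_attr to see how close the question's profile is to the limit, and check_profile_rules test 256 after raising the tunable.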
