\u041f\u043e\u044f\u0432\u0438\u043b\u0430\u0441\u044c \u0437\u0430\u0434\u0430\u0447\u0430: \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u044e\u0437\u0435\u0440\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u044b \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u043c\u043e\u0433 \u0441\u0434\u0435\u043b\u0430\u0442\u044c, \u043a\u0440\u043e\u043c\u0435 \u043a\u0430\u043a \u0447\u0438\u0442\u0430\u0442\u044c \u0444\u0430\u0439\u043b (\u0432 \u0438\u0434\u0435\u0430\u043b\u0435 \u0442\u043e\u043b\u044c\u043a\u043e 1 )), \u043d\u043e \u044d\u0442\u043e \u043e\u043a\u0430\u0437\u0430\u043b\u043e\u0441\u044c \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u043c, \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043a\u0430).<\/p>\n
\u0412 Solaris<\/strong> \u0437\u0430 \u043f\u0440\u0430\u0432\u0430 \u044e\u0437\u0435\u0440\u0443 \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 RBAC<\/strong>. \u041e\u043d \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043a\u0430\u043a \u0440\u0430\u0441\u0448\u0438\u0440\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0430, \u0442\u0430\u043a \u0438 \u0441\u0443\u0437\u0438\u0442\u044c. \u041f\u043e \u0434\u0435\u0444\u043e\u043b\u0442\u0443 \u043d\u043e\u0432\u043e\u043c\u0443 \u044e\u0437\u0435\u0440\u0443 \u043f\u0440\u0438\u0441\u0432\u0430\u0438\u0432\u0430\u0435\u0442\u0441\u044f 2 \u043f\u0440\u043e\u0444\u0438\u043b\u044f: All<\/strong> \u0438\u00a0Basic Solaris User<\/strong>:<\/p>\n <\/p>\n \u0421\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u043d\u043e\u0432\u044b\u0439 \u043f\u0440\u043e\u0444\u0438\u043b\u044c Restrict User<\/strong>, \u0430 \u043d\u0443\u0436\u043d\u044b\u0435 \u0431\u0443\u0434\u0435\u043c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u043f\u043e \u043c\u0435\u0440\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438. \u0427\u0442\u043e \u0431\u044b \u0447\u0438\u0442\u0430\u0442\u044c \u0444\u0430\u0439\u043b\u044b, \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u043d\u0443\u0436\u043d\u044b \u043f\u0440\u0430\u0432\u0430 file_read<\/strong>. \u0418 \u0442\u0430\u043a:<\/p>\n \u0422\u0435\u043f\u0435\u0440\u044c \u0441\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u044e\u0437\u0435\u0440\u0430 test<\/strong> \u0438 \u0443\u043a\u0430\u0436\u0435\u043c \u043d\u0443\u0436\u043d\u044b\u0439 \u043f\u0440\u043e\u0444\u0438\u043b\u044c:<\/p>\n \u041f\u0440\u043e\u0431\u0443\u0435\u043c \u043f\u0435\u0440\u0435\u043a\u043b\u044e\u0447\u0438\u0442\u044c\u0441\u044f \u043d\u0430 test<\/strong>:<\/p>\n \u041a\u0430\u043a \u0432\u0438\u0434\u0438\u043c, \u043d\u0435 \u0445\u0432\u0430\u0442\u0430\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u043b\u0435\u0433\u0438\u0439 proc_exec<\/strong>, \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0438 \u043f\u0440\u043e\u0431\u0443\u0435\u043c:<\/p>\n \u0423\u0436\u0435 \u043b\u0443\u0447\u0448\u0435, \u0437\u0430\u043b\u043e\u0433\u0438\u043d\u0438\u043b\u0438\u0441\u044c, \u043d\u043e \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u043c\u043e\u0436\u0435\u043c. \u0414\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c proc_fork<\/strong> \u0438 \u043f\u0440\u043e\u0431\u0443\u0435\u043c:<\/p>\n \u0421\u0432\u043e\u0435\u0439 \u0446\u0435\u043b\u0438 \u043c\u044b \u0434\u043e\u0441\u0442\u0438\u0433\u043b\u0438<\/p>\n \u0412 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0439, \u043c\u043e\u0436\u043d\u043e \u0437\u0430\u0434\u0430\u0442\u044c \u044e\u0437\u0435\u0440\u0443 \u043e\u0431\u043e\u043b\u043e\u0447\u043a\u0443 “Restricted<\/strong> bash<\/strong>” – \/usr\/bin\/rbash<\/strong>. \u041d\u043e \u0435\u0451 \u043b\u0435\u0433\u043a\u043e \u043e\u0431\u043e\u0439\u0442\u0438, \u0435\u0441\u043b\u0438 \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c bash<\/strong> \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u0438\u0437 rbash’a<\/strong>.<\/p>\n \u0412\u043e\u0442 \u043a\u0430\u043a\u0438\u0435 \u0431\u0443\u0434\u0443\u0442 \u0434\u0435\u0439\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f:<\/p>\n \u0414\u043b\u044f \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0430 basic<\/strong> \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443:<\/p>\n \u0415\u0441\u043b\u0438 \u043d\u0443\u0436\u043d\u043e \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435, \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c \u043a\u043b\u044e\u0447 ‘-v<\/strong>‘:<\/p>\n \u041f\u043e\u044f\u0432\u0438\u043b\u0430\u0441\u044c \u0437\u0430\u0434\u0430\u0447\u0430: \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u044e\u0437\u0435\u0440\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u044b \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u043c\u043e\u0433 \u0441\u0434\u0435\u043b\u0430\u0442\u044c, \u043a\u0440\u043e\u043c\u0435 \u043a\u0430\u043a \u0447\u0438\u0442\u0430\u0442\u044c \u0444\u0430\u0439\u043b (\u0432 \u0438\u0434\u0435\u0430\u043b\u0435 \u0442\u043e\u043b\u044c\u043a\u043e 1 )), \u043d\u043e \u044d\u0442\u043e \u043e\u043a\u0430\u0437\u0430\u043b\u043e\u0441\u044c \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u043c, \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043a\u0430). \u0412 Solaris \u0437\u0430 \u043f\u0440\u0430\u0432\u0430 \u044e\u0437\u0435\u0440\u0443 \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 RBAC. \u041e\u043d \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043a\u0430\u043a \u0440\u0430\u0441\u0448\u0438\u0440\u0438\u0442\u044c \u043f\u0440\u0430\u0432\u0430, \u0442\u0430\u043a \u0438 \u0441\u0443\u0437\u0438\u0442\u044c. \u041f\u043e \u0434\u0435\u0444\u043e\u043b\u0442\u0443 \u043d\u043e\u0432\u043e\u043c\u0443 \u044e\u0437\u0435\u0440\u0443 \u043f\u0440\u0438\u0441\u0432\u0430\u0438\u0432\u0430\u0435\u0442\u0441\u044f 2 \u043f\u0440\u043e\u0444\u0438\u043b\u044f: All \u0438\u00a0Basic Solaris User: $ profiles skeletor skeletor: […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[],"class_list":["post-4101","post","type-post","status-publish","format-standard","hentry","category-solaris"],"_links":{"self":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4101"}],"version-history":[{"count":7,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4101\/revisions"}],"predecessor-version":[{"id":6393,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4101\/revisions\/6393"}],"wp:attachment":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}$ profiles skeletor
\nskeletor:
\nBasic Solaris User
\nAll<\/code><\/p>\n# profiles -p \"Restrict User\"
\nprofiles:Restrict User>set\u00a0name=Restrict User
\nprofiles:Restrict User>set\u00a0desc=Restrict user
\nprofiles:Restrict User>set\u00a0privs=file_read
\nprofiles:Restrict User>set\u00a0defaultpriv=file_read
\nprofiles:Restrict User>commit
\nprofiles:Restrict User>exit<\/code><\/p>\n# useradd -P \"Restrict User\" test<\/code><\/p>\n# ppriv -e -D su - test
\nsu[1992]: missing privilege \"proc_exec\" (euid = 60005, syscall = 59) for \"\/usr\/bin\/bash\" needed at exec_common+0x392
\nsu: Insufficient privilege to execute shell<\/code><\/p>\n# profiles -p \"Restrict User\"
\nprofiles:Restrict User>add\u00a0privs=proc_exec
\nprofiles:Restrict User>add\u00a0defaultpriv=proc_exec
\nprofiles:Restrict User>commit
\nprofiles:Restrict User>exit
\n# ppriv -e -D su - test
\nbash[1995]: missing privilege \"proc_fork\" (euid = 60005, syscall = 142) needed at cfork+0x72
\n-bash: fork: Not owner
\n-bash-4.1$ ls
\nbash[1995]: missing privilege \"proc_fork\" (euid = 60005, syscall = 142) needed at cfork+0x72
\n-bash: fork: Not owner
\n-bash-4.1$ <\/code><\/p>\n# profiles -p \"Restrict User\"
\nprofiles:Restrict User>add\u00a0privs=proc_fork
\nprofiles:Restrict User>add\u00a0defaultpriv=proc_fork
\nprofiles:Restrict User>commit
\nprofiles:Restrict User>exit
\n# ppriv -e -D su - test
\nquota[1999]: missing privilege \"sys_config\" (euid = 60005, syscall = 54) needed at zfs_secpolicy_config+0x1a
\nOracle Corporation SunOS 5.11 11.1 December 2013
\n-bash-4.1$ tail \/var\/log\/syslog.1
\nJul 9 20:40:41 solaris11.local sendmail[1039]: [ID 702911 mail.info] starting daemon (8.14.5+Sun): SMTP+queueing@00:15:00
\nJul 26 16:08:14 solaris11.local sendmail[932]: [ID 702911 mail.warning] gethostbyaddr(10.5.5.219) failed: 1
\n-bash-4.1$ netcat localhost 22
\nnc[2008]: missing privilege \"net_access\" (euid = 60005, syscall = 68) needed at udp_do_open+0x38
\nnc[2008]: missing privilege \"net_access\" (euid = 60005, syscall = 68) needed at udp_do_open+0x38
\nnc[2008]: missing privilege \"net_access\" (euid = 60005, syscall = 230) needed at tcp_create_common+0x5f
\nnetcat: failed to create socket: Permission denied
\nnc[2008]: missing privilege \"net_access\" (euid = 60005, syscall = 230) needed at tcp_create_common+0x5f
\nnetcat: failed to create socket: Permission denied
\n-bash-4.1$ ls -la
\ntotal 6
\ndrwxr-xr-x 2 test root 2 Mar 30 2013 .
\ndrwxr-xr-x 6 root root 6 Apr 2 2013 ..
\n-bash-4.1$ mkdir 1
\nmkdir[2015]: missing privilege \"file_write\" (euid = 60005, syscall = 102) for \"\/export\/home\/test\/1\" needed at fop_mkdir+0x128
\nmkdir: Failed to make directory \"1\"; Permission denied<\/code><\/p>\n o changing directories with cd\n\n o setting or unsetting the values of SHELL, PATH, ENV, or\n BASH_ENV\n\n o specifying command names containing \/\n\n o specifying a file name containing a \/ as an argument to\n the . builtin command\n\n o Specifying a filename containing a slash as an argument\n to the -p option to the hash builtin command\n\n o importing function definitions from the shell environ-\n ment at startup\n\n o parsing the value of SHELLOPTS from the shell environ-\n ment at startup\n\n o redirecting output using the >, >|, <>, >&, &>, and >>\n redirection operators\n\n o using the exec builtin command to replace the shell\n with another command\n\n o adding or deleting builtin commands with the -f and -d\n options to the enable builtin command\n\n o Using the enable builtin command to enable disabled\n shell builtins\n\n o specifying the -p option to the command builtin command\n\n o turning off restricted mode with set +r or set +o res-\n tricted.\n<\/pre>\n
# ppriv -l basic\ndax_access\nfile_link_any\nfile_read\nfile_write\nnet_access\nproc_exec\nproc_fork\nproc_info\nproc_self\nproc_session\nsys_ib_info\n<\/pre>\n
# ppriv -lv basic\ndax_access\n Allows a process to perform all operations supported by the DAX\n hardware.\nfile_link_any\n Allows a process to create hardlinks to files owned by a uid\n different from the process' effective uid.\n...\n<\/pre>\n","protected":false},"excerpt":{"rendered":"