Posted to issues@trafficserver.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2014/10/03 01:52:35 UTC

[jira] [Resolved] (TS-3103) improve privilege elevation

     [ https://issues.apache.org/jira/browse/TS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach resolved TS-3103.
-----------------------------
    Resolution: Fixed

> improve privilege elevation
> ---------------------------
>
>                 Key: TS-3103
>                 URL: https://issues.apache.org/jira/browse/TS-3103
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Core, Security
>            Reporter: James Peach
>            Assignee: James Peach
>             Fix For: 5.2.0
>
>
> Improve privilege elevation so that we have a single function that alters process credentials, and does it correctly.
> Here is the behavior I plan to implement:
>    1. traffic_manager runs with real root credentials, but
>       effective credentials as given by proxy.config.admin.user_id.
>       It will elevate back to root to perform privileged operations.
>    2. traffic_server is started with real root credentials,
>       but attempts to permanently drop to an unprivileged user early
>       in the startup process. The unprivileged user account for
>       traffic_server is also given by proxy.config.admin.user_id.
>       When traffic_server drops privilege, it does so permanently.
>    3. traffic_server may elevate privilege depending on the
>       value of proxy.config.ssl.cert.load_elevated and
>       proxy.config.plugin.load_elevated. This elevation will only
>       be supported on platforms that have per-thread capabilities.
>       traffic_server will check at startup whether to retain
>       sufficient capabilities to allow it to elevate later. This
>       means that the *.load_elevated configurations will not be
>       reloadable.
>    4. After traffic_server drops privilege, we will continue to abort
>       with a fatal error if the real or effective user ID is root. This
>       behavior can be avoided by defining BIG_SECURITY_HOLE=1 at build
>       time.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
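As an added illustration of steps 2 and 4 above (not code from the Traffic Server tree or from the ticket), the following shows a permanent credential drop via setresgid()/setresuid() that verifies the result by reading all three IDs back, plus the post-drop refusal to keep running as root unless BIG_SECURITY_HOLE=1 was defined at build time. It assumes a Linux/glibc target (the setres*/getres* calls) and that the caller has already resolved proxy.config.admin.user_id to a numeric uid/gid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 4 policy, kept pure so it can be checked without changing IDs:
 * after the drop, none of the real, effective or saved UIDs may be root. */
int credentials_are_unprivileged(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid != 0 && euid != 0 && suid != 0;
}

/* Step 2: set real, effective and saved IDs in one call each. Groups go
 * first, because once the UID is unprivileged setresgid() would fail.
 * The IDs are then read back: the drop is only "permanent" if all three
 * UIDs and GIDs actually changed, so the read-back is the real check.
 * Returns 0 on success, -1 on any failure (errno is reported). */
int set_credentials_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    if (setresgid(gid, gid, gid) != 0) {
        fprintf(stderr, "setresgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setresuid(uid, uid, uid) != 0) {
        fprintf(stderr, "setresuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (r != uid || e != uid || s != uid || rg != gid || eg != gid || sg != gid) {
        fprintf(stderr, "credential drop did not take: uid %u/%u/%u gid %u/%u/%u\n",
                (unsigned)r, (unsigned)e, (unsigned)s,
                (unsigned)rg, (unsigned)eg, (unsigned)sg);
        return -1;
    }
    return 0;
}

/* Drop to the configured account, then enforce step 4: still being root
 * afterwards is fatal unless the build opted in with BIG_SECURITY_HOLE=1. */
int drop_to_unprivileged(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    if (set_credentials_permanently(uid, gid) != 0 || getresuid(&r, &e, &s) != 0)
        return -1;
#if !defined(BIG_SECURITY_HOLE) || BIG_SECURITY_HOLE != 1
    if (!credentials_are_unprivileged(r, e, s)) {
        fprintf(stderr, "fatal: still running as root after privilege drop\n");
        return -1;
    }
#endif
    return 0;
}
```

A caller that has not yet resolved the account name would do the getpwnam() lookup first and pass the resulting pw_uid/pw_gid here; the read-back keeps a partially successful setresuid() from being mistaken for a completed drop.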