Posted to issues@trafficserver.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/10/03 01:52:34 UTC
[jira] [Commented] (TS-3103) improve privilege elevation
[ https://issues.apache.org/jira/browse/TS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14157454#comment-14157454 ]
ASF subversion and git services commented on TS-3103:
-----------------------------------------------------
Commit 549108ea80913975e52e4d5a9b4fc1404fbecf2a in trafficserver's branch refs/heads/master from [~jpeach@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=549108e ]
TS-3103: use scoped ElevateAccess to elevate privileges
Rather than using explicit root privilege escalation, elevate
privilege using the scoped ElevateAccess wrapper.
> improve privilege elevation
> ---------------------------
>
> Key: TS-3103
> URL: https://issues.apache.org/jira/browse/TS-3103
> Project: Traffic Server
> Issue Type: Improvement
> Components: Core, Security
> Reporter: James Peach
> Assignee: James Peach
> Fix For: 5.2.0
>
>
> Improve privilege elevation so that we have a single function that alters process credentials, and does it correctly.
> Here is the behavior I plan to implement:
> 1. traffic_manager runs with real root credentials, but
> effective credentials as given by proxy.config.admin.user_id.
> It will elevate back to root to perform privileged operations.
> 2. traffic_server is started with real root credentials,
> but attempts to permanently drop to an unprivileged user early
> in the startup process. The unprivileged user account for
> traffic_server is also given by proxy.config.admin.user_id.
> When traffic_server drops privilege, it does so permanently.
> 3. traffic_server may elevate privilege depending on the
> value of proxy.config.ssl.cert.load_elevated and
> proxy.config.plugin.load_elevated. This elevation will only
> be supported on platforms that have per-thread capabilities.
> traffic_server will check at startup whether to retain
> sufficient capabilities to allow it to elevate later. This
> means that the *.load_elevated configurations will not be
> reloadable.
> 4. After traffic_server drops privilege, we will continue to abort
> with a fatal error if the real or effective user ID is root. This
> behavior can be avoided by defining BIG_SECURITY_HOLE=1 at build
> time.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
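The two credential models laid out in the quoted issue description, as an added C example (not Traffic Server code; the struct and function names are hypothetical and the real ElevateAccess wrapper is not shown): a scoped elevation that always restores the effective uid, a permanent drop that verifies it cannot be undone, and the post-drop root check guarded by BIG_SECURITY_HOLE.

```c
#define _GNU_SOURCE          /* setresuid/setresgid on glibc */
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* traffic_manager model: real uid stays root, effective uid is the admin user;
 * the scope raises euid to root and restores it on release. Hypothetical names,
 * not Traffic Server's ElevateAccess. */
struct elevate_scope { uid_t saved_euid; int elevated; };
static int elevate_enter(struct elevate_scope *s) {
    s->saved_euid = geteuid();
    s->elevated = (seteuid(0) == 0);   /* EPERM unless real or saved uid is root */
    return s->elevated ? 0 : -1;
}
static void elevate_leave(struct elevate_scope *s) {
    if (s->elevated) (void)seteuid(s->saved_euid);
    s->elevated = 0;
}

/* Run fn(arg) with elevated privilege; the scope is released on every path. */
static int run_elevated(int (*fn)(void *), void *arg) {
    struct elevate_scope s;
    if (elevate_enter(&s) != 0) return -1;
    int rc = fn(arg);
    elevate_leave(&s);
    return rc;
}

/* Constructed stand-in for a privileged operation: counts its invocations. */
static int count_invocation(void *arg) { ++*(int *)arg; return 0; }

/* traffic_server model: set real, effective and saved ids for good, then prove
 * that root cannot be regained. Returns 0 on success. */
static int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && setresuid((uid_t)-1, 0, (uid_t)-1) == 0) return -1;
    return 0;
}

/* Item 4 of the ticket: root as real or effective uid after the drop is fatal
 * unless BIG_SECURITY_HOLE is defined at build time. Returns 0 when safe. */
static int check_unprivileged(void) {
#ifdef BIG_SECURITY_HOLE
    return 0;
#else
    return (getuid() == 0 || geteuid() == 0) ? -1 : 0;
#endif
}
```

Run as an unprivileged user, run_elevated() fails closed (seteuid(0) is refused) and the drop succeeds against the caller's own ids; the re-elevation probe after the drop is what makes "permanently" a checked property rather than an assumption.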