NDMP RBAC setup and security issues
Reza Sabdar
07/19/07

1. NDMP service

The NDMP service consists of the ndmpd(1) daemon and two utility programs, ndmpadm(1M) and ndmpstat(1M), for administration and for displaying statistics. These services and utilities are driven by authorizations that allow the following activities:

- Managing the NDMP service state, such as starting and stopping the service.
- Changing the values of SMF properties in the service. These values are normally set by ndmpadm(1M) and read by ndmpd(1).
- Read permission for protected SMF properties (refer to the ndmp_design document, section "4.3 SMF Properties").

To implement this, the following authorizations have been added to the auth_attr(4) file:

    solaris.smf.manage.ndmp:::Manage NDMP Service States::help=SmfNdmpStates.html
    solaris.smf.value.ndmp:::Change Values of NDMP Service Properties::help=SmfValueNdmp.html
    solaris.smf.read.ndmp:::Read Permission for Protected NDMP Properties::help=SmfReadNdmp.html

2. NDMP Service Management

NDMP service management includes the activities that change the state of the service, such as starting and stopping the daemon. NDMP service management requires the user to have the following authorizations:

    "solaris.smf.manage.ndmp"
    "solaris.smf.value.ndmp"

3. NDMP Service Property Management

These properties are defined in the service manifest file with proper default values. The properties are fixed: users are not allowed to add properties to or remove properties from the property group. Authorized users can only change the values of these properties. The values are set or viewed using the ndmpadm(1M) command.

There are two property groups for NDMP service properties:

- Regular properties group: no special authorization is needed to view the properties in this group. To set or change the values in this group the user must have the "solaris.smf.value.ndmp" authorization.
- Protected properties group: these properties cannot be viewed unless the user has the "solaris.smf.read.ndmp" authorization. The user still needs the proper authorization to change the values, which is "solaris.smf.value.ndmp".

The protected properties implementation is dependent on PSARC/2007/177.

The default value for admin-passwd is set to the null string, which is interpreted as "no connections allowed" unless the password is set to some non-null value by the administrator. Refer to ndmpadm(1M) for more details on setting the password.

4. NDMP RBAC Profiles

The NDMP service contains both Backup and Restore operations. Since these operations require different privileges, at least two rights profiles need to be created. Another profile is also needed for local administration and management of the service, as follows:

    NDMP Backup:::Backup files using NDMP:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpBackup.html
    NDMP Restore:::Restore files using NDMP:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpRestore.html
    NDMP Management:::Manage the NDMP service:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpManage.html

All of the above profiles are defined as part of the "System Administrator" profile.

5. NDMP Service Execution Attributes

The NDMP service contains the following three commands:

- ndmpd(1): the NDMP service daemon
- ndmpadm(1M): the NDMP service administration interface
- ndmpstat(1M): the NDMP statistics reporting tool

5.1 NDMP Service Daemon

The daemon performs different operations during backup and restore, and the two need different privilege sets.

- Backup Privileges

For backup the daemon needs sufficient privileges to search all directories and to read all files. The daemon does not need any special write privileges to the disk during backup. The privileges required for NDMP Backup are:

- PRIV_PROC_EXEC: for calling exec(2)
- PRIV_PROC_FORK: for calling fork(2)
- PRIV_PROC_AUDIT: for generating audit data, if enabled
- PRIV_FILE_DAC_READ: to read all files/directories
- PRIV_FILE_DAC_SEARCH: to search all directories

Backup privileges are specified in the following entry in the exec_attr(4) file:

    NDMP Backup:solaris:cmd:::/usr/lib/ndmp/ndmpd:privs=proc_exec,proc_fork,proc_audit,file_dac_read,file_dac_search;uid=bin;gid=sys

- Restore Privileges

During restore the daemon needs write privileges to the directories, to the files and to the attributes of the files, in addition to the backup privileges necessary to access the directories and search paths. NDMP Restore requires the following privileges:

- PRIV_PROC_EXEC: for calling exec(2)
- PRIV_PROC_FORK: for calling fork(2)
- PRIV_PROC_AUDIT: for generating audit data, if enabled
- PRIV_FILE_DAC_READ: to read all files/directories
- PRIV_FILE_DAC_SEARCH: to search all directories
- PRIV_FILE_DAC_WRITE: to write to all files/directories
- PRIV_FILE_LINK_ANY: to create hard links to other users' files
- PRIV_FILE_CHOWN: to change a file's owner UID or GID
- PRIV_FILE_CHOWN_SELF: to give away its own files
- PRIV_FILE_SETID: to change the owner without the set-uid bit being cleared
- PRIV_FILE_OWNER: to change a file's or directory's modification/access times
- PRIV_SYS_LINKDIR: to link/unlink directories

Restore privileges are specified in the following entry in the exec_attr(4) file:

    NDMP Restore:solaris:cmd:::/usr/lib/ndmp/ndmpd:privs=proc_exec,proc_fork,proc_audit,file_dac_read,file_dac_search,file_dac_write,file_link_any,file_chown,file_chown_self,file_setid,file_owner,sys_linkdir;uid=bin;gid=sys

5.2 NDMP Service Administration

Administration and management of the service is done by the ndmpadm(1M) command. This command does not need any special privileges. The following entry is added to the exec_attr(4) file:

    NDMP Management:solaris:cmd:::/usr/sbin/ndmpadm:privs=none

5.3 NDMP Statistics Report

Statistics on NDMP service activity are reported by the ndmpstat(1M) command. This command does not need any special privileges. The following entry is added to the exec_attr(4) file:

    NDMP Management:solaris:cmd:::/usr/sbin/ndmpstat:privs=none
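The profile entries of section 4 and the exec_attr(4) entries of section 5 can be checked for drift against the privilege and authorization sets this document lists. The following is an added example, not code from the design document or the Solaris NDMP source; the database lines it parses are constructed from the entries above, and the field layouts assumed are those of exec_attr(4) and prof_attr(4).

```python
# Consistency check of the NDMP exec_attr(4) and prof_attr(4) entries against the
# privilege and authorization sets listed in this document.  Added example; not
# part of the original design document or of the Solaris NDMP source.

# Sample database lines constructed from the entries in this document.
# exec_attr(4) layout: name:policy:type:res1:res2:id:attr
EXEC_ATTR = """\
NDMP Backup:solaris:cmd:::/usr/lib/ndmp/ndmpd:privs=proc_exec,proc_fork,proc_audit,file_dac_read,file_dac_search;uid=bin;gid=sys
NDMP Restore:solaris:cmd:::/usr/lib/ndmp/ndmpd:privs=proc_exec,proc_fork,proc_audit,file_dac_read,file_dac_search,file_dac_write,file_link_any,file_chown,file_chown_self,file_setid,file_owner,sys_linkdir;uid=bin;gid=sys
NDMP Management:solaris:cmd:::/usr/sbin/ndmpadm:privs=none
"""
# prof_attr(4) layout: profname:res1:res2:desc:attr
PROF_ATTR = """\
NDMP Backup:::Backup files using NDMP:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpBackup.html
NDMP Restore:::Restore files using NDMP:auths=solaris.smf.manage.ndmp,solaris.smf.value.ndmp,solaris.smf.read.ndmp;help=RtNdmpRestore.html
"""

# Privilege and authorization sets the document requires (sections 2, 4, 5.1).
BACKUP_PRIVS = {"proc_exec", "proc_fork", "proc_audit", "file_dac_read", "file_dac_search"}
RESTORE_PRIVS = BACKUP_PRIVS | {"file_dac_write", "file_link_any", "file_chown",
                                "file_chown_self", "file_setid", "file_owner", "sys_linkdir"}
SERVICE_AUTHS = {"solaris.smf.manage.ndmp", "solaris.smf.value.ndmp", "solaris.smf.read.ndmp"}

def parse_attrs(field):
    """Split an 'k=v;k=v' attribute field into a dict; privs and auths become sets."""
    attrs = {}
    for item in filter(None, field.rstrip(";").split(";")):
        key, _, value = item.partition("=")
        attrs[key] = set(value.split(",")) if key in ("privs", "auths") else value
    return attrs

def parse_db(text, nfields, key_fields):
    """Parse a colon-separated RBAC database; key each entry on the given field indexes."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":", nfields - 1)
            entries[tuple(fields[i] for i in key_fields)] = parse_attrs(fields[-1])
    return entries

def privilege_gaps(profile, ident, required, text=EXEC_ATTR):
    """Return (missing, surplus) privileges of a command entry versus the required set."""
    privs = parse_db(text, 7, (0, 5))[(profile, ident)].get("privs", set())
    privs = set() if privs == {"none"} else privs        # privs=none grants nothing
    return sorted(required - privs), sorted(privs - required)

def missing_auths(profile, required, text=PROF_ATTR):
    """Authorizations the document requires that the rights profile does not grant."""
    return sorted(required - parse_db(text, 5, (0,))[(profile,)].get("auths", set()))
```

A non-empty surplus list means the daemon would run with more than the document justifies; a non-empty missing list means a backup or restore would fail part-way for lack of privilege.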