NDMP RBAC Configuration
1. NDMP Service
This document describes the RBAC configuration for the NDMP service, which consists
of the ndmpd(1) daemon and two utility programs: ndmpadm(1M) and ndmpstat(1M).
The following actions require NDMP-specific authorization:
- Managing the NDMP service state such as starting, stopping or refreshing
the service.
- Changing NDMP property values stored in SMF, which are normally set
by ndmpadm(1M) and read by ndmpd(1).
- Reading protected properties (Refer to the ndmp_design document section
"4.3 SMF Properties").
The following NDMP-specific authorizations have been added to the auth_attr(4)
file to support these activities:
solaris.smf.manage.ndmp:::Manage NDMP Service States::help=SmfNDMPStates.html
solaris.smf.value.ndmp:::Change Values of NDMP Service Properties::help=SmfValueNDMP.html
solaris.smf.read.ndmp:::Read Permission for Protected NDMP Properties::help=AuthReadNDMP.html
2. NDMP Service Management
NDMP service management includes those activities that change the state of the
service, such as starting, stopping or refreshing the daemon. The following
authorization permits a user to manage the NDMP service:
solaris.smf.manage.ndmp
3. NDMP Service Property Management
NDMP service properties are defined, with default values, in the service
manifest file. Users are not allowed to add or remove the NDMP properties from
the property groups but appropriately authorized users can change the values
of these properties. The values of these properties are set or viewed using
ndmpadm(1M). There are two NDMP service property groups:
- Regular properties group: no special authorization is needed to view the
properties in this group. The "solaris.smf.value.ndmp" authorization permits
a user to change the property values in this property group.
- Protected properties group: the "solaris.smf.read.ndmp" authorization permits
a user to view the NDMP service properties in this protected property group.
The "solaris.smf.value.ndmp" authorization will permit the user to modify the
values. NDMP is dependent on PSARC/2007/177, which describes SMF protected
properties.
The default password values will be null strings. A non-null password is
required to allow a connection to the ndmpd service. Refer to ndmpadm(1M)
for more details on setting the password.
4. NDMP RBAC Profiles
The NDMP service provides both backup and restore operations and is designed
to be managed via SMF. The backup and restore operations each require a
different set of privileges. The union of these privileges will be specified
in the method_credential in the service manifest.
In order to perform NDMP administration functions, for example, to use
ndmpadm(1M) or ndmpstat(1M), a user will need the NDMP management profile.
The NDMP Management profile also permits the NDMP service to be started,
stopped or refreshed.
NDMP Management:::Manage the NDMP service:auths=solaris.smf.manage.ndmp,
solaris.smf.value.ndmp,solaris.smf.read.ndmp:help=RtNDMPMngmnt.html
Note: both Media Backup and Media Restore profiles will contain the NDMP
Management profile, which grants users with these profiles the right to
perform NDMP management operations. The System Administrator profile
already contains the Media Backup and Media Restore profiles.
5. NDMP Service Privileges
5.1. NDMP Service Daemon
The NDMP service daemon needs different sets of privileges during backup and restore.
For backup the daemon needs to have sufficient privileges to be able to search all
directories and permission to read all files. The daemon does not need any
special file system write privileges during backup. The privileges required for
NDMP Backup are:
- PRIV_PROC_EXEC: to support calls to exec(2)
- PRIV_PROC_FORK: to support calls to fork(2)
- PRIV_PROC_AUDIT: to support auditing
- PRIV_FILE_DAC_READ: to read all files/directories
- PRIV_FILE_DAC_SEARCH: to search all directories
During restore the daemon needs write privileges to update directories, file
content and file attributes, as well as the read and search privileges listed above.
NDMP Restore requires the following privileges:
- PRIV_PROC_EXEC: to support calls to exec(2)
- PRIV_PROC_FORK: to support calls to fork(2)
- PRIV_PROC_AUDIT: to support auditing
- PRIV_FILE_DAC_READ: to read all files/directories
- PRIV_FILE_DAC_SEARCH: to search all directories
- PRIV_FILE_DAC_WRITE: to write to all files/directories
- PRIV_FILE_LINK_ANY: to create hard links to others' files
- PRIV_FILE_CHOWN: to change UID or GID
- PRIV_FILE_CHOWN_SELF: to give away files
- PRIV_FILE_SETID: to change owner without clearing set-uid bit
- PRIV_FILE_OWNER: to change file/dir modification/access time
- PRIV_SYS_LINKDIR: to link/unlink directories
The NDMP service manifest will specify the union of the above privilege
lists in the method_context for the start method.
In order to perform the required operations the NDMP service daemon will run as
root:sys. User root is required at startup to write to /var/run which is only
writable as root, and during its normal operation to be able to overwrite files
owned by root and to update directories that are only writable by root. Group
sys will allow access to /dev/rmt and /dev/scsi/changer.
The daemon will surrender privileges unnecessary for NDMP runtime operation
after process startup, for example, PRIV_PROC_EXEC, PRIV_PROC_FORK,
PRIV_PROC_SETID and PRIV_PROC_OWNER.
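The following POSIX shell script is an added example, not part of this design document or the NDMP source: it derives the privilege union that section 5.1 says belongs in the start method's method_credential, and the steady-state set left after the daemon surrenders the privileges named above (treating that "for example" list as the complete drop list is an assumption). The mapping from PRIV_* macro names to the lowercase names used in SMF manifests and by ppriv(1) is standard Solaris naming.

```shell
#!/bin/sh
# Added example (not from the NDMP design document): build the privilege set
# for ndmpd's start method from the section 5.1 lists.  SMF names a privilege
# by its PRIV_* macro lowercased without the prefix (PRIV_FILE_DAC_READ -> file_dac_read).

# Section 5.1 lists: required for backup, required for restore, and the
# privileges the daemon surrenders after startup (assumed complete here).
NDMP_BACKUP_PRIVS="PRIV_PROC_EXEC PRIV_PROC_FORK PRIV_PROC_AUDIT
PRIV_FILE_DAC_READ PRIV_FILE_DAC_SEARCH"
NDMP_RESTORE_PRIVS="PRIV_PROC_EXEC PRIV_PROC_FORK PRIV_PROC_AUDIT
PRIV_FILE_DAC_READ PRIV_FILE_DAC_SEARCH PRIV_FILE_DAC_WRITE
PRIV_FILE_LINK_ANY PRIV_FILE_CHOWN PRIV_FILE_CHOWN_SELF PRIV_FILE_SETID
PRIV_FILE_OWNER PRIV_SYS_LINKDIR"
NDMP_SURRENDERED_PRIVS="PRIV_PROC_EXEC PRIV_PROC_FORK PRIV_PROC_SETID
PRIV_PROC_OWNER"

# priv_name PRIV_FILE_DAC_READ -> file_dac_read
priv_name() {
    printf '%s\n' "$1" | sed 's/^PRIV_//' | tr '[:upper:]' '[:lower:]'
}

# priv_union MACRO... -> comma-separated names, duplicates dropped, order kept
priv_union() {
    _out=""
    for _p in "$@"; do
        _n=$(priv_name "$_p")
        case ",$_out," in *",$_n,"*) ;; *) _out="${_out:+$_out,}$_n" ;; esac
    done
    printf '%s\n' "$_out"
}

# Value for the start method's method_credential privileges attribute.
ndmp_method_privs() {
    priv_union $NDMP_BACKUP_PRIVS $NDMP_RESTORE_PRIVS
}

# Steady-state set once the surrendered privileges are dropped; on a live
# system compare it with the permitted set ppriv(1) reports for ndmpd.
ndmp_runtime_privs() {
    _drop=",$(priv_union $NDMP_SURRENDERED_PRIVS),"
    _keep=""
    for _p in $(ndmp_method_privs | tr ',' ' '); do
        case "$_drop" in *",$_p,"*) ;; *) _keep="${_keep:+$_keep,}$_p" ;; esac
    done
    printf '%s\n' "$_keep"
}

printf "<method_credential user='root' group='sys' privileges='%s'/>\n" \
    "$(ndmp_method_privs)"
```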
5.2. NDMP Service Administration and Statistics Reporting
ndmpadm(1M) and ndmpstat(1M) do not require any privileges.