(file) Return to notes.txt CVS log (file) (dir) Up to [Pegasus] / pegasus / src / Executor
File: [Pegasus] / pegasus / src / Executor / notes.txt (download)
Revision: 1.1.2.11, Tue Jan 9 23:26:21 2007 UTC (17 years, 5 months ago) by mike
Branch: PEP286_PRIVILEGE_SEPARATION_BRANCH
Changes since 1.1.2.10: +3 -10 lines 
PEP#: 286
TITLE: Privilege Separation

DESCRIPTION: Ongoing privilege separation work.


    1.  The user that runs cimervermain is determined by the 
        PEGASUS_CIMSERVERMAIN_USER constant defined in 
        <Pegasus/Common/Constants.h>

    2.  All files but the repository are owned by root. The cimservermain
        process may read any of the root owned files, but it must ask the
        executor to modify them.

    3.  The executor gives ownership of the repository to the server user
        upon startup.

    4.  Executor checks whether Pegasus repository exists and errors out
        if not.

    5.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

    6.  For logging purposes, the executor uses "cimexecutor" as its syslog
        identifier.

    7.  Setting up PAM authentiction (non-standalone).

        First compile with PEGASUS_PAM_AUTHENTICATION. 
        
        Next install the PAM configuration file.

            % cd $PEGASUS_ROOT
            % cp rpm/wbem /etc/pam.d
            % chmod 0644 /etc/pam.d/wbem

    8.  To build for standalone PAM authentication, compile with these:

            PEGASUS_PAM_AUTHENTICATION
            PEGASUS_USE_PAM_STANDALONE_PROC

    9.  To run cimserver to use PAM, use these configuration parameters.

            enableAuthentication=true 

    10. To build SSL support, compile with these.
    
            OPENSSL_HOME=/usr
            PEGASUS_HAS_SSL=true

    11. To run cimerver to use SSL, use these configuration parameters.

            enableHttpsConnection=true 
            enableAuthentication=true 
            sslClientVerificationMode=optional 
            sslTrustStoreUserName=root

    12. To add a user to cimserver.passwd, use the following format (the given
        user must be a real system user).

            jsmith:AB5bZ.JX9fQzA

        Use the following program to generate the password (at least on
        Linux).

            #define _XOPEN_SOURCE
            #include <unistd.h>
            #include <stdio.h>

            int main()
            {
                printf("%s\n", crypt("changeme", "AB"));
                return 0;
            }

        Compile and link the program as follows.

            % gcc -o mkpasswd mkpasswd.cpp -lcrypt

    13. The KerberosAuthenticationHandler.h and all Kerberos authentication
        logic is not part of the Pegasus repository.

    14.  The CIMExportIndicationRequestMessage comes back into the server
         and is delivered to an indication consumer (which must be loaded).
No CVS admin address has been configured
 Powered by
ViewCVS 0.9.2