Return to notes.txt CVS log

Up to [Pegasus] / pegasus / src / Executor

PEP#: 286
TITLE: Privilege Separation

DESCRIPTION: Ongoing privilege separation work.

    1.  The user that runs cimervermain is determined by the 
        PEGASUS_CIMSERVERMAIN_USER constant defined in 
        <Pegasus/Common/Constants.h>

    2.  All files but the repository are owned by root. The cimservermain
        process may read the root owned files, but it must ask the executor 
        to modify them.

    3.  The executor gives ownership of the repository to the server user
        upon startup.

    4.  The Executor now checks whether Pegasus repository exists and errors 
        out if not.

    5.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

    6.  The executor will not start if a CIM server is already running.

    7.  For logging purposes, the executor uses "cimexecutor" as its syslog
        identifier.

    8.  Setting up PAM authentiction (non-standalone).

        First compile with PEGASUS_PAM_AUTHENTICATION. 
        
        Next install the PAM configuration file.

            % cd $PEGASUS_ROOT
            % cp rpm/wbem /etc/pam.d
            % chmod 0644 /etc/pam.d/wbem

    9.  To build for standalone PAM authentication, compile with these:

            PEGASUS_PAM_AUTHENTICATION
            PEGASUS_USE_PAM_STANDALONE_PROC

    10.  To run cimserver to use PAM, use these configuration parameters.

            enableAuthentication=true 

    11. To build SSL support, compile with these.
    
            OPENSSL_HOME=/usr
            PEGASUS_HAS_SSL=true

    12. To run cimerver to use SSL, use these configuration parameters.

            enableHttpsConnection=true 
            enableAuthentication=true 
            sslClientVerificationMode=optional 
            sslTrustStoreUserName=root

    13. To add a user to cimserver.passwd, use the following format (the given
        user must be a real system user).

            jsmith:AB5bZ.JX9fQzA

        Use the following program to generate the password (at least on
        Linux).

            #define _XOPEN_SOURCE
            #include <unistd.h>
            #include <stdio.h>

            int main()
            {
                printf("%s\n", crypt("changeme", "AB"));
                return 0;
            }

        Compile and link the program as follows.

            % gcc -o mkpasswd mkpasswd.cpp -lcrypt

    14. The KerberosAuthenticationHandler.h and all Kerberos authentication
        logic is not part of the Pegasus repository.

    15.  The CIMExportIndicationRequestMessage comes back into the server
         and is delivered to an indication consumer (which must be loaded).

    16. The following authentication schemes were rewritten and are now
        part of the executor.

            - PAM Basic Authentication
            - PAM Basic Authentication, using cimservera program.
            - Secure Local Authenticaiton

        The following authentication schemes still reside in cimservermain.

            - SSL certificate authentication
            - Secure Basic (uses cimserver.passwd file).