(file) Return to notes.txt CVS log (file) (dir) Up to [Pegasus] / pegasus / src / Executor
File: [Pegasus] / pegasus / src / Executor / notes.txt (download)
Revision: 1.1.2.7, Tue Jan 2 03:18:59 2007 UTC (17 years, 5 months ago) by mike
Branch: PEP286_PRIVILEGE_SEPARATION_BRANCH
Changes since 1.1.2.6: +22 -0 lines 
PEP#: 286
TITLE: Privilege Separation

DESCRIPTION: Ongoing privilege separation work.


    1.  The user that runs cimervermain is determined as follows.

        (1) Look for serverUser configuration option on command line.

        (2) Look for serverUser configuration option in planned configuration
            file.

        (3) Use the owner of the cimservermain program (if not root).

        (4) Use "pegasus" (the default user).

    2.  All files but the repository are owned by root. The cimservermain
        process may read any of the root owned files, but it must ask the
        executor to modify the file system.

    3.  Cimservermain must own the repository and all files beneath.
        The executor automatically sets ownership for these files upon
        startup.

    4.  Provider agent is run as root, whenever the same user as server is
        requested.
    
    5.  Executor checks whether Pegasus repository exists and errors out
        if not.

    7.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

    8.  For logging purposes, the executor uses "cimexecutor" as its syslog
        identifier.

    9.  Setting up PAM authentiction (non-standalone).

        First compile with PEGASUS_PAM_AUTHENTICATION. 
        
        Next install the PAM configuration file.

            % cd $PEGASUS_ROOT
            % cp rpm/wbem /etc/pam.d
            % chmod 0644 /etc/pam.d/wbem

    10. Setting up standalone PAM authentication.

        Compile with PEGASUS_PAM_AUTHENTICATION and 
        PEGASUS_USE_PAM_STANDALONE_PROC.

    11. Running the SSL tests.

        Run server like this:

            % cimserver enableHttpsConnection=true enableAuthentication=true sslClientVerificationMode=optional sslTrustStoreUserName=root

        Run test like this:

        % make -f TestMakefile run_SSL_TS1
        % chown pegasus.pegasus /opt/pegasus/cimserver_trust
        % chown pegasus.pegasus /opt/pegasus/crl


    12. Interesting functions.

        SSL_CTX_use_PrivateKey_file()

        EVP_PKEY *PEM_read_PrivateKey(
            FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);

        int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
No CVS admin address has been configured
 Powered by
ViewCVS 0.9.2