About Apache2 with RBAC

[gxmsgx]

Hi all,
I'm trying to configure Apache2 with RBAC for reduce some privileges and run this service only with user webservd
...but the parent process (root) still exists!

my steps:

[b]# svcadm -v disable -s apache2[/b]

[b]# svccfg -s apache2[/b]
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> end

[b]# svcadm -v refresh apache2[/b]

[b]# svcprop apache2 | grep ^start[/b]
startd/ignore_error astring core,signal
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
[COLOR=blue]start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr[/color]

[b]# svcadm -v enable -s apache2[/b]

[b]# ps -ef | grep apache2[/b]
webservd  4205  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
    [COLOR=red][b]root  4204     1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start[/b][/color]
webservd  4209  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4208  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4206  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd  4207  4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start

...and obviously...

[b]# ppriv 4204[/b]
4204:	/usr/apache2/bin/httpd -k start
flags = <none>
	E: all
	I: basic
	P: all
	L: all

What's wrong?
Any idea?

PS: sorry about my english

 

[gxmsgx]

Solved,

--- Now the user webservd has the ability to restart the service (with svcadm disable/restart..etc).

--- All Apache files, logs, conf., pid etc. are only owned by user webservd because I didn't created other administrative roles (like svcadm or webdev)

--- Authorizations "sunw.smf.manage.http/apache2" and "sunw.smf.modify.application.http/apache2" have been applied to user webservd

# ps -ef | grep apache2
webservd  2599  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2600  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2597  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2598  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
webservd  2601  2596   0 12:52:06 ?   0:00 /usr/apache2/bin/httpd -k start
[b]webservd  2596     1   0 12:52:05 ?   0:00 /usr/apache2/bin/httpd -k start[/b]

# ppriv 2596
2596:   /usr/apache2/bin/httpd -k start
flags = <none>
        E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        L: all

# netstat -naf inet | grep '*.80'
     *.80                 *.*                0      0 49152      0 LISTEN