Notes from a Carbon Based Life Form

I was presented with a question a while back. Is there a way to have a non-global zone set the time and date of a Solaris 10 system? The answer I came it with is "Sort of." Here's why:

I looked at setting up an RBAC profile assiging the command /usr/bin/rdate, with uid=0 and privs=sys_time, but that didn't work. There is no way to assign an RBAC profile from a global zone to a user from a non-global zone, and there is no way to assign an RBAC profile directly to a zone. (That's a neat idea, though, isn't it?)

Then I thought about using an ssh key to permit passphrase-less authentication from a user in the non-global zone, to the global zone to log in and run a command (set up in an RBAC profile) to allow them to set the date. Here's my solution to this problem:

First, I create the proxy user, and then I set up the RBAC profile in the global zone:

1. Create the user account (I use proxy, because I also use this account for other purposes):

bash-3.00# useradd -u 600 -g 10 -c "Special Proxy User" -s /usr/bin/rbash -d /export/home/proxy -m proxy
bash-3.00# passwd proxy
New Password: ********
Re-enter new Password: ********
passwd: password successfully changed for proxy

4. Add this line to /etc/security/exec_attr:
Proxy:solaris:cmd:::/usr/bin/rdate:uid=0;privs=sys_time

Now, if you were to su to proxy and run rdate 192.43.244.18 you would effect a setting of the time and date on your system, hopefully without errors.

Now, to set up the access from the non-global zone, `su` to the proxy user account, and generate an ssh-key. I'm using a commented, 1024-bit Diffie-Hellman key, just for example purposes. Yours can be whatever bit-level and algorithm you prefer.

bash-3.00# su - proxy
bash-3.00$ ssh-keygen -f .ssh/rdate.key -t dsa -b 1024 -C "Rdate Command Key"
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/rdate.key.
Your public key has been saved in .ssh/rdate.key.pub.
The key fingerprint is:
e4:02:8e:94:b7:c5:87:30:ca:fe:ce:c3:09:98:26:e3 Rdate Command Key

Once the key, is generated, copy the contents of your public key file to your authorized_keys file:

bash-3.00$ cp .ssh/rdate.key.pub .ssh/authorized_keys

ssh-dss AAAAB3NzaC1kc3MAAACBANhSeknty5MNVDTg7o8fJ3WYhsDd2k/RaFIWPXvROLCgP4BduWFw
AJw/bTRVLVah5Jk52EIbKtst4hZ2EJdVtIxOo/WI+6IE5c8shDoo2JjMl3Qkyim8kIl/g8aOi094yZe7
oYcrL8+Zo5I/PaNLOS6JN6VFa3lp1zAbEMeHaoQBAAAAFQD0X4fWRQBVF7z9J2TblQsCaaCJJwAAAIBt
DBmKQ/OyOd5fMbp8e8PXCasv84smq3vrHNZzDjA+pSVfQHcQ87s79IiHBWtZwawVZlzAZzk9kykZBZjl
lRPVAFm2dFZbDtadmOk9L2yK/oj6k9h5POBXEJS4HZ7ry1vDsgFV5kOqFppeMtynbhgE2YsYK64nzeFQ
nAr1uJQJXQAAAIEAtfaiakkVWQlgZnu89LTEPYOmUbM4MziGpKqZyaBBpjyT/6ugTGahuRKI4br0ESCV
jxmKqGkR1O5jOSNBvMr2zbWRpnVgCM8ThDH1OuvPdZu2aSAX2KCnIga+Wzj8/uWCCDHRj+2D0l7vGgQX
ImJMlJ4Sa9xyOMJH8qU6Un0Gscs= Rdate Command Key

command="pfexec rdate 192.43.244.18" ssh-dss AAAAB3NzaC1kc3MAAACBANhSeknty5MNVDT
g7o8fJ3WYhsDd2k/RaFIWPXvROLCgP4BduWFwAJw/bTRVLVah5Jk52EIbKtst4hZ2EJdVtIxOo/WI+6I
E5c8shDoo2JjMl3Qkyim8kIl/g8aOi094yZe7oYcrL8+Zo5I/PaNLOS6JN6VFa3lp1zAbEMeHaoQBAAA
AFQD0X4fWRQBVF7z9J2TblQsCaaCJJwAAAIBtDBmKQ/OyOd5fMbp8e8PXCasv84smq3vrHNZzDjA+pSV
fQHcQ87s79IiHBWtZwawVZlzAZzk9kykZBZjllRPVAFm2dFZbDtadmOk9L2yK/oj6k9h5POBXEJS4HZ7
ry1vDsgFV5kOqFppeMtynbhgE2YsYK64nzeFQnAr1uJQJXQAAAIEAtfaiakkVWQlgZnu89LTEPYOmUbM
4MziGpKqZyaBBpjyT/6ugTGahuRKI4br0ESCVjxmKqGkR1O5jOSNBvMr2zbWRpnVgCM8ThDH1OuvPdZu
2aSAX2KCnIga+Wzj8/uWCCDHRj+2D0l7vGgQXImJMlJ4Sa9xyOMJH8qU6Un0Gscs= Rdate Command
Key

As root, in the global zone, lets apply a restrictive shell, and limit the PATH with a profile that's owned by root (this helps limit destructive potential, if someone were to try to use the passphrase-less ssh-key for no good:

bash-3.00# cp /usr/bin/bash /usr/bin/rbash
usermod -s /usr/bin/rbash proxy
echo "export PATH=\"~/bin\"" > /export/home/proxy/.profile
chmod 444 /export/home/proxy/.profile
chown root /export/home/proxy/.profile

Play around with an rbash shell, and you'll see that commands are restricted to what's in the path, and you can't have a '/' in any commands to be run.

Now, you could use a script like Brendan Gregg's zcp to copy files from the global zone to the non-global zone, but sometimes if it's just a little file like this, I'll just go ahead an copy it to the non-global zone's TMP directory.

cp /export/home/proxy/.ssh/rdate* /zones/zone1/root/tmp/

Now, let's log into the zone, and setup a script that can set the date and time
for the whole system.

zlogin -e @ -C zone1

mkdir /etc/proxy
mv /tmp/rdate* /etc/proxy/
cd /etc/proxy
vi setdate
-----------------------------------------------------------------------
#!/bin/sh
# quick script to set the date
/usr/bin/ssh -T -a -i /etc/proxy/rdate.key proxy@<global zone IP>
-----------------------------------------------------------------------

So there you are. A simple command you can run in a non-global zone, to set the date and time for the entire system, which until zones support a separate clock from the global, is as best you can get. (Timezone's not included)

However, you're not really setting the time in the non-global zone, you're causing a process to log into the global zone and set the time there.

If you're primary concern is an application that runs in a zone, that needs permission to set the time/date, then this should work for you, as long as you don't have any objections to using ssh keys this way, from a philosophical or security-minded point of view.

So, really:
Q: Can you set the time and date from a non-global zone?
A: No. but you can automate setting it in the global zone, from a non-global zone.

If you're behind a firewall that doesn't allow access to anywhere on port 37, and thus your Global zone also cannot set the time and date from a Time Server, then you'll need to set up some kind of dynamic ssh tunnel to ssh one step further out, and tunnel that rdate command through that ssh tunnel.