HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
the Security Containment product is initially enabled, it creates the ifaces compartment and
assigns all network interfaces currently installed on the system to ifaces.)
Using the INIT Compartment
After the Security Containment product is enabled, you can use the following command to
determine the compartment you are running in:
getprocxsec -c
If you are not in the INIT compartment, you can use privrun or one of the privileged shells
(privsh, privksh, privcsh) to start a shell in the INIT compartment, as described in the
manpages for these commands.
Address Collisions with INADDR_ANY and IN6ADDR_ANY Sockets in the INIT Compartment
Because the INIT compartment has access to all network interfaces configured in other
compartments, it is possible for a socket owned by a process running in the INIT compartment
to bind to an IP address that is configured for another compartment. This occurs when an INIT
process socket binds to the wildcard IP address INADDR_ANY or IN6ADDR_ANY, which binds
the socket to the specified port number on all IPv4 or IPv6 interfaces on the system. (Note that
sockets not in the INIT compartment can bind only to IP addresses to which they have been
explicitly granted access.)
If a process in the INIT compartment and a process in another compartment attempt to use the
same port number and either process attempts to bind the socket to the INADDR_ANY or
IN6ADDR_ANY address, there will be an address collision. If both sockets have the SO_REUSEADDR
option set, both bind calls succeed, but it is difficult to determine which socket will receive
a given connection request. If either socket does not have the SO_REUSEADDR option set, the
second bind call fails with EADDRINUSE.
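The collision described above, as an added example that is not part of the HP-UX guide: a small C program that binds two TCP sockets to the same port, one to the wildcard address (standing in for the daemon in the INIT compartment) and one to 127.0.0.1 (standing in for the daemon in the SRP compartment), with and without SO_REUSEADDR, and reports whether the second bind succeeds. It uses IPv4 only, picks a free port at run time so it does not disturb real services, and runs on any POSIX host; the function and enum names are the example's own.

```c
/* Added example (not from the HP-UX SRP guide): reproduces the wildcard
 * bind collision on any POSIX host. Socket 1 plays the INIT-compartment
 * daemon (INADDR_ANY), socket 2 the SRP-compartment daemon (a specific
 * address). The port is chosen at run time to avoid clashing with real
 * services. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of two bind() calls on the same TCP port. */
enum bind_outcome {
    BOTH_BOUND = 0,      /* both binds succeeded: the silent collision */
    SECOND_EADDRINUSE,   /* second bind failed with EADDRINUSE: the safe failure */
    FIRST_FAILED,        /* first bind failed (environment problem) */
    OTHER_ERROR          /* anything else */
};

/* Create a TCP socket, optionally set SO_REUSEADDR, bind it to addr:port.
   Returns the descriptor, or -1 with errno set on failure. */
static int bind_tcp(const char *addr, unsigned short port, int reuse)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (reuse)
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Ask the kernel for an unused port by binding port 0 on loopback and
   reading the choice back with getsockname(). Returns 0 on failure. */
static unsigned short free_port(void)
{
    int fd = bind_tcp("127.0.0.1", 0, 0);
    if (fd < 0)
        return 0;
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    unsigned short port = 0;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) == 0)
        port = ntohs(sa.sin_port);
    close(fd);
    return port;
}

/* Bind addr1 and then addr2 to the same fresh port; report what happened. */
enum bind_outcome try_bind_pair(const char *addr1, int reuse1,
                                const char *addr2, int reuse2)
{
    unsigned short port = free_port();
    if (port == 0)
        return OTHER_ERROR;
    int fd1 = bind_tcp(addr1, port, reuse1);
    if (fd1 < 0)
        return FIRST_FAILED;
    int fd2 = bind_tcp(addr2, port, reuse2);
    enum bind_outcome result;
    if (fd2 >= 0) {
        result = BOTH_BOUND;
        close(fd2);
    } else if (errno == EADDRINUSE) {
        result = SECOND_EADDRINUSE;
    } else {
        result = OTHER_ERROR;
    }
    close(fd1);
    return result;
}

int main(void)
{
    static const char *names[] = { "both bound (collision)",
                                   "second bind: EADDRINUSE",
                                   "first bind failed", "other error" };
    /* "INIT" daemon on the wildcard, "SRP" daemon on a specific address. */
    printf("no SO_REUSEADDR:      %s\n", names[try_bind_pair("0.0.0.0", 0, "127.0.0.1", 0)]);
    printf("SO_REUSEADDR on both: %s\n", names[try_bind_pair("0.0.0.0", 1, "127.0.0.1", 1)]);
    printf("SO_REUSEADDR on one:  %s\n", names[try_bind_pair("0.0.0.0", 1, "127.0.0.1", 0)]);
    return 0;
}
```

The first and third calls reproduce the EADDRINUSE failure; the second reproduces the double bind the guide warns about, in which it is unspecified which socket a connection lands on. Network daemons such as OpenSSH's sshd set SO_REUSEADDR on their listening sockets, which is why they fall into the second case.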
Address Collisions with sshd Daemons
One example of a network daemon that can have problems with address collisions is the sshd
daemon. By default, the sshd daemon binds its socket to TCP port 22 on the wildcard IP address
INADDR_ANY (or IN6ADDR_ANY, if the IPv6 address family is specified). If an sshd daemon
runs in the INIT compartment with the default configuration and a second sshd daemon starts
in an SRP compartment and attempts to bind its socket to TCP port 22, the bind succeeds, because
sshd sets SO_REUSEADDR on its listening sockets. However, the sshd daemon running in the SRP
compartment might never receive SSH connection requests on its socket.
To prevent sshd address collisions, the srp_setup utility prompts for the system sshd
configuration file name (the configuration file that the sshd daemon running in the INIT
compartment would use) and checks if this file configures the daemon to listen on a wildcard
IP address. If so, srp_setup asks whether you want to set ListenAddress to specific addresses
instead of a wildcard IP address.
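The weak and corrected sshd_config settings side by side, as an added illustration that is not part of the HP-UX guide. The addresses are placeholders from the documentation ranges, not addresses from the guide.

```text
# Weak default (what srp_setup warns about): with no ListenAddress, sshd
# binds TCP port 22 on INADDR_ANY (and IN6ADDR_ANY when IPv6 is in use),
# so an sshd in an SRP compartment may never see its connections.
#ListenAddress 0.0.0.0
#ListenAddress ::

# Corrected: bind only the INIT compartment's own addresses
# (placeholder values; use the INIT compartment's real addresses).
ListenAddress 192.0.2.10
ListenAddress [2001:db8::10]:22
```

With ListenAddress restricted this way, an sshd started in an SRP compartment binds port 22 on that compartment's own addresses without colliding with the INIT daemon.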
Best Practice Recommendations
Because of the INIT compartment properties, HP recommends that you:
• Run system services shared by compartments in the INIT compartment only, if possible.
By default, all SRP compartments are configured to allow Interprocess Communication (IPC)
with the INIT compartment.
• Manage system resources when logged in to the INIT compartment. If a utility manages
system-wide resources or configuration files, such as SMH, run the utility from the INIT
compartment.
• Run the SRP utilities (srp_setup and srp) when logged in to the INIT compartment, not
from an SRP compartment. In most cases, you must do this because the SRP utilities modify
system files that are not accessible from within an SRP compartment.
Planning Considerations and Best Practices 19