31.12 Security Best Practices for zAPIs

The zAPIs for NSS create the character special device /dev/zapi. Because zAPIs operate below the level at which auditing tools track access and use, consider restricting the /dev/zapi device to the root user and setting its POSIX permissions to mode=0400.

If you are using AppArmor, add the following line to the AppArmor profile of any program that uses zAPIs for NSS:

/dev/zapi r,

You should grant root access only to members of the administrative group called wheel. The root user is a member of the wheel group by default. Users in the wheel group can access the device by using the su or sudo commands to obtain root privileges for any necessary tasks.

To add a user to the wheel group:

  1. Log in as the root user.

  2. In a terminal console, enter

    usermod -a -G wheel username

    Replace username with the username of the user being added to the wheel group. The -a option appends wheel to the user's existing supplementary groups; without it, usermod -G replaces the user's supplementary group list with wheel alone.
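The checks described above (device owned by root with mode 0400, and wheel membership for administrators) as an added audit script; this is example code, not part of the OES/NSS documentation. It assumes a Linux host with GNU coreutils (stat -c, id -nG), and the function names, the ZAPI_AUDIT_RUN variable and the parameterised PATH/OWNER/MODE arguments are the example's own so that the same functions can be exercised on an ordinary file.

```shell
#!/bin/sh
# Added example, not from the OES/NSS documentation: audit a device node for the
# ownership and POSIX mode recommended for /dev/zapi (root, 0400) and check a
# user's wheel membership. Assumes GNU coreutils (stat -c, id -nG), i.e. Linux.

# check_perms PATH OWNER MODE
# Exit 0 when PATH exists, is owned by OWNER and has octal mode MODE
# (given as 400 or 0400); exit 1 and explain on stderr otherwise.
check_perms() {
  path=$1
  want_owner=$2
  want_mode=${3#0}                 # normalise "0400" to "400", as stat prints it
  if [ ! -e "$path" ]; then
    echo "check_perms: $path does not exist" >&2
    return 1
  fi
  have_owner=$(stat -c '%U' "$path")
  have_mode=$(stat -c '%a' "$path")
  status=0
  if [ "$have_owner" != "$want_owner" ]; then
    echo "check_perms: $path owned by $have_owner, expected $want_owner" >&2
    status=1
  fi
  if [ "$have_mode" != "$want_mode" ]; then
    echo "check_perms: $path has mode $have_mode, expected $want_mode" >&2
    status=1
  fi
  return "$status"
}

# harden_perms PATH OWNER MODE
# Apply the owner and mode only when check_perms fails, so a correctly
# configured device is left untouched; re-checks and returns that result.
harden_perms() {
  if check_perms "$1" "$2" "$3" 2>/dev/null; then
    return 0
  fi
  chown "$2" "$1" && chmod "$3" "$1" && check_perms "$1" "$2" "$3"
}

# in_group USER GROUP
# Exit 0 when USER's group list (primary or supplementary) includes GROUP.
in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# audit_zapi: the real check for the device this section describes.
audit_zapi() {
  check_perms /dev/zapi root 0400
}

# Run with ZAPI_AUDIT_RUN=1 (an assumed variable) to audit /dev/zapi and report
# the invoking user's wheel membership; left off by default so the functions
# can be sourced and exercised on other paths.
if [ "${ZAPI_AUDIT_RUN:-0}" = 1 ]; then
  audit_zapi && echo "/dev/zapi: OK"
  me=$(id -un)
  if in_group "$me" wheel; then
    echo "$me is in wheel"
  else
    echo "$me is not in wheel; add with: usermod -a -G wheel $me"
  fi
fi
```

harden_perms only changes the owner and mode when the check fails, so running it repeatedly is safe; on a live system it must be run as root to chown the device to root, while the check functions work for any user.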

Regardless of the POSIX access rights set for the device, the OES trustee model is enforced for the trustees and trustee access rights you define on /dev/zapi for individual users.

The key is specific to a user rather than a user-process pair. Therefore, two processes running as the same user can use the same key without requiring the second process to actually open the file. This behavior is the same as for zAPIs running for NSS on NetWare.