Trusted Solaris Developer's Guide

Privilege Debugging

Privilege debugging mode is described in Trusted Solaris Administrator's Procedures. This section summarizes the steps for enabling privilege debugging mode and for using runpd(1M) under that mode to find out which privileges an application needs.

  1. Privilege debugging mode allows an application to succeed when it does not have the privileges it needs, and records which privileges are missing. Because the mode lets privileged operations succeed without the required privileges, enable it only on a development or test system, never on a system that must enforce its security policy, and disable it again (reset the variable and reboot) when testing is finished.

  2. In the /etc/system file, set the tsol_privs_debug variable to 1. This file is ADMIN_LOW and the owner is root.

  3. In the /etc/syslog.conf file, uncomment the kern.debug; local0.debug line. This file is ADMIN_LOW and the owner is sys.

  4. Touch the /var/log/privdebug.log file. This file is ADMIN_HIGH and the owner is root.

  5. Reboot your system.

  6. Assume an administrative role with runpd(1M) in the profile.

  7. Use the runpd command to invoke the executable and find out which privileges, if any, are missing. The following command line invokes the executable file in Zelda's confidential home directory. Information on missing privileges is displayed at the command line and is logged to the /var/log/privdebug.log file.


phoenix# runpd /export/home/.MLD.Zelda/.SLD.2/executable

runpd terminated with a status of 1

process runpd pid 822 lacking privilege file_mac_search to 
perform special method upon resource VNODE (Jan 29 12:45)

process runpd pid 822 lacking privilege file_mac_read to 
perform read method upon resource VNODE (Jan 29 12:45)
  8. Interpret the privilege numbers in the /var/log/privdebug.log file. The log records each missing privilege by number rather than by name; the privilege number appears after the word privilege. In the entries below, process 822 lacks privilege numbers 11 and 10, which correspond to file_mac_search and file_mac_read in the runpd output above. Check the log as well as the runpd output, because the log keeps every denial recorded while the mode was on.


Jan 29 12:45:39 phoenix unix DEBUG: runpd pid 822 lacking 
privilege 11 to 5 79

Jan 29 12:45:39 phoenix unix DEBUG: runpd pid 822 lacking 
privilege 10 to 2 79
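As an added example (not part of the Trusted Solaris guide), the following POSIX shell script summarizes a privdebug log of the form shown above: it groups the "lacking privilege" entries by process ID and privilege number, counts how often each denial was recorded, and attaches the privilege names the guide identifies. The sample log is constructed from the guide's two example entries plus one duplicate; the name table covers only the two privilege numbers the guide names (10 and 11), so any other number is reported raw as priv_N and must be looked up in the system's privilege name list.

```shell
#!/bin/sh
# Added example, not code from the Trusted Solaris guide.
# Assumes log entries of the form the guide shows:
#   <date> <host> unix DEBUG: <cmd> pid <N> lacking privilege <num> to <method> <resource>

# Constructed sample log: the guide's two entries plus a repeated denial of privilege 10.
SAMPLE_LOG='Jan 29 12:45:39 phoenix unix DEBUG: runpd pid 822 lacking privilege 11 to 5 79
Jan 29 12:45:39 phoenix unix DEBUG: runpd pid 822 lacking privilege 10 to 2 79
Jan 29 12:45:40 phoenix unix DEBUG: runpd pid 822 lacking privilege 10 to 2 79'

# Map the privilege numbers named in the guide to their names (assumed table, only
# these two are given on the page); anything else is reported as priv_<num>.
priv_name() {
    case "$1" in
        10) echo file_mac_read ;;
        11) echo file_mac_search ;;
        *)  echo "priv_$1" ;;
    esac
}

# Read a privdebug log on stdin and print one line per (pid, privilege) pair:
#   pid <N>: <num> <name> x<count>
# sorted by pid and then by privilege number.
privdebug_summary() {
    awk '/lacking privilege/ {
            pid = ""; priv = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "pid") pid = $(i + 1)
                if ($i == "privilege") priv = $(i + 1)
            }
            if (pid != "" && priv != "") count[pid " " priv]++
        }
        END { for (k in count) print k, count[k] }' |
    sort -n -k1,1 -k2,2 |
    while read pid priv n; do
        echo "pid $pid: $priv $(priv_name "$priv") x$n"
    done
}

# Return 0 if every privilege number in the log is one the guide names,
# 1 if at least one unknown number appears (so it still needs a manual lookup).
privdebug_all_known() {
    unknown=$(privdebug_summary | grep -c ' priv_')
    [ "$unknown" -eq 0 ]
}

# Stand-alone run: summarize the constructed sample log.
printf '%s\n' "$SAMPLE_LOG" | privdebug_summary
```

To use it on a real system, replace the sample with the log file, for example `privdebug_summary < /var/log/privdebug.log` from a role that can read the ADMIN_HIGH file; the output lists each privilege the application needs and how often the kernel had to let an operation through because it was missing.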