Securing Users and Processes in Oracle® Solaris 11.2


Updated: July 2014
 
 

How to Determine Which Privileges a Program Requires

Use this debugging procedure when a command or process fails because of a missing privilege. After you find and fix the first privilege failure, you might need to run the ppriv -eD command again to find additional privilege requirements, because the process can fail on a different privilege once the first one is granted.

  1. Type the command that is failing as an argument to the ppriv debugging command.
    % ppriv -eD touch /etc/acct/yearly
    
    touch[5245]: missing privilege "file_dac_write"
         (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
    touch: cannot create /etc/acct/yearly: Permission denied 
  2. Use the syscall number from the debugging output to determine which system call is failing.

    Look up the syscall number in the /etc/name_to_sysnum file, which maps each system call name to its number. Match the whole number: a plain grep also matches any line that merely contains those digits, so use grep -w 224 when the number is short.

    % grep 224 /etc/name_to_sysnum
    
    creat64                 224

    In this example, the creat64() call is failing. The kernel reports file_dac_write as the missing privilege: to succeed, the process must either have write permission on the /etc/acct directory or be assigned the file_dac_write privilege, which bypasses discretionary write access checks on files and directories.
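The two steps above can be automated. The following script is an added example, not part of the Oracle manual: it reads ppriv -eD debugging output, extracts the missing privilege, the euid and the syscall number from each failure record, and resolves the number against a file in /etc/name_to_sysnum format. The ppriv samples and the syscall-table excerpt are constructed from the values shown on this page (chown = 16, creat64 = 224), so the script runs on any POSIX shell with awk; on a real Solaris system you would pass /etc/name_to_sysnum as the table and feed it the captured ppriv -eD output.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): decode "ppriv -eD" privilege-debugging
# output and resolve each reported syscall number to its name, as steps 1 and 2
# above do by hand. POSIX sh + awk only; all sample data below is constructed.

# Constructed excerpt in /etc/name_to_sysnum format ("<name> <number>"), limited to
# the two entries taken from this page. Replace with /etc/name_to_sysnum on Solaris.
SYSCALL_TABLE="${TMPDIR:-/tmp}/name_to_sysnum.$$"
trap 'rm -f "$SYSCALL_TABLE"' EXIT
cat > "$SYSCALL_TABLE" <<'EOF'
chown                   16
creat64                 224
EOF

# Constructed samples of ppriv -eD output, in the format shown on this page.
SAMPLE_TOUCH='touch[5245]: missing privilege "file_dac_write"
     (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
touch: cannot create /etc/acct/yearly: Permission denied'

SAMPLE_CHOWN_ROOT='chown[11481]: missing privilege "ALL"
     (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner'

# Read ppriv -eD output on stdin and print one "<privilege> <euid> <syscall>"
# line per failure. The privilege name is on the "missing privilege" line; the
# euid and the syscall number are on the line that follows it.
parse_ppriv_debug() {
    awk '
        /missing privilege "/ {
            priv = $0
            sub(/.*missing privilege "/, "", priv)
            sub(/".*/, "", priv)
        }
        /syscall = / && priv != "" {
            euid = $0; sub(/.*euid = /, "", euid);  sub(/,.*/, "", euid)
            n = $0;    sub(/.*syscall = /, "", n);  sub(/\).*/, "", n)
            print priv, euid, n
            priv = ""
        }
    '
}

# Map a syscall number ($1) to its name using a table file ($2) in
# /etc/name_to_sysnum format. The whole second field must match: a plain
# "grep 224" would also match any line that merely contains the digits 224.
sysnum_to_name() {
    awk -v n="$1" '$2 + 0 == n + 0 { print $1; exit }' "$2"
}

# Combine the two: "<privilege> <euid> <syscall> <name>" per failure record.
explain_privilege_failures() {
    parse_ppriv_debug | while read -r priv euid n; do
        name=$(sysnum_to_name "$n" "$1")
        printf '%s %s %s %s\n' "$priv" "$euid" "$n" "${name:-unknown}"
    done
}

# Stand-alone run: decode both constructed samples.
printf '%s\n' "$SAMPLE_TOUCH" | explain_privilege_failures "$SYSCALL_TABLE"
printf '%s\n' "$SAMPLE_CHOWN_ROOT" | explain_privilege_failures "$SYSCALL_TABLE"
```

The second sample is the Example 7-7 case below, where the kernel reports the missing privilege as ALL rather than a single named privilege; the parser passes that token through unchanged so the escalation check stands out in the decoded output.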

Example 7-5  Using the truss Command to Examine Privilege Use

The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:

% truss -t creat touch /etc/acct/yearly

creat64("/etc/acct/yearly", 0666)            Err#13 EACCES [file_dac_write]
touch: /etc/acct/yearly cannot create

The extended /proc interfaces report the missing privilege to truss, which prints it in brackets after the error code: here EACCES is followed by file_dac_write.

Example 7-6  Using the ppriv Command to Examine Privilege Use in a Profile Shell

In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change the ownership and permissions of files that objadmin does not own.

In the following excerpt, jdoe, who has not yet assumed the role, fails to change the ownership of the useful.script file because the file_chown privilege is missing:

jdoe% ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
jdoe% chown objadmin useful.script
chown: useful.script: Not owner
jdoe% ppriv -eD chown objadmin useful.script
chown[11444]: missing privilege "file_chown"
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner

When jdoe assumes the objadmin role, the same chown succeeds, and the role can also change the group of the file:

jdoe% su - objadmin
Password: xxxxxxxx

# ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script

# chown objadmin useful.script
# ls -l useful.script
-rw-r--r--  1 objadmin  staff  2303 Apr 10 10:10 useful.script
# chgrp admin useful.script

# ls -l useful.script
-rw-r--r--  1 objadmin  admin  2303 Apr 10 10:11 useful.script

Example 7-7  Changing a File Owned by the root User

This example illustrates the protections against privilege escalation. For a discussion, see Privilege Escalation and Kernel Privileges. The /etc/system file is owned by the root user. To change the ownership of a file owned by root, a process needs all privileges; the less powerful objadmin role does not have them, so the operation fails, and ppriv reports the missing privilege as ALL rather than as a single named privilege.

jdoe% su - objadmin
Password: xxxxxxxx

# cd /etc; ls -l system
-rw-r--r--  1 root  sys   1883 Oct 10 10:20 system

# chown objadmin system
chown: system: Not owner
# ppriv -eD chown objadmin system
chown[11481]: missing privilege "ALL" 
     (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner