Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

How to Determine Which Privileges a Program Requires

Use this debugging procedure when a command or process is failing. After finding the first privilege failure and fixing it, you might need to run the ppriv -eD command command again to find additional privilege requirements.

  1. Type the command that is failing as an argument to the ppriv debugging command.
    $ ppriv -eD touch /etc/acct/yearly
    
    touch[5245]: missing privilege "file_dac_write"
         (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
    touch: cannot create /etc/acct/yearly: Permission denied 
  2. Use the syscall number from the debugging output to determine which system call is failing.

    You find the name of the syscall number in the /etc/name_to_sysnum file.

    $ grep 224 /etc/name_to_sysnum
    
    creat64                 224

    In this example, the creat64() call is failing. To succeed, the process must be assigned the right to create a file in the /etc/acct/yearly directory.

Example 80  Using the truss Command to Examine Privilege Use

The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:

$ truss -t creat touch /etc/acct/yearly

creat64("/etc/acct/yearly", 0666)            
                       Err#13 EACCES [file_dac_write
]
touch: /etc/acct/yearly cannot create

The extended /proc interfaces report the missing file_dac_write privilege after the error code in truss output.

Example 81  Using the ppriv Command to Examine Privilege Use in a Profile Shell

In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change permissions on files that objadmin does not own.

In the following excerpt, jdoe fails to change the permissions on the useful.script file:

jdoe$ ls -l useful.script

-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
jdoe$ 
chown objadmin useful.script

chown: useful.script: Not owner
jdoe$ 
ppriv -eD chown objadmin useful.script

chown[11444]: missing privilege "file_chown" 
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner

When jdoe assumes the objadmin role, the permissions on the file are changed:

jdoe$ su - objadmin
Password: xxxxxxxx

$ ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script

$ chown objadmin useful.script
$ ls -l useful.script
-rw-r--r--  1 objadmin  staff  2303 Apr 10 10:10 useful.script
$ chgrp admin useful.script

$ ls -l objadmin.script
-rw-r--r--  1 objadmin  admin  2303 Apr 10 10:11 useful.script
Example 82  Changing a File Owned by the root User

This example illustrates the protections against privilege escalation. For a discussion, see Privilege Escalation and Kernel Privileges. The file is owned by the root user. The less powerful role, objadmin role needs all privileges to change the file's ownership, so the operation fails.

jdoe$ su - objadmin
Password: xxxxxxxx

$ cd /etc; ls -l system
-rw-r--r--  1 root  sys   1883 Oct 10 10:20 system

$ chown objadmin system
chown: system: Not owner
$ ppriv -eD chown objadmin system
chown[11481]: missing privilege "ALL" 
     (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner