Before I start: this is not about security; it's probably the antithesis of security. So I'd recommend starting by reading about how using privileges can break the security of your system.
There are three tools that I regularly use that require escalated privileges: dtrace, cpustat, and busstat. You can read up on the way that Solaris manages privileges. But if you know what you want to do, the process to figure out how to get the necessary privileges is reasonably straightforward.
To find out what privileges you have, you can use the ppriv -v $$ command. This will report all the privileges for the current shell.
To find out what privileges are stopping you from running a command, you should run it under ppriv -eD command. For example:
$ ppriv -eD cpustat -c instruction_counts 1 1
cpustat: missing privilege "sys_resource" (euid = 84945, syscall = 128) needed at rctl_rlimit_set+0x98
cpustat: missing privilege "cpc_cpu" (euid = 84945, syscall = 5) needed at kcpc_open+0x4
...
It is also possible to list all the privileges on the system using ppriv -l. This is helpful if the privilege has a name that maps onto what you want to do. The privileges for dtrace are good examples of this:
$ ppriv -l|grep dtrace
dtrace_kernel
dtrace_proc
dtrace_user
You can then use usermod -K ... to assign the necessary privileges to a user. For example:
$ usermod -K defaultpriv=basic,sys_resource,cpc_cpu username
Information about privileges for users is recorded in /etc/user_attr, so it is possible to directly edit that file to add or remove privileges.
Using this approach you can determine that busstat needs sys_config, cpustat needs sys_resource and cpc_cpu, and dtrace needs dtrace_kernel, dtrace_proc, and dtrace_user.
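The steps above can be tied together so that only the privileges actually reported as missing are granted. The following is an added example, not part of the original post: the function names and the repeated sample line are constructed for illustration, and it assumes the ppriv -eD debug lines have been saved to a file or pasted on stdin.

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal defaultpriv
# value from saved `ppriv -eD` debug lines instead of granting broad sets.

# Constructed sample: the two debug lines quoted in the post, one repeated
# to show de-duplication.
sample_output() {
    cat <<'EOF'
cpustat: missing privilege "sys_resource" (euid = 84945, syscall = 128) needed at rctl_rlimit_set+0x98
cpustat: missing privilege "cpc_cpu" (euid = 84945, syscall = 5) needed at kcpc_open+0x4
cpustat: missing privilege "cpc_cpu" (euid = 84945, syscall = 5) needed at kcpc_open+0x4
EOF
}

# Print each missing privilege once, in first-seen order (stdin: debug lines).
missing_privs() {
    sed -n 's/.*missing privilege "\([a-z0-9_][a-z0-9_]*\)".*/\1/p' |
        awk '!seen[$0]++'
}

# Print "defaultpriv=basic,<priv>,..." for usermod -K; exit status 1 and no
# output when no privilege was reported, so nothing gets changed needlessly.
defaultpriv_for() {
    missing_privs | awk '
        { list = list "," $0; n++ }
        END { if (n == 0) exit 1; print "defaultpriv=basic" list }'
}

# Show the command to review; this script never runs usermod itself.
if value=$(sample_output | defaultpriv_for); then
    echo "usermod -K $value username"
fi
```

The printed line matches the usermod example above and is meant to be reviewed before anyone runs it.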