Hi,
It looks like this is a good direction (at least for services).
BUT, where to change it for my account? My uid/gid are 1961/1961, I have
moved to rsyslog (to have proper date time entries), so:
$ grep -E "2013-12-04.*missing privilege.*euid.*1961" /var/adm/messages \
    | awk '{print $9}' | sort | uniq -c | sort -rn
7880 VBoxSVC[1959]:
2154 gnome-keyring-da[1860]:
92 pipes[20299]:
79 smplayer[2775]:
27 glslideshow[20233]:
27 drempels[18653]:
26 starwars[19386]:
26 plasma[20162]:
26 lavalite[19988]:
26 cubenetic[20089]:
26 carousel[19011]:
25 matrixview[19744]:
25 busyspheres[20208]:
24 timetunnel[18652]:
24 polyhedra[19732]:
24 klein[20374]:
24 hufo_smoke[20211]:
24 flux[20210]:
24 feedback[20300]:
24 bubble3d[18985]:
23 thunderbird[20380]:
23 surfaces[20091]:
23 surfaces[19683]:
23 rubikblocks[19174]:
23 rubikblocks[19106]:
23 jigglypuff[20140]:
23 jigglypuff[20092]:
23 hufo_tunnel[19153]:
23 hufo_tunnel[18683]:
23 glsnake[19273]:
23 glhanoi[20298]:
23 gflux[20323]:
23 flurry[19766]:
23 firefox[22420]:
23 firefox[22379]:
23 firefox[21735]:
23 firefox[20381]:
23 cyclone[20090]:
23 cubestorm[19707]:
23 cubestorm[18871]:
23 cubestorm[18706]:
23 boxed[19966]:
23 boing[19010]:
23 blinkbox[20014]:
23 atunnel[19175]:
20 screen[1991]:
12 pm-checkforupdat[19177]:
12 pkg[19872]:
12 pkg[19773]:
8 zpool[20571]:
8 dbus-daemon[1833]:
4 thunderbird[20377]:
4 firefox[20379]:
1 locate[21857]:
So, any idea if I should try to fix those? If yes, what would be proper
approach?
Thank you. Regards.
On 11/29/13 16:33, Predrag Zecevic [Unix Systems Administrator] wrote:
Hi Jim,
I have added 'Solarix' as profile to my user record in /etc/user_attr
file...
Your idea looks OK:
$ pfexec svcprop -p start/privileges hal
svcprop: Couldn't find property `start/privileges' for instance
`svc:/system/hal:default'.
Let me try:
$ pfexec svccfg -s hal setprop start/privileges = astring: basic,sys_mount
$ pfexec svcadm refresh hal
$ pfexec svcadm restart hal
$ pfexec svcprop -p start/privileges hal
basic,sys_mount
But, after USB has been inserted:
---8<------</var/adm/messages>---
Nov 29 16:23:20 solarix usba: [ID 912658 kern.info] USB 2.0 device
(usb1307,165) operating at hi speed (USB 2.x) on USB 2.0 root hub:
storage@4, scsa2usb0 at bus address 2
Nov 29 16:23:20 solarix usba: [ID 349649 kern.info] USBest
Technology Mass Storage Device 000000000003EA
Nov 29 16:23:20 solarix genunix: [ID 936769 kern.info] scsa2usb0 is
/pci@0,0/pci1028,23d@1d,7/storage@4
Nov 29 16:23:20 solarix genunix: [ID 408114 kern.info]
/pci@0,0/pci1028,23d@1d,7/storage@4 (scsa2usb0) online
Nov 29 16:23:20 solarix scsi: [ID 583861 kern.info] sd0 at scsa2usb0:
target 0 lun 0
Nov 29 16:23:20 solarix genunix: [ID 936769 kern.info] sd0 is
/pci@0,0/pci1028,23d@1d,7/storage@4/disk@0,0
Nov 29 16:23:20 solarix genunix: [ID 408114 kern.info]
/pci@0,0/pci1028,23d@1d,7/storage@4/disk@0,0 (sd0) online
Nov 29 16:23:20 solarix unix: [ID 954099 kern.info] NOTICE: IRQ19 is
being shared by drivers with different interrupt levels.
Nov 29 16:23:20 solarix This may result in reduced system performance.
Nov 29 16:23:20 solarix unix: [ID 954099 kern.info] NOTICE: IRQ19 is
being shared by drivers with different interrupt levels.
Nov 29 16:23:20 solarix This may result in reduced system performance.
Nov 29 16:23:48 solarix last message repeated 5 times
Nov 29 16:23:52 solarix genunix: [ID 864859 kern.notice] NOTICE:
dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall
= 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix last message repeated 2 times
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE:
dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall
= 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix last message repeated 2 times
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE:
gvfsd-computer[2719]: missing privilege "proc_audit" (euid = 1961,
syscall = 186) needed at secpolicy_audit_getattr+0x4c
---8<---
I have another set of missing privileges and programs.
It looks to me, this approach will lead to solution...
Now:
$ pfexec svcs -p svc:/system/dbus:default
STATE STIME FMRI
online 13:01:32 svc:/system/dbus:default
13:01:32 290 dbus-daemon
### This ALSO need some start/privileges ?
$ pfexec svcprop -p start/privileges svc:/system/dbus:default
svcprop: Couldn't find property `start/privileges' for instance
`svc:/system/dbus:default'.
And for gvfsd-computer I am not sure what to do:
$ pkg search gvfsd-computer
INDEX ACTION VALUE PACKAGE
basename file usr/lib/gvfsd-computer
pkg:/library/gnome/gvfs@0.5.11-0.151.1.8
It could be that gdm is starting it?
$ pfexec svcs -p gdm
STATE STIME FMRI
online 13:02:06 svc:/application/graphical-login/gdm:default
13:02:06 1540 gdm-binary
$ svcprop -p start/privileges gdm
svcprop: Couldn't find property `start/privileges' for instance
`svc:/application/graphical-login/gdm:default'.
So, may I AT ALL use similar logic here?
Regards.
On 11/29/13 16:14, Jim Klimov wrote:
See below
On 2013-11-29 15:46, Predrag Zecevic [Unix Systems Administrator] wrote:
Hi,
I cannot mount USB devices anymore in my /hipster installation (I mean
automatically mount within JDS/GNOME).
> ...
Nov 29 15:04:00 solarix genunix: [ID 864859 kern.notice] NOTICE:
hald-addon-stora[2482]: missing privilege "sys_mount" (euid = 0, syscall
= 255) needed at secpolicy_fs_owner+0x2e
It looks like hald-addon-storage has some privilege problems, so I have
added it (Profile is called 'Solarix' and I am trying to get collected
there all missing privileges - plenty of them). But for now, I would
like to focus on this one:
/etc/security/exec_attr:Solarix:solaris:cmd:::/usr/lib/hal/hald-addon-storage:privs=sys_mount
What else I have to check/change - what I am missing?
How do you then reference the "Solarix" profile?
I'd say that you need to look into the "hal" service definition:
root@openindiana:~# ps -ef | grep hal
root 359 297 0 Nov 27 ? 0:12
/usr/lib/hal/hald-addon-acpi
root 397 297 0 Nov 27 ? 0:00
/usr/lib/hal/hald-addon-storage
root 297 290 0 Nov 27 ? 0:00 hald-runner
root 344 297 0 Nov 27 ? 0:00
/usr/lib/hal/hald-addon-network-discovery
root 346 297 0 Nov 27 ? 0:00
/usr/lib/hal/hald-addon-cpufreq
root 290 1 0 Nov 27 ? 0:08 /usr/lib/hal/hald
--daemon=yes
root@openindiana:~# svcs -p hal
STATE STIME FMRI
online Nov_27 svc:/system/hal:default
Nov_27 290 hald
Nov_27 297 hald-runner
Nov_27 344 hald-addon-netw
Nov_27 346 hald-addon-cpuf
Nov_27 359 hald-addon-acpi
Nov_27 397 hald-addon-stor
Here we see that hald-addon-storage is spawned by hald-runner by hald,
and they all are part of the "hal" SMF service. You might need to add
the privileges involved to the startup method as part of its context,
i.e.
svccfg -s hal setprop start/privileges = astring: basic,sys_mount
svcadm refresh hal
svcadm restart hal
Would this help?
HTH,
//Jim
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zece...@2e-systems.com
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
[***]===---
hard, adj.: The quality of your own data; also how it is to believe
those of other people.
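
Added example, not written by anyone in this thread: the grep/awk count above is keyed on program[pid], so one program is split across PIDs and the missing privilege itself is not shown. The script below groups the same kernel notices by euid, program and privilege; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: group illumos "missing privilege" notices by program.
# Constructed sample input modelled on the notices quoted in this thread; the
# pid 1833 line and the gvfsd-computer sys_mount line are made up for grouping.
sample_log() {
cat <<'EOF'
Nov 29 15:04:00 solarix genunix: [ID 864859 kern.notice] NOTICE: hald-addon-stora[2482]: missing privilege "sys_mount" (euid = 0, syscall = 255) needed at secpolicy_fs_owner+0x2e
Nov 29 16:23:52 solarix genunix: [ID 864859 kern.notice] NOTICE: dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE: dbus-daemon[1833]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE: gvfsd-computer[2719]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE: gvfsd-computer[2719]: missing privilege "sys_mount" (euid = 1961, syscall = 255) needed at secpolicy_fs_owner+0x2e
Nov 29 16:23:20 solarix genunix: [ID 408114 kern.info] /pci@0,0/pci1028,23d@1d,7/storage@4 (scsa2usb0) online
EOF
}

# stdin: syslog text. stdout: "count euid program privilege", busiest first.
# PIDs are dropped so that several instances of one program are merged.
summarize_missing_privs() {
    awk '
    /missing privilege "/ {
        prog = ""; priv = ""; euid = ""
        if (match($0, /[^ ]+\[[0-9]+\]: missing privilege/)) {
            prog = substr($0, RSTART, RLENGTH)
            sub(/\[[0-9]+\]:.*/, "", prog)      # strip "[pid]: ..." suffix
        }
        if (match($0, /missing privilege "[^"]+"/))
            priv = substr($0, RSTART + 19, RLENGTH - 20)
        if (match($0, /euid = [0-9]+/))
            euid = substr($0, RSTART + 7, RLENGTH - 7)
        if (prog != "" && priv != "" && euid != "")
            n[euid " " prog " " priv]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2n -k3,3 -k4,4
}

# stdin: syslog text. stdout: "euid program priv1,priv2,...", i.e. the
# candidate privilege set to review for each program.
privs_by_program() {
    summarize_missing_privs | awk '
    { key = $2 " " $3
      if (key in set) { set[key] = set[key] "," $4 } else { order[++m] = key; set[key] = $4 } }
    END { for (i = 1; i <= m; i++) print order[i], set[order[i]] }'
}

sample_log | privs_by_program
```

On a live system the same functions read the log directly, for example summarize_missing_privs < /var/adm/messages; the parser does not depend on field positions, so it works with either timestamp format.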