On 09/10/08 02:24, prasad wrote:
> What is the relationship between privileges and file permissions?
> I am getting a permission denied error due to lack of file_dac_* privilege.
>
> Here's one of my simple cases...
>
> I have the following entry in /etc/security/exec_attr:
> App Log Management:solaris:cmd:::/u01/apps/bin/logLvl:euid=app;egid=app;privs=all
>
> where /u01/apps/bin/logLvl has read and execute permissions (0500) only for
> the user app.
>
> This entry in /etc/security/prof_attr:
> App Log Management:::Manage App Logs:
>
> This entry in /etc/user_attr:
> pjlv::::type=normal;profiles=App Management
>
> So when I am logged in as pjlv, my understanding was that I could run
> /u01/apps/bin/logLvl without issues but it's failing in this manner:
>
> $ pfexec /u01/apps/bin/logLvl
> pfexec: Permission denied
>
> $ pfexec ppriv -De /u01/apps/bin/logLvl
> ppriv[6658]: missing privilege "file_dac_execute" (euid = 2000, syscall = 59)
> needed at ufs_access+0x3c
> ppriv: /u01/apps/dncs/bin/logLvl: Permission denied
>
>
> My questions are:
> * Why is it that I don't have execute privilege? Should privs=all take care
> of this?

EBSAK: "Error Between Seat and Keyboard" ;-)

Your user_attr entry adds the profile "App Management" while you've defined
"App Log Management" in exec_attr.

Joep
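
The profile-name mismatch identified in the reply can be caught mechanically. The following is an added example, not part of the original thread: a Python check that cross-references the profiles assigned in user_attr against prof_attr and exec_attr, using the thread's three entries as embedded sample input. The function names are hypothetical, and nested profiles and system-wide default profiles are not resolved.

```python
# Added example (not from the thread): cross-check RBAC profile names between
# user_attr, prof_attr and exec_attr. Inputs are the thread's entries, embedded
# as sample data; nested profiles and system-wide defaults are not resolved.
USER_ATTR = "pjlv::::type=normal;profiles=App Management\n"
PROF_ATTR = "App Log Management:::Manage App Logs:\n"
EXEC_ATTR = ("App Log Management:solaris:cmd:::/u01/apps/bin/logLvl:"
             "euid=app;egid=app;privs=all\n")


def records(text, nfields):
    """Yield the colon-separated fields of each non-comment, well-formed line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) == nfields:
            yield fields


def key_values(attr):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)


def audit(user_attr, prof_attr, exec_attr):
    """Return (undefined, commands): profiles assigned to users but missing from
    prof_attr, and the exec_attr commands each user actually reaches."""
    defined = {f[0] for f in records(prof_attr, 5)}
    by_profile = {}
    for name, _policy, _type, _r1, _r2, path, _attr in records(exec_attr, 7):
        by_profile.setdefault(name, []).append(path)
    undefined, commands = [], {}
    for user, _q, _r1, _r2, attr in records(user_attr, 5):
        profiles = [p.strip() for p in key_values(attr).get("profiles", "").split(",")]
        commands[user] = []
        for prof in filter(None, profiles):
            if prof not in defined:
                undefined.append((user, prof))
            commands[user] += by_profile.get(prof, [])
    return undefined, commands


if __name__ == "__main__":
    for user, prof in audit(USER_ATTR, PROF_ATTR, EXEC_ATTR)[0]:
        print(f"{user}: profile {prof!r} is not defined in prof_attr")
```

With the thread's entries, pjlv reaches no exec_attr command at all; changing the user_attr value to "App Log Management" makes /u01/apps/bin/logLvl appear in that user's command list.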