Mike DeMarco wrote:
> ppriv -eD /usr/sbin/ifconfig iwk0 plumb
> ifconfig[1902]: missing privilege "ALL" (euid = 504, syscall = 5) needed at
> devfs_unlocked_access+0x7d
> ifconfig[1902]: missing privilege "ALL" (euid = 504, syscall = 5) needed at
> devfs_unlocked_access+0x7d
> ifconfig[1902]: missing privilege "ALL" (euid = 504, syscall = 5) needed at
> devfs_unlocked_access+0x7d
> ifconfig: cannot open link "iwk0": Permission denied
>
> How do I define "ALL" in user_attr?
> This does not make sense to me, Enlightenment needed.

Using the keyword "all" as in "privs=all". :-)

There are some operations that require all privileges, rather than a
single specific privilege. Generally these are operations that can allow
you to acquire arbitrary privileges, so the operations require that you
already have all privileges in order to prevent escalation. Two common
examples are opening /dev/kmem (you could alter process privileges by
changing kernel data structures) or modifying root-owned files (which
may control system configuration).

The other way to specify all privileges is to specify uid=0 for a
command that is not privilege aware, like ifconfig. That's what the
Network Management profile does for ifconfig:

    Network Management:solaris:cmd:::/sbin/ifconfig:uid=0

So the best answer to your question is to add Network Management to the
user's list of profiles in user_attr and then invoke ifconfig from a
profile shell or using pfexec.

Scott
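
An added example, not part of Scott's message or of Solaris itself: a small audit that parses exec_attr-style entries and lists the commands a profile runs with every privilege, either through `privs=all` or through `uid=0` as in the Network Management entry quoted above. Apart from that one entry, the profile names and paths are constructed, and treating `euid=0` the same as `uid=0` is an assumption of this example.

```python
# Added example: audit exec_attr-style entries for commands that run with all privileges.
SAMPLE_EXEC_ATTR = """\
# First entry is the one quoted in the message; the other three are constructed.
Network Management:solaris:cmd:::/sbin/ifconfig:uid=0
Example Net Tool:solaris:cmd:::/opt/example/bin/nettool:privs=sys_net_config
Example Debug:solaris:cmd:::/opt/example/bin/kdebug:privs=all
Example Mixed:solaris:cmd:::/opt/example/bin/mixed:euid=0;privs=file_dac_read
"""

def parse_entry(line):
    """Split name:policy:type:res1:res2:id:attr; None for comments, blanks, malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":", 6)
    if len(fields) != 7:
        return None
    name, policy, kind, _res1, _res2, cmd, attr = fields
    attrs = {}
    for pair in filter(None, attr.split(";")):   # attr is a ';'-separated key=value list
        key, _, value = pair.partition("=")
        attrs[key.strip()] = value.strip()
    return {"profile": name, "policy": policy, "type": kind, "id": cmd, "attrs": attrs}

def full_privilege_reason(attrs):
    """Return the attribute that grants everything, or None. euid=0 handling is an assumption."""
    privs = {p.strip().lower() for p in attrs.get("privs", "").split(",")}
    if "all" in privs:
        return "privs=all"
    for key in ("uid", "euid"):
        if attrs.get(key) in ("0", "root"):
            return f"{key}={attrs[key]}"
    return None

def audit(text):
    """Return (profile, command, reason) for every entry that runs fully privileged."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = full_privilege_reason(entry["attrs"])
        if reason:
            findings.append((entry["profile"], entry["id"], reason))
    return findings

if __name__ == "__main__":
    for profile, cmd, reason in audit(SAMPLE_EXEC_ATTR):
        print(f"{profile}: {cmd} runs with all privileges ({reason})")
```

Any user whose user_attr profile list includes one of the reported profiles can run that command fully privileged through pfexec or a profile shell, so these are the entries to review first.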