Hi security experts, I'm working on applications that may need to address Solaris security issues, especially the privilege model. I have several questions about how to define an application's privileges.

1). First of all, does Solaris policy require new applications that are going to be integrated into Solaris to be privilege-aware?

2). How can I find what kind of privileges an application requires? I'm using ppriv(1) to debug my application and I got error messages like this:

[i]-bash-3.2$ /usr/sbin/wusbadm list -v
--------
wusbadm[1568]: missing privilege "ALL" (euid = 227722, syscall = 5) needed at devfs_unlocked_access+0x5f[/i]

I guess the ppriv gives the real complaint, not fake ones. The normal user needs all privilege set to open(2) for this case. Right?

truss(1) output:

[[omitted]]
write(1, " - - - - - - - -\n", 9) = 9
getdents64(3, 0xD1284000, 8192) = 672
wusbadm[1566]: missing privilege "ALL" (euid = 227722, syscall = 5) needed at devfs_unlocked_access+0x5f
open("/dev/usb/whost0", O_RDWR) Err#13 EACCES [ALL]
getdents64(3, 0xD1284000, 8192) = 0
_exit(0)

It seems I need to gain additional privileges to access the device node. But I'm using the default device policy for this driver:

# getdevpolicy /dev/usb/whost0
/dev/usb/whost0
read_priv_set=none
write_priv_set=none

Does the whost0 really require ALL privileges?

3). For an SMF service, how do I define its privileges? I notice some services define their privilege set. What kind of methods or tools can be used to select proper privileges?

Please reply to me directly as I'm not on this list.

Thanks a lot,
Lei Chen

This message posted from opensolaris.org