Hi security experts,
     I'm working on applications that may need to address Solaris security 
issues, especially the privilege model. I have several questions about how to 
define an application's privileges.

    1). First of all, does Solaris policy require new applications going to be 
integrated into Solaris to be privilege-aware?

    2). How can I find what kind of privileges an application requires?
I'm using ppriv(1) to debug my application and I got such error messages:

    [i]-bash-3.2$ /usr/sbin/wusbadm list -v
    --------
    wusbadm[1568]: missing privilege "ALL" (euid = 227722, syscall = 5) needed 
at devfs_unlocked_access+0x5f[/i]

I guess the ppriv gives the real complaint, not fake ones. The normal user 
needs all privilege set to open(2) for this case. Right?

truss(1) output:

    [[omitted]]
    write(1, " - - - - - - - -\n", 9)               = 9
    getdents64(3, 0xD1284000, 8192)                 = 672
    wusbadm[1566]: missing privilege "ALL" (euid = 227722, syscall = 5) needed 
at devfs_unlocked_access+0x5f
    open("/dev/usb/whost0", O_RDWR)                 Err#13 EACCES [ALL]
    getdents64(3, 0xD1284000, 8192)                 = 0
    _exit(0)

It seems I need to gain additional privileges to access the device node. But 
I'm using the default device policy for this driver,
    # getdevpolicy /dev/usb/whost0
    /dev/usb/whost0
            read_priv_set=none
            write_priv_set=none

Does the whost0 really require ALL privileges?

    3). For an SMF service, how to define its privileges? I notice some 
services define their privilege set. What kind of methods or tools can be used 
to select proper privileges?

Please reply me directly as I'm not in this list.

Thanks a lot,
Lei Chen
 
 
This message posted from opensolaris.org

Reply via email to