ufsdump, Solaris 9 & RBAC not working correctly

From: Chris Hoogendyk (hoogendyk@bio.umass.edu)
Date: Thu Apr 28 2005 - 09:55:54 EDT


I've found brief discussions on a couple of lists attributing the error

   Unable to create temporary directory in any of the
   directories listed below:
     /tmp/
     /var/tmp/
     /
   Please correct this problem and rerun the program.

to a "bug" in ufsdump in Solaris 9. One person said he replaced the
Solaris 9 ufsdump binary with the Solaris 8 ufsdump binary and it worked
without the error.

The error seems to be caused by the creation of a directory with 0
permissions on /tmp and then an attempt to create a subdirectory under
that. root can do it, but if you run ufsdump as non-root, it cannot,
even though ufsdump is suid root.

In one thread, Casper Dik said
   "The only thing ufsdump/ufsrestore use set-uid root for is
    to use rcmd(3) for remote tape style dumping. They
    do not run with euid == 0 when doing anything else."

I don't really get that. I thought suid was suid.

Anyway, I've created a role "backup" with the following specs:

   # grep backup /etc/passwd
   backup:x:7000:7000:Tape Backup:/u1/home/.backup:/bin/pfksh

   # grep backup /etc/user_attr
   backup::::type=role;profiles=Dump

   # grep Dump /etc/security/prof_attr
   Dump:::Tape Backup User:

   # grep Dump /etc/security/exec_attr
   Dump:suser:cmd:::/usr/lib/fs/ufs/ufsdump:euid=0;gid=sys
   Dump:suser:cmd:::/usr/lib/fs/ufs/fssnap:euid=0;gid=sys

If I 'su - backup' and do a ufsdump, I still get the same error
described above. Presumably, I'm not only running ufsdump as root as per
the role, but ufsdump is also suid root.

I know the role is working, because I got a permission denied on the
fssnap before I had it set up, and now the fssnap works. In both cases,
I'm using the full path to the binary and not the symlink.

I really want to use RBAC rather than run this whole thing as root.

Any ideas?

---------------

Chris Hoogendyk

-
    O__ ---- Systems Administrator
   c/ /'_ --- Biology Department
  (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk@bio.umass.edu>

---------------
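The following is an added example, not part of the original post and not ufsdump's source: a C sketch of the privilege-bracketing pattern that the quoted remark describes, where a set-uid program runs with the invoking user's effective uid and raises it only around the one step that needs it. The function names and the `record_euid` step are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* euid at startup: 0 if the binary is installed set-uid root (assumption) */
static uid_t start_euid;

/* Call first in main(): remember the privileged euid, then switch the
 * effective uid to the invoking user's real uid. The saved set-user-ID
 * keeps the old value, so it can be restored later. */
int priv_init(void)
{
    start_euid = geteuid();
    return seteuid(getuid());
}

/* Run fn(arg) with the startup euid, then return to the real uid.
 * Returns fn's result, or -1 if either switch fails. */
int with_privilege(int (*fn)(void *), void *arg)
{
    int rc;
    if (seteuid(start_euid) != 0)
        return -1;
    rc = fn(arg);
    if (seteuid(getuid()) != 0)
        return -1;
    return rc;
}

/* Hypothetical privileged step: records the euid it ran under. */
int record_euid(void *out)
{
    *(uid_t *)out = geteuid();
    return 0;
}

/* 1 when file and directory creation is checked against the real uid. */
int running_as_invoker(void) { return geteuid() == getuid(); }

int main(void)
{
    uid_t seen;
    if (priv_init() != 0 || with_privilege(record_euid, &seen) != 0)
        return 1;
    printf("ruid=%ld privileged euid=%ld current euid=%ld\n",
           (long)getuid(), (long)seen, (long)geteuid());
    return 0;
}
```

Outside `with_privilege`, calls such as mkdir(2) are permission-checked against the invoking user's uid, even though the file on disk carries the set-uid bit.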
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:36 EDT