Bug #3481

sbdadm RBAC missing privilege "file_dac_read"

Added by Piotr Jasiukajtis over 7 years ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
system data
Start date:
2013-01-18
Due date:
% Done:

0%

Estimated time:
Difficulty:
Bite-size
Tags:
needs-triage
Gerrit CR:

Description

The 'File System Management' RBAC profile is missing privileges for the sbdadm command:

# useradd -m privtest
# usermod -P "ZFS File System Management","ZFS Storage Management","File System Management" privtest
# su - privtest

$ /usr/bin/pfexec zfs create -V 100m rpool/test3

$ /usr/bin/ppriv -e -D /usr/bin/pfexec /usr/sbin/sbdadm create-lu /dev/zvol/rdsk/rpool/test3
sbdadm[23012]: missing privilege "file_dac_read" (euid = 1951, syscall = 54) needed at devfs_unlocked_access+0x7b
sbdadm: permission denied

# /opt/DTT/dtruss -n sbdadm
PID/LWP    SYSCALL(args)                 = return
 23078/1:  systeminfo(0x5, 0x80479D8, 0x101)             = 6 0
 23078/1:  mmap(0x0, 0x20, 0x7)          = -17104896 0
 23078/1:  mmap(0x0, 0x1000, 0x7)                = -17170432 0
 23078/1:  mmap(0x0, 0x1000, 0x3)                = -17235968 0
 23078/1:  mmap(0x0, 0x1000, 0x3)                = -17301504 0
 23078/1:  memcntl(0xFEFB7000, 0x7D70, 0x4)              = 0 0
 23078/1:  memcntl(0x8050000, 0x14B0, 0x4)               = 0 0
 23078/1:  resolvepath("/usr/lib/ld.so.1\0", 0x80476D8, 0x3FF)           = 12 0
 23078/1:  resolvepath("/usr/sbin/sbdadm\0", 0x80476D8, 0x3FF)           = 16 0
 23078/1:  sysconfig(0x6, 0x0, 0x10)             = 4096 0
 23078/1:  stat64("/usr/sbin/sbdadm\0", 0x8047A58, 0x1000)               = 0 0
 23078/1:  open("/var/ld/ld.config\0", 0x0, 0x0)                 = -1 Err#2
 23078/1:  stat64("/lib/libc.so.1\0", 0x8047208, 0xFFFFFFFF)             = 0 0
 23078/1:  resolvepath("/lib/libc.so.1\0", 0x80472F8, 0x3FF)             = 14 0
 23078/1:  open("/lib/libc.so.1\0", 0x0, 0x0)            = 3 0
 23078/1:  mmapobj(0x3, 0x20000, 0xFEFA0D88)             = 0 0
 23078/1:  close(0x3)            = 0 0
 23078/1:  mmap(0x0, 0x1000, 0x7)                = -18677760 0
 23078/1:  memcntl(0xFEE40000, 0x2BBE8, 0x4)             = 0 0
 23078/1:  mmap(0x10000, 0x6000, 0x7)            = -18743296 0
 23078/1:  setcontext(0x0, 0x80478B8, 0xFEE20000)                = 0 0
 23078/1:  getrlimit(0x3, 0x80478B0, 0x0)                = 0 0
 23078/1:  getpid(0x455F1A40, 0x0, 0x0)          = 23078 0
 23078/1:  setcontext(0x3, 0xFEE22AA0, 0x1C3)            = 0 0
 23078/1:  sysi86(0x29, 0xFEF79C24, 0x133F)              = 1 0
 23078/1:  brk(0x8065CE0)                = 0 0
 23078/1:  brk(0x8067CE0)                = 0 0
 23078/1:  fstat64(0x1, 0x803B480, 0x0)          = 0 0
 23078/1:  stat64("/lib/libstmf.so.1\0", 0x803AAC8, 0x0)                 = -1 Err#2
 23078/1:  stat64("/usr/lib/libstmf.so.1\0", 0x803AAC8, 0xFFFFFFFF)              = 0 0
 23078/1:  resolvepath("/usr/lib/libstmf.so.1\0", 0x803ABB8, 0x3FF)              = 21 0
 23078/1:  open("/usr/lib/libstmf.so.1\0", 0x0, 0x0)             = 3 0
 23078/1:  mmapobj(0x3, 0x20000, 0xFEE30C90)             = 0 0
 23078/1:  close(0x3)            = 0 0
 23078/1:  mmap(0x0, 0x1000, 0x7)                = -19005440 0
 23078/1:  memcntl(0xFEDF0000, 0x385C, 0x4)              = 0 0
 23078/1:  brk(0x8067CE0)                = 0 0
 23078/1:  brk(0x8069CE0)                = 0 0
 23078/1:  open("/devices/pseudo/stmf_sbd@0:admin\0", 0x4, 0x0)          = 3 0
 23078/1:  ioctl(0x3, 0x5B0001, 0x803B4C0)               = -1 Err#13
 23078/1:  close(0x3)            = 0 0
 23078/1:  fstat64(0x2, 0x803A590, 0x0)          = 0 0
 23078/1:  write(0x2, "sbdadm\0", 0x6)           = 6 0
 23078/1:  write(0x2, ": \0", 0x2)               = 2 0
 23078/1:  write(0x2, "permission denied\0", 0x11)               = 17 0
 23078/1:  write(0x2, "\n\0", 0x1)               = 1 0

I found that adding "file_dac_read" is not sufficient, so I added euid=0 as a workaround/fix:

 # diff -u /.zfs/snapshot/2012-09-05-13\:05\:20//etc/security/exec_attr /etc/security/exec_attr
 --- /.zfs/snapshot/2012-09-05-13:05:20//etc/security/exec_attr  Mon Apr 16 15:20:35 2012
 +++ /etc/security/exec_attr     Fri Jan 18 13:19:32 2013
 @@ -68,7 +68,7 @@
  File System Management:solaris:cmd:::/usr/sbin/quotaon:uid=0;gid=sys
  File System Management:solaris:cmd:::/usr/sbin/raidctl:privs=sys_config,sys_devices;euid=0
  File System Management:solaris:cmd:::/usr/sbin/sasinfo:privs=sys_devices
 -File System Management:solaris:cmd:::/usr/sbin/sbdadm:privs=sys_devices
 +File System Management:solaris:cmd:::/usr/sbin/sbdadm:privs=sys_devices;euid=0
  File System Management:solaris:cmd:::/usr/sbin/stmfadm:privs=sys_devices
  File System Management:suser:cmd:::/usr/bin/eject:euid=0
  File System Management:suser:cmd:::/usr/bin/mkdir:euid=0
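Review bot: the "+" line swaps the one privilege the trace names for euid=0, which hands sbdadm the root identity instead of extending the discrete privs= set the entry was written with. The ppriv output above reports file_dac_read missing at devfs_unlocked_access while opening /devices/pseudo/stmf_sbd@0:admin, and the dtruss trace then shows the ioctl on that node failing with Err#13; the description says file_dac_read alone still fails but does not say which privilege the ioctl path wants. Rerun ppriv -e -D with file_dac_read already added to the entry so the next missing privilege is named, and list it under privs= (for example "privs=sys_devices,file_dac_read,<next privilege>"); if euid=0 turns out to be genuinely required, record why in the change description. The raidctl line two above does combine privs= with euid=0, so the syntax of the new line is consistent with the file. The stmfadm entry directly below carries the identical privs=sys_devices spec, so it is worth checking whether it fails the same way under the profile.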

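As an added example, not code from the report or from illumos, here is a small POSIX sh audit for the kind of change the diff above makes. It parses exec_attr(4) lines in the seven-field layout shown in the hunk and lists which entries of a profile grant the root identity (euid=0 or uid=0) rather than a discrete privs= set, and it pulls the privilege name out of a ppriv -D debug line like the one in the trace. The sample exec_attr content is constructed from the lines visible in the diff (with the euid=0 workaround applied), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or illumos): audit an exec_attr(4)
# file for profile entries that run a command as root (euid=0 / uid=0)
# instead of with a discrete privilege set, and extract privilege names
# from ppriv -D "missing privilege" lines.

# Constructed sample, taken from the exec_attr lines shown in the report
# with the sbdadm workaround (euid=0) applied. Not read from a live system.
SAMPLE_EXEC_ATTR=$(mktemp)
trap 'rm -f "$SAMPLE_EXEC_ATTR"' EXIT
cat > "$SAMPLE_EXEC_ATTR" <<'EOF'
File System Management:solaris:cmd:::/usr/sbin/quotaon:uid=0;gid=sys
File System Management:solaris:cmd:::/usr/sbin/raidctl:privs=sys_config,sys_devices;euid=0
File System Management:solaris:cmd:::/usr/sbin/sasinfo:privs=sys_devices
File System Management:solaris:cmd:::/usr/sbin/sbdadm:privs=sys_devices;euid=0
File System Management:solaris:cmd:::/usr/sbin/stmfadm:privs=sys_devices
File System Management:suser:cmd:::/usr/bin/eject:euid=0
EOF

# exec_attr fields: name:policy:type:res1:res2:id:attr (seven colon-separated
# fields). Print "id attr" for every entry belonging to the named profile.
profile_entries() {   # $1 = exec_attr path, $2 = profile name
    awk -F: -v p="$2" '$1 == p { print $6, $7 }' "$1"
}

# Print the command path of every entry in the profile whose attribute list
# contains euid=0 or uid=0, i.e. entries that escalate to the root identity
# rather than adding only the privileges the command needs.
root_identity_entries() {   # $1 = exec_attr path, $2 = profile name
    profile_entries "$1" "$2" | awk '
        {
            n = split($2, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] == "euid=0" || kv[i] == "uid=0") { print $1; break }
        }'
}

# Read privilege-debug output (ppriv -e -D ... or a syslog copy) on stdin and
# print the name inside each 'missing privilege "..."' message, one per line.
missing_privs() {
    sed -n 's/.*missing privilege "\([^"]*\)".*/\1/p'
}

# Usage: which entries of the profile run as root?
root_identity_entries "$SAMPLE_EXEC_ATTR" "File System Management"

# Usage: which privilege did the trace in the report ask for?
printf '%s\n' 'sbdadm[23012]: missing privilege "file_dac_read" (euid = 1951, syscall = 54) needed at devfs_unlocked_access+0x7b' | missing_privs
```

Run it against a real /etc/security/exec_attr by passing that path instead of the constructed sample; any path root_identity_entries prints is a command the profile runs with full root identity, which is exactly the trade-off the euid=0 workaround above makes for sbdadm.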