sudo and RBAC, or which privilege to pick
Robert Milkowski recently posted how to use sudo with Solaris privileges; see Sudo and Solaris Privileges.
milek ALL=()PRIVS="basic,sys_admin" NOPASSWD:/usr/sbin/fmadm faulty
Solaris 11.3 SRU 21 currently has 87 privileges (see ppriv -l). But why do I need "sys_admin" for fmadm?
Well the fmadm(1M) manpage says so. ;-)
The fmadm utility requires the user to possess the SYS_ADMIN privilege.
But how do we check when we don't know which privilege is needed? Let's start with a small example whose source we control, so it is not a black box.
$ cat p.c
#include <assert.h>
#include <priv.h>
#include <stdio.h>

int
main(void)
{
	/* Fetch the effective privilege set of this process. */
	priv_set_t *sp = priv_allocset();
	assert(sp != NULL);
	int ret = getppriv(PRIV_EFFECTIVE, sp);
	assert(ret == 0);
	if (!priv_ismember(sp, PRIV_SYS_ADMIN)) {
		printf("Nope\n");
	}
	priv_freeset(sp);
	return 0;
}
$ cc -m64 -g -Wall p.c
$ apptrace -v priv_ismember ./a.out
-> a.out -> libc.so.1:boolean_t priv_ismember(const priv_set_t * = 0xffff80ffbf690290, const char * = 0x400cde "sys_admin")
arg0 = (const priv_set_t *) 0xffff80ffbf690290
arg1 = (const char *) 0x400cde "sys_admin"
Nope
When we try the same with fmadm faulty there are no priv_ismember calls in the client. But we see a lot of door calls, and we recall there's a fault manager daemon running, so the privilege check is probably done on the daemon side of the door against the caller's credentials.
$ svcs -p svc:/system/fmd:default
STATE STIME FMRI
online Jul_19 svc:/system/fmd:default
Jul_19 998 fmd
Let's fire up DTrace to check if there are any priv_ismember calls in /usr/lib/fm/fmd/fmd: attach to the daemon in one (root) terminal and run fmadm as the unprivileged user in another.
# cat priv.d
#!/usr/sbin/dtrace -Cs
#include <sys/priv_const.h>
#pragma D option quiet

/* Print the name of every privilege the traced process tests. */
pid$target::priv_ismember:entry
{
	trace(stringof(copyinstr(arg1)));
}
# ./priv.d -p 998
$ fmadm faulty
fmadm: failed to get case list from fmd: operation requires additional privilege
# ./priv.d -p 998
sys_admin
And there's our priv_ismember call, made by fmd on behalf of the door client, checking for the "sys_admin" (PRIV_SYS_ADMIN) privilege.
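A daemon usually tests more than one privilege per request, so knowing only which names were checked is not enough: the one that matters for the sudoers PRIVS= line is the check that fails. The following is an added example, not part of the original post, that extends priv.d to report the result of every priv_ismember call and to summarise the checks when the script is stopped. It assumes, as above, that the daemon calls libc's priv_ismember(); a daemon using a different check would need its own probe. The script name priv2.d is just a label chosen here.

```d
#!/usr/sbin/dtrace -s
#pragma D option quiet

/*
 * Added example (not from the original post): report every privilege
 * check made by the traced daemon together with its outcome.
 * Assumes the daemon tests privileges with libc's priv_ismember().
 */

/* Remember the privilege name being tested on this thread. */
pid$target::priv_ismember:entry
{
	self->priv = copyinstr(arg1);
}

/* On return, arg1 holds the boolean_t result of priv_ismember(). */
pid$target::priv_ismember:return
{
	printf("%-20s %s\n", self->priv, arg1 ? "granted" : "DENIED");
	@checks[self->priv, arg1 ? "granted" : "DENIED"] = count();
	self->priv = 0;
}

/* Summary printed when the script is stopped with Ctrl-C. */
END
{
	printf("\n%-20s %-8s %s\n", "PRIVILEGE", "RESULT", "COUNT");
	printa("%-20s %-8s %@d\n", @checks);
}
```

Run it as root with `./priv2.d -p $(pgrep -x fmd)` and, in another terminal, run `fmadm faulty` as the unprivileged user; a line ending in DENIED names the privilege that the sudoers entry has to grant, and anything reported as granted can stay out of the PRIVS= list.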
Links
- privileges(5)
- apptrace(1)