ufsdump, solaris 9 & RBAC not working correctly

From: Chris Hoogendyk (hoogendyk_at_bio.umass.edu)
Date: 04/28/05

    Date: Thu, 28 Apr 2005 09:55:54 -0400
    To: Sun Managers List <sunmanagers@sunmanagers.org>
    
    

    I've found brief discussions on a couple of lists attributing the error

       Unable to create temporary directory in any of the
       directories listed below:
         /tmp/
         /var/tmp/
         /
       Please correct this problem and rerun the program.

    to a "bug" in ufsdump in Solaris 9. One person said he replaced the
    Solaris 9 ufsdump binary with the Solaris 8 ufsdump binary and it worked
    without the error.

    The error seems to be caused by the creation of a directory with 0
    permissions on /tmp and then an attempt to create a subdirectory under
    that. root can do it, but if you run ufsdump as non-root, it cannot,
    even though ufsdump is suid root.

    In one thread, Casper *** said
       "The only thing ufsdump/ufsrestore use set-uid root for is
        to use rcmd(3) for remote tape style dumping. They
        do not run with euid == 0 when doing anything else."

    I don't really get that. I thought suid was suid.

    Anyway, I've created a role "backup" with the following specs:

       # grep backup /etc/passwd
       backup:x:7000:7000:Tape Backup:/u1/home/.backup:/bin/pfksh

       # grep backup /etc/user_attr
       backup::::type=role;profiles=Dump

       # grep Dump /etc/security/prof_attr
       Dump:::Tape Backup User:

       # grep Dump /etc/security/exec_attr
       Dump:suser:cmd:::/usr/lib/fs/ufs/ufsdump:euid=0;gid=sys
       Dump:suser:cmd:::/usr/lib/fs/ufs/fssnap:euid=0;gid=sys

    If I 'su - backup' and do a ufsdump, I still get the same error
    described above. Presumably, I'm not only running ufsdump as root as per
    the role, but ufsdump is also suid root.

    I know the role is working, because I got a permission denied on the
    fssnap before I had it set up, and now the fssnap works. In both cases,
    I'm using the full path to the binary and not the symlink.

    I really want to use RBAC rather than run this whole thing as root.

    Any ideas?

    ---------------

    Chris Hoogendyk

    -
        O__ ---- Systems Administrator
       c/ /'_ --- Biology Department
      (*) \(*) -- 140 Morrill Science Center
    ~~~~~~~~~~ - University of Massachusetts, Amherst

    <hoogendyk@bio.umass.edu>

    ---------------
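
The behaviour discussed in this message, as an added C example that is not part of the original post and is not ufsdump's source: a process with effective uid 0 can create a subdirectory under a mode-0 directory, but after it drops its effective uid to the real uid with seteuid(getuid()), the same mkdir fails with EACCES. The function names are hypothetical and /tmp is assumed to be writable.

```c
/* Added example, not ufsdump source. Function names are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make <parent>/lockXXXXXX, set it to mode 0, then mkdir a child in it.
 * Returns 0 if the child was created, otherwise the errno from mkdir. */
int mkdir_under_mode0(const char *parent)
{
    char dir[256], sub[300];
    int rc;
    snprintf(dir, sizeof dir, "%s/lockXXXXXX", parent);
    if (mkdtemp(dir) == NULL)
        return errno;
    chmod(dir, 0);                    /* the "0 permissions" directory */
    snprintf(sub, sizeof sub, "%s/sub", dir);
    rc = (mkdir(sub, 0700) == 0) ? 0 : errno;
    if (rc == 0)
        rmdir(sub);
    chmod(dir, 0700);                 /* owner may always chmod; clean up */
    rmdir(dir);
    return rc;
}

/* Give up set-uid privilege for ordinary work: euid becomes the real uid.
 * The saved set-user-ID still holds the old euid for a later seteuid(). */
int drop_to_real_uid(void)
{
    return seteuid(getuid());
}

int main(void)
{
    int rc = mkdir_under_mode0("/tmp");
    printf("ruid=%ld euid=%ld: %s\n", (long)getuid(), (long)geteuid(),
           rc ? strerror(rc) : "ok");
    if (drop_to_real_uid() != 0)
        return 1;
    rc = mkdir_under_mode0("/tmp");
    printf("ruid=%ld euid=%ld: %s\n", (long)getuid(), (long)geteuid(),
           rc ? strerror(rc) : "ok");
    return 0;
}
```

Run by a non-root user, both attempts report "Permission denied". Installed set-uid root, or started with only euid=0 as in the exec_attr entries above, the first attempt succeeds and the second fails, because the real uid is still the caller's.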