[OpenIndiana-discuss] JDS: USB automount problem
Predrag Zecevic [Unix Systems Administrator]
predrag.zecevic at 2e-systems.com
Wed Dec 4 09:58:15 UTC 2013
Hi,
It looks like this is a good direction (at least for services).
BUT, where to change it for my account? My uid/gid are 1961/1961, I have
moved to rsyslog (to have proper date time entries), so:
$ grep -E "2013-12-04.*missing privilege.*euid.*1961" /var/adm/messages
| awk '{print $9}' | sort | uniq -c | sort -rn
7880 VBoxSVC[1959]:
2154 gnome-keyring-da[1860]:
92 pipes[20299]:
79 smplayer[2775]:
27 glslideshow[20233]:
27 drempels[18653]:
26 starwars[19386]:
26 plasma[20162]:
26 lavalite[19988]:
26 cubenetic[20089]:
26 carousel[19011]:
25 matrixview[19744]:
25 busyspheres[20208]:
24 timetunnel[18652]:
24 polyhedra[19732]:
24 klein[20374]:
24 hufo_smoke[20211]:
24 flux[20210]:
24 feedback[20300]:
24 bubble3d[18985]:
23 thunderbird[20380]:
23 surfaces[20091]:
23 surfaces[19683]:
23 rubikblocks[19174]:
23 rubikblocks[19106]:
23 jigglypuff[20140]:
23 jigglypuff[20092]:
23 hufo_tunnel[19153]:
23 hufo_tunnel[18683]:
23 glsnake[19273]:
23 glhanoi[20298]:
23 gflux[20323]:
23 flurry[19766]:
23 firefox[22420]:
23 firefox[22379]:
23 firefox[21735]:
23 firefox[20381]:
23 cyclone[20090]:
23 cubestorm[19707]:
23 cubestorm[18871]:
23 cubestorm[18706]:
23 boxed[19966]:
23 boing[19010]:
23 blinkbox[20014]:
23 atunnel[19175]:
20 screen[1991]:
12 pm-checkforupdat[19177]:
12 pkg[19872]:
12 pkg[19773]:
8 zpool[20571]:
8 dbus-daemon[1833]:
4 thunderbird[20377]:
4 firefox[20379]:
1 locate[21857]:
So, any idea if I should try to fix those? If yes, what would be the proper
approach?
Thank you. Regards.
On 11/29/13 16:33, Predrag Zecevic [Unix Systems Administrator] wrote:
> Hi Jim,
>
> I have added 'Solarix' as profile to my user record in /etc/user_attr
> file...
>
> Your idea looks OK:
>
> $ pfexec svcprop -p start/privileges hal
> svcprop: Couldn't find property `start/privileges' for instance
> `svc:/system/hal:default'.
>
> Let me try:
> $ pfexec svccfg -s hal setprop start/privileges = astring: basic,sys_mount
> $ pfexec svcadm refresh hal
> $ pfexec svcadm restart hal
>
> $ pfexec svcprop -p start/privileges hal
> basic,sys_mount
>
>
> But, after USB has been inserted:
> ---8<------</var/adm/messages>---
> Nov 29 16:23:20 solarix usba: [ID 912658 kern.info] USB 2.0 device
> (usb1307,165) operating at hi speed (USB 2.x) on USB 2.0 root hub:
> storage@4, scsa2usb0 at bus address 2
> Nov 29 16:23:20 solarix usba: [ID 349649 kern.info] USBest
> Technology Mass Storage Device 000000000003EA
> Nov 29 16:23:20 solarix genunix: [ID 936769 kern.info] scsa2usb0 is
> /pci@0,0/pci1028,23d@1d,7/storage@4
> Nov 29 16:23:20 solarix genunix: [ID 408114 kern.info]
> /pci@0,0/pci1028,23d@1d,7/storage@4 (scsa2usb0) online
> Nov 29 16:23:20 solarix scsi: [ID 583861 kern.info] sd0 at scsa2usb0:
> target 0 lun 0
> Nov 29 16:23:20 solarix genunix: [ID 936769 kern.info] sd0 is
> /pci@0,0/pci1028,23d@1d,7/storage@4/disk@0,0
> Nov 29 16:23:20 solarix genunix: [ID 408114 kern.info]
> /pci@0,0/pci1028,23d@1d,7/storage@4/disk@0,0 (sd0) online
> Nov 29 16:23:20 solarix unix: [ID 954099 kern.info] NOTICE: IRQ19 is
> being shared by drivers with different interrupt levels.
> Nov 29 16:23:20 solarix This may result in reduced system performance.
> Nov 29 16:23:20 solarix unix: [ID 954099 kern.info] NOTICE: IRQ19 is
> being shared by drivers with different interrupt levels.
> Nov 29 16:23:20 solarix This may result in reduced system performance.
> Nov 29 16:23:48 solarix last message repeated 5 times
> Nov 29 16:23:52 solarix genunix: [ID 864859 kern.notice] NOTICE:
> dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall
> = 186) needed at secpolicy_audit_getattr+0x4c
> Nov 29 16:23:53 solarix last message repeated 2 times
> Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE:
> dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall
> = 186) needed at secpolicy_audit_getattr+0x4c
> Nov 29 16:23:53 solarix last message repeated 2 times
> Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE:
> gvfsd-computer[2719]: missing privilege "proc_audit" (euid = 1961,
> syscall = 186) needed at secpolicy_audit_getattr+0x4c
> ---8<---
>
> I have another set of missing privileges and programs.
> It looks to me, this approach will lead to a solution...
>
> Now:
> $ pfexec svcs -p svc:/system/dbus:default
> STATE STIME FMRI
> online 13:01:32 svc:/system/dbus:default
> 13:01:32 290 dbus-daemon
>
> ### This ALSO needs some start/privileges?
>
> $ pfexec svcprop -p start/privileges svc:/system/dbus:default
> svcprop: Couldn't find property `start/privileges' for instance
> `svc:/system/dbus:default'.
>
> And for gvfsd-computer I am not sure what to do:
> $ pkg search gvfsd-computer
> INDEX ACTION VALUE PACKAGE
> basename file usr/lib/gvfsd-computer
> pkg:/library/gnome/gvfs@0.5.11-0.151.1.8
>
> It could be that gdm is starting it?
> $ pfexec svcs -p gdm
> STATE STIME FMRI
> online 13:02:06 svc:/application/graphical-login/gdm:default
> 13:02:06 1540 gdm-binary
>
> $ svcprop -p start/privileges gdm
> svcprop: Couldn't find property `start/privileges' for instance
> `svc:/application/graphical-login/gdm:default'.
>
> So, may I AT ALL use similar logic here?
>
> Regards.
>
>
> On 11/29/13 16:14, Jim Klimov wrote:
>> See below
>>
>> On 2013-11-29 15:46, Predrag Zecevic [Unix Systems Administrator] wrote:
>>> Hi,
>>>
>>> I cannot mount USB devices anymore in my /hipster installation (I mean
>>> automatically mount within JDS/GNOME).
>> > ...
>>> Nov 29 15:04:00 solarix genunix: [ID 864859 kern.notice] NOTICE:
>>> hald-addon-stora[2482]: missing privilege "sys_mount" (euid = 0, syscall
>>> = 255) needed at secpolicy_fs_owner+0x2e
>>>
>>> It looks like hald-addon-storage has some privilege problems, so I have
>>> added it (Profile is called 'Solarix' and I am trying to get collected
>>> there all missing privileges - plenty of them). But for now, I would
>>> like to focus on this one:
>>> /etc/security/exec_attr:Solarix:solaris:cmd:::/usr/lib/hal/hald-addon-storage:privs=sys_mount
>>>
>>>
>>>
>>>
>>> What else do I have to check/change - what am I missing?
>>
>> How do you then reference the "Solarix" profile?
>>
>> I'd say that you need to look into the "hal" service definition:
>> root@openindiana:~# ps -ef | grep hal
>> root 359 297 0 Nov 27 ? 0:12
>> /usr/lib/hal/hald-addon-acpi
>> root 397 297 0 Nov 27 ? 0:00
>> /usr/lib/hal/hald-addon-storage
>> root 297 290 0 Nov 27 ? 0:00 hald-runner
>> root 344 297 0 Nov 27 ? 0:00
>> /usr/lib/hal/hald-addon-network-discovery
>> root 346 297 0 Nov 27 ? 0:00
>> /usr/lib/hal/hald-addon-cpufreq
>> root 290 1 0 Nov 27 ? 0:08 /usr/lib/hal/hald
>> --daemon=yes
>>
>> root@openindiana:~# svcs -p hal
>> STATE STIME FMRI
>> online Nov_27 svc:/system/hal:default
>> Nov_27 290 hald
>> Nov_27 297 hald-runner
>> Nov_27 344 hald-addon-netw
>> Nov_27 346 hald-addon-cpuf
>> Nov_27 359 hald-addon-acpi
>> Nov_27 397 hald-addon-stor
>>
>> Here we see that hald-addon-storage is spawned by hald-runner by hald,
>> and they all are part of the "hal" SMF service. You might need to add
>> the privileges involved to the startup method as part of its context,
>> i.e.
>>
>> svccfg -s hal setprop start/privileges = astring: basic,sys_mount
>> svcadm refresh hal
>> svcadm restart hal
>>
>> Would this help?
>> HTH,
>> //Jim
>>
>
--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic at 2e-systems.com
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
[***]===---
hard, adj.: The quality of your own data; also how it is to believe
those of other people.
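
Added example, not part of the original message or of any OpenIndiana tool: the grep/awk pipeline above counts per PID and drops the privilege name, so this sketch aggregates the same "missing privilege" notices by program, privilege and euid, and then lists the privileges each program lacked. The function names and the sample log lines are constructed for illustration (the lines are modelled on those quoted in the thread).

```shell
#!/bin/sh
# Added example: aggregate "missing privilege" kernel notices by program
# name (PID stripped), privilege and euid. Reads syslog lines on stdin.
summarize_missing_privs() {
    awk '
    /missing privilege "/ {
        # "name[pid]: missing privilege" marks the offending process;
        # long names appear truncated in the log (e.g. hald-addon-stora)
        if (!match($0, /[^ ]+\[[0-9]+\]: missing privilege "/)) next
        prog = substr($0, RSTART, RLENGTH)
        rest = substr($0, RSTART + RLENGTH)   # starts at the privilege name
        sub(/\[[0-9]+\]: missing privilege "$/, "", prog)
        priv = rest; sub(/".*$/, "", priv)
        if (!match(rest, /euid = [0-9]+/)) next
        euid = substr(rest, RSTART + 7, RLENGTH - 7)
        count[prog " " priv " " euid]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# One line per program/euid with the comma-separated privileges it lacked,
# in the same shape as a privs= or start/privileges value.
privs_per_program() {
    summarize_missing_privs | LC_ALL=C sort -k2,2 -k4,4n -k3,3 |
    awk '{ key = $2 " euid=" $4
           if (key in set) set[key] = set[key] "," $3
           else { order[++n] = key; set[key] = $3 } }
         END { for (i = 1; i <= n; i++) print order[i], "privs=" set[order[i]] }'
}

# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_LOG='Nov 29 16:23:52 solarix genunix: [ID 864859 kern.notice] NOTICE: dbus-daemon[1923]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix last message repeated 2 times
Nov 29 16:24:10 solarix genunix: [ID 864859 kern.notice] NOTICE: dbus-daemon[1833]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 16:23:53 solarix genunix: [ID 864859 kern.notice] NOTICE: gvfsd-computer[2719]: missing privilege "proc_audit" (euid = 1961, syscall = 186) needed at secpolicy_audit_getattr+0x4c
Nov 29 15:04:00 solarix genunix: [ID 864859 kern.notice] NOTICE: hald-addon-stora[2482]: missing privilege "sys_mount" (euid = 0, syscall = 255) needed at secpolicy_fs_owner+0x2e
Nov 29 15:04:01 solarix genunix: [ID 864859 kern.notice] NOTICE: hald-addon-stora[2482]: missing privilege "proc_audit" (euid = 0, syscall = 186) needed at secpolicy_audit_getattr+0x4c'

printf '%s\n' "$SAMPLE_LOG" | summarize_missing_privs
printf '%s\n' "$SAMPLE_LOG" | privs_per_program
```

Against a real log, feed it with `summarize_missing_privs < /var/adm/messages`. "last message repeated N times" lines are not attributed to a program, so the counts are lower bounds.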