[OpenIndiana-discuss] Bugs 4043 and 4067

Udo Grabowski (IMK) udo.grabowski at kit.edu
Mon Jan 27 16:23:23 UTC 2014 

On 27/01/2014 15:22, Stephen S. Jones wrote:
> OpenIndiana Community (OpenHoosiers?),
> Bugs #4043 and #4067 recently were classified as complete and were closed.  From my perspective and through the most current updates, neither issue is resolved.
>
> My production hardware was running 151a7 and was updated last August to 151a8 until bugs 4042 and 4067 manifested themselves.  I backed out to a Boot Environment (BE) of 151a8 which did not manifest the bugs.  Since I cannot trust my productive hardware on unreliable updates, I have been testing updates on a VMWare virtual machine (vm).  This vm was installed using oi-dev-151a8-live-x86.iso on about 20 December and updated using # pkg update -v.
>
> Still, as in late last August, USB drives can be mounted but not unmounted as me, the only user, logged-in in gnome.  As root with su in the command-line, I can # umount /media/the-USB-drive.  Likewise, no trash can appears on the bottom gnome panel on the Desktop.  Neither "Trash" nor "Computer" can be accessed by their buttons under Places in a File Browser.  Also, "Computer" cannot be accessed by its icon in the Main Toolbar of a File Browser.  Other manifestations of the bugs exist including the ability to use alacarte to create and to edit gui launchers.
>
> As Predrag (wiki.oi on 25 Nov 2013), I am starting to believe that the errors are being caused by authorizations and privileges of the RBAC system.  As Milan suggested to Gary in comments at the bottom of bug 4067, I checked my RBAC profiles.  Issuing “profiles” reported that I do have “Console User” as well as “Suspend to RAM”, “Suspend to Disk” “Brightness”, “CPU Power Management”, “Network Autoconf User”, “Basic Solaris User”, and “All”.  Experimenting, I also assigned to myself the profiles of “Desktop Removable Media User”, “Primary Administrator”, and “Software Installation”.  The additional profiles had no effect.  Issuing “roles” indicates that I have the role of “root”.
>
> I had been a Solaris user and system administrator from Solaris 2.5.1 through Solaris 10.  I have been using OpenIndiana since 151a5.  Unbeknownst to me at the time, RBAC became a regular part of Solaris with version 10.  Here with OI 151a9, I am ill prepared to troubleshoot the effects of RBAC on various programs and operations.  I hope that one of us OpenHoosiers with experience in RBAC can pursue bugs 4043 and 4067 again with the hypothesis that RBAC is the cause and solution.
>
> Thanks


I'm writing this mail on a oi151a9 Desktop (completely unprivileged)
and can unmount my devices (I couldn't on a8).
Check your /etc/security/exec_attr, the basic solaris user should have:

Basic Solaris 
User:solaris:cmd:::/usr/bin/cdda2wav.bin:privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
Basic Solaris 
User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
Basic Solaris 
User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
Basic Solaris User:suser:cmd:::/usr/lib/ospm/lp-queue-helper:replaced by Desktop 
Print Management

/etc/security/policy.conf should have:

AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User

and /etc/logindevperm should read:

/dev/vt/console_user	0600	/dev/mouse:/dev/kbd
/dev/vt/console_user	0600	/dev/mouse:/dev/kbd
/dev/vt/console_user	0600	/dev/sound/*		# audio devices
/dev/vt/console_user	0600	/dev/fbs/*		# frame buffers
/dev/vt/console_user	0600	/dev/dri/*		# dri devices
/dev/vt/console_user	0400	/dev/removable-media/dsk/*	# removable media
/dev/vt/console_user	0400	/dev/removable-media/rdsk/*	# removable media
/dev/vt/console_user	0400	/dev/hotpluggable/dsk/*		# hotpluggable storage
/dev/vt/console_user	0400	/dev/hotpluggable/rdsk/*	# hotpluggable storage
/dev/vt/console_user	0600	/dev/video[0-9]+	# video devices
/dev/vt/console_user	0600	/dev/usb/hid[0-9]+	# hid devices should have the same 
permission with conskbd a
nd consms
/dev/vt/console_user	0600	/dev/usb/[0-9a-f]+[.][0-9a-f]+/[0-9]+/* 
driver=scsa2usb,usb_mid,usbprn,ugen	#lib
usb/ugen devices
/dev/vt/console_user    0620    /dev/console            # workaround for 
defect.opensolaris.org 12133

-- 
Dr.Udo Grabowski    Inst.f.Meteorology a.Climate Research IMK-ASF-SAT
www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology            http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany  T:(+49)721 608-26026 F:-926026

More information about the OpenIndiana-discuss mailing list