[OpenIndiana-discuss] Bugs 4043 and 4067
Gary Mills
gary_mills at fastmail.fm
Mon Jan 27 19:30:07 UTC 2014
On Mon, Jan 27, 2014 at 05:23:23PM +0100, Udo Grabowski (IMK) wrote:
> On 27/01/2014 15:22, Stephen S. Jones wrote:
> >OpenIndiana Community (OpenHoosiers?),
> >
> >Bugs #4043 and #4067 recently were classified as complete and were
> >closed. From my perspective and through the most current updates,
> >neither issue is resolved.
>
> I'm writing this mail on an oi151a9 Desktop (completely unprivileged)
> and can unmount my devices (I couldn't on a8).

I'm still seeing the problem under oi_151a9. My profiles are:
$ profiles
Primary Administrator
Console User
Suspend To RAM
Suspend To Disk
Brightness
CPU Power Management
Network Autoconf User
Desktop Print Management
Basic Solaris User
All

> Check your /etc/security/exec_attr, the basic solaris user should have:
>
> Basic Solaris User:solaris:cmd:::/usr/bin/cdda2wav.bin:privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
> Basic Solaris User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
> Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
> Basic Solaris User:suser:cmd:::/usr/lib/ospm/lp-queue-helper:replaced by Desktop Print Management

Mine are the same. I notice that there is nothing for `Console User',
though. Is yours the same?

> /etc/security/policy.conf should have:
>
> AUTHS_GRANTED=solaris.device.cdrw
> PROFS_GRANTED=Basic Solaris User
> CONSOLE_USER=Console User

Mine are the same as this.

> and /etc/logindevperm should read:
>
> /dev/vt/console_user 0600 /dev/mouse:/dev/kbd
> /dev/vt/console_user 0600 /dev/mouse:/dev/kbd
> /dev/vt/console_user 0600 /dev/sound/* # audio devices
> /dev/vt/console_user 0600 /dev/fbs/* # frame buffers
> /dev/vt/console_user 0600 /dev/dri/* # dri devices
> /dev/vt/console_user 0400 /dev/removable-media/dsk/* # removable media
> /dev/vt/console_user 0400 /dev/removable-media/rdsk/* # removable media
> /dev/vt/console_user 0400 /dev/hotpluggable/dsk/* # hotpluggable storage
> /dev/vt/console_user 0400 /dev/hotpluggable/rdsk/* # hotpluggable storage
> /dev/vt/console_user 0600 /dev/video[0-9]+ # video devices
> /dev/vt/console_user 0600 /dev/usb/hid[0-9]+ # hid devices should have the same permission with conskbd and consms
> /dev/vt/console_user 0600 /dev/usb/[0-9a-f]+[.][0-9a-f]+/[0-9]+/* driver=scsa2usb,usb_mid,usbprn,ugen #libusb/ugen devices
> /dev/vt/console_user 0620 /dev/console # workaround for defect.opensolaris.org 12133

Mine is the same except that the last line was missing. I added it,
logged out and in again, and still was unable to unmount a DVD from
the desktop GUI. Bug 12133 seems not to apply. What else should I
check?

Are the RBAC files even being used for a desktop session? When I look
at the processes with `ppriv', I don't see any extra privileges.

These messages from privilege debugging seem relevant:

Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: umount[3381]: missing privilege "sys_mount" (euid = 107, syscall = 255) needed at secpolicy_fs_owner+0x3b
Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: umount[3381]: missing privilege "ALL" (euid = 107, syscall = 255) needed at secpolicy_vnode_owner+0x33
Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: metacity[3300]: missing privilege "proc_owner" (euid = 107, syscall = 5) needed at secpolicy_proc_access+0x24
--
-Gary Mills- -refurb- -Winnipeg, Manitoba, Canada-
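
Added example, not part of the original message: a small Python parser for the kernel privilege-debugging notices quoted above, grouping the missing privileges by process so it is clear which privilege each command lacked and at which kernel policy check. The function names `parse_notices` and `missing_by_process` are this example's own; the sample input is the three log lines from the message.

```python
import re
from collections import defaultdict

# The three privilege-debugging lines quoted in the message above.
SAMPLE_LOG = """\
Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: umount[3381]: missing privilege "sys_mount" (euid = 107, syscall = 255) needed at secpolicy_fs_owner+0x3b
Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: umount[3381]: missing privilege "ALL" (euid = 107, syscall = 255) needed at secpolicy_vnode_owner+0x33
Jan 27 11:06:01 amd genunix: [ID 864859 kern.notice] NOTICE: metacity[3300]: missing privilege "proc_owner" (euid = 107, syscall = 5) needed at secpolicy_proc_access+0x24
"""

# Matches the notice format shown in the message; anything else is ignored.
NOTICE_RE = re.compile(
    r'NOTICE: (?P<cmd>[^\[\s]+)\[(?P<pid>\d+)\]: missing privilege '
    r'"(?P<priv>[^"]+)" \(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\) '
    r'needed at (?P<func>[^+\s]+)\+0x(?P<off>[0-9a-f]+)'
)

def parse_notices(text):
    """Return one dict per 'missing privilege' notice; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = NOTICE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("pid", "euid", "syscall"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def missing_by_process(records):
    """Map (command, pid, euid) -> ordered, de-duplicated (privilege, kernel check)."""
    grouped = defaultdict(list)
    for r in records:
        item = (r["priv"], r["func"])
        key = (r["cmd"], r["pid"], r["euid"])
        if item not in grouped[key]:
            grouped[key].append(item)
    return dict(grouped)

if __name__ == "__main__":
    summary = missing_by_process(parse_notices(SAMPLE_LOG))
    for (cmd, pid, euid), items in summary.items():
        privs = ", ".join(f"{p} (at {f})" for p, f in items)
        print(f"{cmd}[{pid}] euid={euid}: {privs}")
```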