Last week I got an issue where the application team raised a concern that the "ps" command output was truncated at 80 characters. They were trying to write a script that finds a particular process based on a keyword, but because of the truncated "ps" output they couldn't search for the keyword, so they asked us (Unix team) to check it. At first I thought we could fix it easily, but when I dug into it I found some more details and hurdles. Finally I found a solution and recommended it to them. I want to share those details in this post.
- /usr/bin/ps: the default ps, with SVR4 (System V Release 4) options
- /usr/ucb/ps: BSD-style options (ucb means University of California, Berkeley)
root@unixrock# ls -li /usr/bin/ps /usr/ucb/ps
834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/bin/ps
834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
root@unixrock#
root@unixrock# ldd /usr/bin/ps /usr/ucb/ps
/usr/bin/ps:
libc.so.1 => /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
/usr/ucb/ps:
libc.so.1 => /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
root@unixrock#
"psadmin" is the application user who needs the full process output from the "ps" command but can see only the first 80 characters. They also tried "/usr/ucb/ps auxwww", but got the same output. In the output below, the "psadmin" user can see only the first 80 characters of PID 944.
psadmin@unixrock$ uname -a
SunOS unixrock 5.10 Generic_142910-17 i86pc i386 i86pc
psadmin@unixrock$
psadmin@unixrock$ id
uid=100(psadmin) gid=1(other)
psadmin@unixrock$
psadmin@unixrock$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:28 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
psadmin@unixrock$
When we checked as the root user, it worked fine as expected, but a normal user account couldn't do the same.
root@unixrock#
root@unixrock# /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.0 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
root@unixrock#
root@unixrock#
root@unixrock# ps -ef|grep -i 944|grep -v grep
noaccess 944 1 0 02:11:23 ? 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
root@unixrock#
We tried setting the setuid bit (chmod u+s /usr/ucb/ps) on the executable "/usr/ucb/ps"; it works fine even when executed by a normal user, but it affects other applications that use the same executable (note from the ls -li output above that /usr/bin/ps and /usr/ucb/ps share inode 834, so the bit would apply to both). Our requirement had to be achieved without changing the current permissions. We tried sudo and ACL privileges too, but with no use: the same conditions remained.
root@unixrock# ls -ltr /usr/ucb/ps
-r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
root@unixrock#
root@unixrock# getfacl /usr/ucb/ps
# file: /usr/ucb/ps
# owner: root
# group: bin
user::r-x
group::r-x #effective:r-x
mask:r-x
other:r-x
root@unixrock#
When I dug more, I found the path through RBAC (Role-Based Access Control). Here are the steps to achieve our requirement. Our change plan: Create profile --> Privilege to profile --> Create role --> Role to profile --> Role to user.
Create the profile by appending the line below to /etc/security/prof_attr (Ctrl+D saves the changes).
root@unixrock# cp -p /etc/security/prof_attr /etc/security/prof_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/prof_attr
psquery:::Processes Query as Root:
root@unixrock#
Add the privilege to the profile by appending the line below to /etc/security/exec_attr (Ctrl+D saves the changes).
root@unixrock# cp -p /etc/security/exec_attr /etc/security/exec_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/exec_attr
psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
root@unixrock#
Creating Role
root@unixrock# roleadd -d /export/home/Rpsadmin -m Rpsadmin
root@unixrock# passwd Rpsadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for Rpsadmin
root@unixrock#
Role to profile
root@unixrock# rolemod -P "psquery" Rpsadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
root@unixrock#
Role to user
root@unixrock# usermod -R Rpsadmin psadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
root@unixrock#
Checking the status:
root@unixrock# su - psadmin
Oracle Corporation SunOS 5.10 Generic Patch January 2005
$
$ id
uid=100(psadmin) gid=1(other)
$ su - Rpsadmin
Password:
$
$ id
uid=101(Rpsadmin) gid=1(other)
$
$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.4 7.7133876119764 ? S 02:11:22 3:32 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.2 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
$
Cool! We are done with RBAC.
I hope this post helps you. Please share your valuable comments or queries and like the page.
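As an added example (not part of the original post, and not Solaris' own tooling), here is a small Python audit script that resolves the RBAC chain built above, user_attr roles -> profiles -> exec_attr commands, and reports which entries run with uid=0. The sample file contents are constructed from the entries shown in this post; the parsers assume the standard colon-separated field layouts of user_attr (user:qualifier:res1:res2:attr) and exec_attr (name:policy:type:res1:res2:id:attr).

```python
# Constructed sample contents, copied from the entries shown in the post.
USER_ATTR = """\
Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
"""
EXEC_ATTR = """\
psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
"""

def parse_attrs(field):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    return dict(item.split("=", 1) for item in field.split(";") if "=" in item)

def parse_colon_file(text):
    """Yield the colon-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def commands_for_user(user, user_attr=USER_ATTR, exec_attr=EXEC_ATTR):
    """(via, profile, cmd, attrs) for every exec_attr entry reachable by user."""
    # user_attr: user:qualifier:res1:res2:attr
    users = {f[0]: parse_attrs(f[4]) for f in parse_colon_file(user_attr)}
    # exec_attr: name:policy:type:res1:res2:id:attr
    execs = {}
    for f in parse_colon_file(exec_attr):
        execs.setdefault(f[0], []).append((f[5], parse_attrs(f[6])))
    found, seen = [], set()
    def walk(name, via):
        if name in seen:          # guard against cyclic role assignments
            return
        seen.add(name)
        attrs = users.get(name, {})
        for prof in filter(None, attrs.get("profiles", "").split(",")):
            for cmd, cattrs in execs.get(prof, []):
                found.append((via, prof, cmd, cattrs))
        for role in filter(None, attrs.get("roles", "").split(",")):
            walk(role, role)
    walk(user, user)
    return found

def root_commands(user, user_attr=USER_ATTR, exec_attr=EXEC_ATTR):
    """The escalation surface: entries that run with uid=0 or euid=0."""
    return [c for c in commands_for_user(user, user_attr, exec_attr)
            if c[3].get("uid") == "0" or c[3].get("euid") == "0"]

if __name__ == "__main__":
    for via, prof, cmd, attrs in commands_for_user("psadmin"):
        print(f"{via:9} {prof:8} {cmd:12} {attrs}")
```

Running it for psadmin shows that the only elevated command reachable is /usr/ucb/ps through role Rpsadmin, with uid=0 and euid=0, which is exactly the surface this change added and worth recording in the change ticket.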