I'm trying to use amanda to back up a couple of dev servers that are in an isolated dev LAN. Found an unloved U10 with a DDS-3 drive gathering dust, so I built a Sol 10 (06/06) system on it, amanda etc. The servers to be backed up are also running Sol 10 (06/06).

I configured amanda on server and clients, and then ran "amcheck -cl config client_host" to test it. I get an error

    Amanda Backup Client Hosts Check
    --------------------------------
    ERROR: jocelyn: [could not access /dev/rdsk/c1t0d0s5 (/var): Permission denied]
    ...etc..
    Client check: 1 host checked in 0.158 seconds, 3 problems found

When I look on the client, the dir perms look correct, and I have no problems accessing those dirs when I sudo to the Amanda user ("dump"). It turned out to be an RBACs issue:

    Jul 27 13:50:19 jocelyn genunix: [ID 702911 kern.notice] selfcheck[7672]: missing privilege "file_dac_read" (euid = 15, syscall = 33) needed at devfs_access+0x84

[uid 15 = dump, the Amanda user]

How do I add this privilege to an inet-managed daemon? For other SMF services I can modify the start/privileges property, but this doesn't work for inet-managed daemons (nor does adding a prop inetd_start/privileges).

Any ideas?

--
Sak Wathanasin
Network Analysis Limited
http://www.network-analysis.ltd.uk

Sak Wathanasin wrote:
> I'm trying to use amanda to back up a couple of dev servers that are in
> an isolated dev LAN. Found an unloved U10 with a DDS-3 drive gathering
> dust, so I built a Sol 10 (06/06) system on it, amanda etc. The servers
> to be backed up are also running Sol 10 (06/06).
>
> I configured amanda on server and clients, and then ran "amcheck -cl
> config client_host" to test it. I get an error
>
> Amanda Backup Client Hosts Check
> --------------------------------
> ERROR: jocelyn: [could not access /dev/rdsk/c1t0d0s5 (/var): Permission
> denied]
> ...etc..
> Client check: 1 host checked in 0.158 seconds, 3 problems found
>
> When I look on the client, the dir perms look correct, and I have no
> problems accessing those dirs when I sudo to the Amanda user ("dump").
> It turned out to be an RBACs issue:
>
> Jul 27 13:50:19 jocelyn genunix: [ID 702911 kern.notice]
> selfcheck[7672]: missing privilege "file_dac_read" (euid = 15, syscall =
> 33) needed at devfs_access+0x84
>
> [uid 15 = dump, the Amanda user]
>
> How do I add this privilege to an inet-managed daemon? For other SMF
> services I can modify the start/privileges property, but this doesn't
> work for inet-managed daemons (nor does adding a prop
> inetd_start/privileges).
>
> Any ideas?

In the method_context element, you can set privileges as attributes of the method_credential. In the manifest, it would be something like:

    <exec_method type='method' name='inetd_start'
        exec='whatever the amanda executable is'
        timeout_seconds='10'>
        <method_context>
            <method_credential privileges='file_dac_read' />
        </method_context>
    </exec_method>

You can also use an RBAC profile in the method_context, see smf_method(5).

Hopefully this gets you on the track...

Dave
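
Added example, not part of the thread: a small Python helper that reads privilege-debugging messages in the format quoted in the question and collects the distinct missing privileges per program, producing a value for the privileges attribute of method_credential. Only the first sample log line comes from the post; the others are constructed, the function names are this example's own, and prepending the "basic" set is an assumption.

```python
import re
from collections import defaultdict

# Shape of the "missing privilege" kernel message quoted in the question.
MISSING_RE = re.compile(
    r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>\w+)" '
    r'\(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\) needed at (?P<where>\S+)')

def parse_missing(lines):
    """Yield a dict per missing-privilege message; unrelated lines are skipped."""
    for line in lines:
        m = MISSING_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("pid", "euid", "syscall"):
                ev[key] = int(ev[key])
            yield ev

def privileges_needed(lines):
    """Map (program, euid) to the sorted distinct privileges it was denied."""
    needed = defaultdict(set)
    for ev in parse_missing(lines):
        needed[(ev["proc"], ev["euid"])].add(ev["priv"])
    return {key: sorted(privs) for key, privs in needed.items()}

def privileges_attr(missing, base=("basic",)):
    """Comma-separated value for the privileges attribute of method_credential.
    Assumption: the default "basic" set is kept; base=() lists only the missing ones."""
    out = list(base)
    out.extend(p for p in missing if p not in out)
    return ",".join(out)

# First line is from the post; the rest are constructed for this example.
SAMPLE_LOG = [
    'Jul 27 13:50:19 jocelyn genunix: [ID 702911 kern.notice] selfcheck[7672]: '
    'missing privilege "file_dac_read" (euid = 15, syscall = 33) needed at devfs_access+0x84',
    'Jul 27 13:50:19 jocelyn genunix: [ID 702911 kern.notice] selfcheck[7672]: '
    'missing privilege "file_dac_search" (euid = 15, syscall = 5) needed at ufs_iaccess+0x110',
    'Jul 27 13:50:41 jocelyn genunix: [ID 702911 kern.notice] selfcheck[7690]: '
    'missing privilege "file_dac_read" (euid = 15, syscall = 33) needed at devfs_access+0x84',
    'Jul 27 13:51:07 jocelyn genunix: [ID 702911 kern.notice] sendsize[7701]: '
    'missing privilege "file_dac_read" (euid = 15, syscall = 33) needed at devfs_access+0x84',
    'Jul 27 13:51:30 jocelyn sshd[801]: [ID 800047 auth.info] Accepted publickey for sak',
]

if __name__ == "__main__":
    for (proc, euid), privs in sorted(privileges_needed(SAMPLE_LOG).items()):
        print(f"{proc} (euid {euid}): privileges='{privileges_attr(privs)}'")
```

Running the client check repeatedly and feeding the resulting messages through this keeps the grant limited to privileges the daemon was actually denied.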