Now try to debug the process using the tusc
# tusc 5926
tusc: ttrace(TT_PROC_ATTACH, 5926, 0, 0, dad0001, 0): Permission denied
tusc: no process to attach to
#
Since the privileges of debugger process (TUSC here) is lower than the test process, user gets permission denied error.
Solution using RBAC
Using RBAC is a generic solution which customer can use to any debugger tool.
User has to follow the following steps
1.Adding a new debug role in the RBAC roles database
#roleadm add debug roleadm: added role debug
2.Assign new authorization to the above debug role in order to add the entry to cmd_priv database
#authadm assign debug hpux.security.access.privrun.*
authadm added 1 auth for role debug
#
3.Assign debug role to user from which the user wants to debug
# roleadm assign privdbg debug
roleadm assign done in /etc/rbac/user_role
#
4.Login into the user account (privdbg)
#telnet <hostname>
5.After login add debugger tool binary (For Ex. tusc binary) to cmd_priv database with required privileges (above getprocxsec command output gives the required privileges list)
#/usr/sbin/cmdprivadm add cmd=/usr/local/bin/tusc \ op=hpux.security.acess.*,* object='*' \
ruid=0 euid=0
cmdprivadm added the entry to /etc/rbac/cmd_priv #
6.Check if the user has privilege shell if not we request user to update the shell using usermod command,
#echo $SHELL /usr/bin/privksh
#
7.Now again start the user process
# ./test &
[1]13646
#
8.Attach the PID of the running process to the debugger tool (For Ex. tusc here)
# tusc 13646
( Attached to process 13646 ("./test")
Solution using RBAC | 7 |
