List:       bugtraq
Subject:    Solaris 2.5* ACLs and /dev/kmem access
From:       Vic Abell <abe () vic ! cc ! purdue ! edu>
Date:       1996-08-28 12:44:06

ACLs seem a better method for empowering specific programs to read
the memory devices (/dev/drum, /dev/kmem, /dev/mem, /dev/swap, etc.)
than does group assignment to those devices.  That's particularly
true when the group that owns the memory devices has other powers
like ownership of directories and files.  Both AIX and Solaris
share this latter, questionable trait.

Under AIX 4.1.4 it's possible to create a new group -- the familiar
kmem to some of us -- that is the setgid() destination for programs
permitted to use the memory devices.  The ACLs for the memory
devices can then be modified to permit members of the kmem group
to read them.

Doing that under Solaris 2.5 or 2.5.1 doesn't seem to be possible.
The setfacl program reports:

        # setfacl -m u:<login>:r-- /dev/kmem
        /dev/kmem: failed to set acl entries
        setacl error: Operation not applicable
    or
        # ls -l /dev/kmem
        lrwxrwxrwx 1 root root ... /dev/kmem -> ../devices/pseudo/mm@0:kmem
        # setfacl -m u:<login>:r-- /devices/pseudo/mm@0:kmem
        /devices/pseudo/mm@0:kmem: failed to set acl entries
        setacl error: Operation not applicable

(I've tried this on Solaris 2.5 and 2.5.1.)  Is there a good reason
Solaris 2.5* doesn't support setacl operation on memory devices?  Or
am I doing something wrong?

Vic Abell <abe@purdue.edu>
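
The setgid arrangement described in the message, seen from the program's side, as an added example that is not part of the original post: a reader installed setgid to a dedicated group opens the memory device once and then gives the group up for good, so the rest of the program runs without it. The helper name and the default path in main() are assumptions chosen for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the post): open a memory device read-only
 * with the setgid group, then permanently drop that group.
 * Returns an open descriptor, or -1 on any failure. */
int open_device_then_drop_gid(const char *path)
{
    gid_t real = getgid();
    gid_t privileged = getegid();
    struct stat st;
    int fd = open(path, O_RDONLY);

    /* Drop whether or not the open worked. setregid(real, real) also
     * resets the saved set-group-ID, which plain setgid() does not do
     * for an unprivileged process. */
    if (setregid(real, real) != 0 || getegid() != real) {
        if (fd >= 0) close(fd);
        return -1;
    }
    /* If we started with extra group power, confirm it cannot be regained
     * (skipped for root, which can always change groups). */
    if (privileged != real && geteuid() != 0 && setegid(privileged) == 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;
    /* Accept only a character device, not whatever the path resolved to. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/kmem"; /* assumed default */
    int fd = open_device_then_drop_gid(path);
    if (fd < 0) { fprintf(stderr, "cannot use %s\n", path); return 1; }
    printf("opened %s, egid now %ld\n", path, (long)getegid());
    close(fd);
    return 0;
}
```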
