PSARC 2009/215 PCITool Public Interrupts
Erwin Tsaur
Erwin.Tsaur at sun.com
Fri May 1 11:09:33 PDT 2009
Gary Winiger wrote:
>> After discussing with Gary Winiger I am amending the PSARC case to
>> include more details about security.
>>
>
> I'm probably being overly picky here. In my offline discussions
> there seemed to be confusion about the (architectural) details.
> Including that I'm not the only one on the committee.
>
>
>> From project team:
>> It is currently not in the "Maintenance and Repair" Rights Profile and
>> we don't plan to ship it with it configured in it. Do you recommend
>> otherwise?
>>
>> From Gary Winiger:
>> Maintenance and Repair seems like an appropriate Rights Profile.
>> The specification can state that the will be adding /usr/sbin/pcitool
>> to the existing Maintenance and Repair Rights Profile with attributes
>> of --- and you state the attributes.
>>
>
> I've missed seeing the specification that pcitool will be
> added to Maintenance and Repair and with what attributes.
>
>
>> See
>> http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
>> for how to add to the RBAC databases.
>>
>
> I'm happy to coach how to deliver into the RBAC databases should
> the best practice not be sufficient for the project team.
>
I've read the link above, and I believe I just need to... (please
correct if wrong) add the line:
    Maintenance and Repair:solaris:cmd:::/usr/sbin/pcitool:privs=all
to usr/src/lib/libsecdb/exec_attr.txt
"Maintenance and Repair" is an existing Rights Profile. Sample of other
commands in the same profile are mdb, coreadm, halt and reboot.
>
>> Maintenance Commands pcitool(1M)
>>
>> NAME
>> pcitool - interrupt routing tool
>>
>> SYNOPSIS
>> /usr/sbin/pcitool PCI_nexus_node -i ino=ino [ -r [ -c ] | -w
>> cpu=CPU [ -g ] ] [ -v ] [ -q ]
>>
>> /usr/sbin/pcitool [ -h ]
>>
>
>
>> Required privileges
>>
>> The user must have all privileges in order to access inter-
>> rupt information. A regular user can access interrupt
>> information when su(1M) to root or granted the "Maintenance
>> and Repair" rights profile in the user_attr file. See
>> user_attr(4) and rbac(5).
>>
>
>
>> SEE ALSO
>> pci(4), su(1M), user_attr(4), rbac(5)
>>
>> NOTES
>>
>
>
>> Root access is required to execute all commands in this
>> tool.
>>
>
> Probably a nit. The preceding gives me pause over what the
> specification for Rights Profiles inclusion really is.
> Should this note just be eliminated, or is there some hard
> requirement for euid==ruid==0 which cannot be met otherwise.
>
That's right, something left over from the old PSARC case, which I
removed now. Updated manpage included.
> Gary..
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pcitool.manpage
URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20090501/90269bda/attachment.ksh>
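
Added example, not part of the original message or of the project's code: a small Python audit that parses exec_attr(4)-format text (name:policy:type:res1:res2:id:attr) and lists which commands in a Rights Profile run with all privileges or as uid/euid 0, which is what the proposed pcitool entry would grant. The sample text is constructed; "Example Profile" and the /usr/bin/example paths are hypothetical.

```python
# Added example: sample data below is constructed, not copied from a real system.
from typing import NamedTuple

FIELDS = 7  # name:policy:type:res1:res2:id:attr per exec_attr(4)

class ExecAttr(NamedTuple):
    profile: str
    policy: str
    kind: str
    path: str
    attrs: dict

def parse_exec_attr(text):
    """Return (entries, malformed_line_numbers) for exec_attr-format text."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split at most 6 times so colons inside the attr field survive.
        parts = line.split(":", FIELDS - 1)
        if len(parts) != FIELDS:
            malformed.append(lineno)
            continue
        name, policy, kind, _res1, _res2, path, attr = parts
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        entries.append(ExecAttr(name, policy, kind, path, attrs))
    return entries, malformed

def full_privilege_commands(entries, profile):
    """Commands in `profile` that run with all privileges or as uid/euid 0."""
    hits = []
    for e in entries:
        if e.profile != profile or e.kind != "cmd":
            continue
        privs = e.attrs.get("privs", "").split(",")
        if "all" in privs or e.attrs.get("uid") == "0" or e.attrs.get("euid") == "0":
            hits.append(e.path)
    return hits

SAMPLE = """\
# constructed sample in exec_attr(4) format
Maintenance and Repair:solaris:cmd:::/usr/sbin/pcitool:privs=all
Example Profile:solaris:cmd:::/usr/bin/example:privs=file_dac_read
Example Profile:suser:cmd:::/usr/sbin/example2:uid=0
broken line without enough fields
"""

if __name__ == "__main__":
    entries, bad = parse_exec_attr(SAMPLE)
    print(full_privilege_commands(entries, "Maintenance and Repair"), bad)
```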