[3305] in bugtraq
Solaris 2.5* ACLs and /dev/kmem access
daemon@ATHENA.MIT.EDU (Vic Abell)
Wed Aug 28 19:14:54 1996
Date: Wed, 28 Aug 1996 12:44:06 -0500
Reply-To: abe@purdue.edu
From: Vic Abell <abe@vic.cc.purdue.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
ACLs seem a better method for empowering specific programs to read
the memory devices (/dev/drum, /dev/kmem, /dev/mem, /dev/swap, etc.)
than does group assignment to those devices. That's particularly
true when the group that owns the memory devices has other powers
like ownership of directories and files. Both AIX and Solaris
share this latter, questionable trait.

Under AIX 4.1.4 it's possible to create a new group -- the familiar
kmem to some of us -- that is the setgid() destination for programs
permitted to use the memory devices. The ACLs for the memory
devices can then be modified to permit members of the kmem group
to read them.

Doing that under Solaris 2.5 or 2.5.1 doesn't seem to be possible.
The setfacl program reports:

    # setfacl -m u:<login>:r-- /dev/kmem
    /dev/kmem: failed to set acl entries
    setacl error: Operation not applicable

or

    # ls -l /dev/kmem
    lrwxrwxrwx 1 root root ... /dev/kmem -> ../devices/pseudo/mm@0:kmem
    # setfacl -m u:<login>:r-- /devices/pseudo/mm@0:kmem
    /devices/pseudo/mm@0:kmem: failed to set acl entries
    setacl error: Operation not applicable

(I've tried this on Solaris 2.5 and 2.5.1.) Is there a good reason
Solaris 2.5* doesn't support setacl operation on memory devices? Or
am I doing something wrong?
Vic Abell <abe@purdue.edu>
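
Added example (not part of the original post): a POSIX shell audit of the concern raised in the message, that the group owning the memory devices may also own other files and directories. The function names, the scan root and the device paths given as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage (hypothetical file name): sh memgroup_audit.sh ROOT DEVICE...

# Print the numeric gid that owns a path. -L follows symlinks, which matters
# where /dev/kmem is a link into /devices as in the listing in the post.
owner_gid() {
    ls -ldnL -- "$1" 2>/dev/null | awk '{print $4}'
}

# List files and directories under root $2 that belong to gid $1 and are
# group-writable or setgid. These are the "other powers" a program gains
# when it is made setgid to the memory-device group just to read memory.
group_exposure() {
    find "$2" -xdev -group "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -2000 \) -print 2>/dev/null
}

# For each device: report the owning gid, then everything else under the
# root that the same group can modify or that confers the group.
audit_mem_group() {
    root=$1
    shift
    for dev in "$@"; do
        gid=$(owner_gid "$dev")
        if [ -z "$gid" ]; then
            echo "skip $dev (not present)"
            continue
        fi
        echo "== $dev gid=$gid"
        group_exposure "$gid" "$root" | sed 's/^/   /'
    done
}

# Only run the audit when a root and at least one device are supplied.
if [ "$#" -ge 2 ]; then
    audit_mem_group "$@"
fi
```

An empty listing under a device means the owning group controls nothing else under the scanned root, which is the property a dedicated kmem-style group is meant to have.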