Whitepaper on Method to enable Privileged Process Debugging
Published: October 2012
© Copyright 2010, 2012 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Overview
2 Problem statement
3 Solution
What is RBAC?
What is FGP?
1 Overview
Debugging utilities on HP-UX (for example tusc and gdb) fail to debug a process that has Fine Grained Privileges unless the debugging utility process has the same or a higher set of privileges. A process cannot inherit the privileges of another process at run time; the privileges need to be set on the binary before it is executed. HP-UX has different methods of elevating privileges, which are discussed in the Solution section.
2 Problem statement
Debugging, especially privileged process debugging, has always been important in the customer environment. If the debugging process has fewer privileges than the process it is debugging, the user will encounter a permission denied error message.
3 Solution
The user can set the privileges of the debugger binary either manually, using the setfilexsec command, or by creating a new debug role in the RBAC (Role Based Access Control) roles database with hpux.security.access.privrun.* authorizations. This document provides the details on how to provide the required privileges for debugging processes using RBAC.
What is RBAC?
RBAC (Role-Based Access Control) is an alternative to the all-or-nothing security model of traditional root user-based systems.
Now try to debug the process using tusc:
# tusc 5926
tusc: ttrace(TT_PROC_ATTACH, 5926, 0, 0, dad0001, 0): Permission denied
tusc: no process to attach to
#
Since the privileges of the debugger process (tusc here) are lower than those of the test process, the user gets a permission denied error.
Solution using RBAC
Using RBAC is a generic solution that the customer can use with any debugger tool. The user has to follow these steps:
1.
In user-mode ........................................... [running]
exit(0) .................................. WIFEXITED(0)
[1] + Done .
4 Limitations
If the customer has more than one application and each one has different privileges, the user needs to combine all the privileges into a comma-separated list and add it to the cmd_priv database against tusc.
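As an added illustration (not part of the HP whitepaper), the shell functions below build the combined comma-separated list described in this limitation and report, for each application, which privileges tusc would hold beyond that application's own set, which is the least-privilege cost of a single combined entry. The function names, application names and per-application privilege lists are constructed for the example; the privilege names are those documented in privileges(5).

```shell
#!/bin/sh
# Added example. Privilege names are from privileges(5); the application
# names and their privilege lists are constructed sample data.
LC_ALL=C; export LC_ALL

# to_lines LIST: one privilege per line, upper-cased, sorted, de-duplicated.
to_lines() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' |
        tr '[:lower:]' '[:upper:]' | sed '/^$/d' | sort -u
}

# merge_privs LIST...: union of all lists as one comma-separated list.
merge_privs() {
    for list in "$@"; do to_lines "$list"; done | sort -u | paste -s -d, -
}

# excess_privs UNION APP_LIST: privileges in UNION that the application
# itself does not hold, i.e. what the debugger gains beyond that target.
excess_privs() {
    app=$(to_lines "$2")
    to_lines "$1" | while read -r p; do
        printf '%s\n' "$app" | grep -qxF "$p" || printf '%s\n' "$p"
    done | paste -s -d, -
}

# Constructed sample data (hypothetical applications).
APP_A="DACREAD,OWNER"
APP_B="netadmin, DACREAD"
APP_C="CHOWN"

combined=$(merge_privs "$APP_A" "$APP_B" "$APP_C")
echo "combined list for the tusc entry: $combined"
for pair in "A:$APP_A" "B:$APP_B" "C:$APP_C"; do
    echo "app ${pair%%:*}: tusc holds extra: $(excess_privs "$combined" "${pair#*:}")"
done
```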
5 Summary
Debugging tools should have sufficient privileges to debug processes whose privileges are elevated. We can temporarily elevate and drop the privileges of debugging tools using RBAC.
For more information:
http://h21007.www2.hp.com/portal/download/files/unprot/hpux/RBACv1_HP-UX11i.pdf
http://h21007.www2.hp.com/portal/StaticDownload?attachment_ciid=ed0964c3c39f111064c3c39f1110275d6e10RCRD=0c08092f62f02110092f62f02110275d6e10RCRD
Man pages
privileges(5) Overview of HP-UX privileges.