Method to Enable Privileged Process Debugging

Now try to debug the process using tusc:
# tusc 5926
tusc: ttrace(TT_PROC_ATTACH, 5926, 0, 0, dad0001, 0): Permission denied
tusc: no process to attach to
#
Since the privileges of the debugger process (tusc here) are lower than those of the test process, the user gets
a permission denied error.
Solution using RBAC
Using RBAC is a generic solution that customers can use with any debugger tool.
The user has to follow these steps:
1. Add a new debug role to the RBAC roles database
# roleadm add debug
roleadm: added role debug
#
2. Assign a new authorization to the above debug role in order to add the entry to the cmd_priv
database
# authadm assign debug hpux.security.access.privrun.*
authadm added 1 auth for role debug
#
3. Assign the debug role to the user account from which the user wants to debug
# roleadm assign privdbg debug
roleadm assign done in /etc/rbac/user_role
#
4. Log in to the user account (privdbg)
# telnet <hostname>
5. After login, add the debugger tool binary (for example, the tusc binary) to the cmd_priv database with the required
privileges (the output of the getprocxsec command above lists the required privileges)
# /usr/sbin/cmdprivadm add cmd=/usr/local/bin/tusc \
op=hpux.security.acess.*,* object='*' \
ruid=0 euid=0 privs=BASIC,NETPRIVPORT
/usr/local/bin/tusc::(hpux.security.acess.*,*,*):0/0/-1/-1::BASIC,NETPRIVPORT::
cmdprivadm added the entry to /etc/rbac/cmd_priv
#
6. Check whether the user has a privilege shell; if not, ask the user to update the shell using the usermod
command.
# echo $SHELL
/usr/bin/privksh
#
7. Now start the user process again
# ./test &
[1] 13646
#
8. Attach the debugger tool (for example, tusc here) to the PID of the running process
# tusc 13646
( Attached to process 13646 ("./test") [32-bit] )
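
The entry created in step 5 lets tusc run with ruid=0 and euid=0, so it is worth reviewing what cmd_priv actually grants. The script below is an added example, not part of the original paper; it assumes the colon-separated field order seen in the cmdprivadm output above, and the second sample line and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original paper: review cmd_priv-style entries.
# Assumed field order, read off the entry cmdprivadm printed in step 5:
#   cmd:args:(operation,object):ruid/euid/rgid/egid:compartment:privs::

# check_entry ENTRY: print the command, its privileges and any findings.
check_entry() {
    # Split on ':'; read does not glob the '*' fields.
    IFS=: read -r cmd args auth ids cmpt privs rest <<EOF
$1
EOF
    auth=${auth#"("}; auth=${auth%")"}   # drop the surrounding parentheses
    op=${auth%,*}                        # operation: text before the last comma
    object=${auth##*,}                   # object: text after the last comma
    ruid=${ids%%/*}                      # first value of ruid/euid/rgid/egid
    euid=${ids#*/}; euid=${euid%%/*}     # second value

    findings=""
    if [ "$ruid" = 0 ] || [ "$euid" = 0 ]; then
        findings="$findings runs-as-uid-0"
    fi
    case $op in *'*'*) findings="$findings wildcard-operation" ;; esac
    if [ "$object" = '*' ]; then
        findings="$findings any-object"
    fi
    printf '%s [privs=%s]%s\n' "$cmd" "$privs" "${findings:- ok}"
}

# review_entries: run check_entry on every entry read from stdin.
review_entries() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_entry "$line"
    done
}

# Constructed input: line 1 is the entry from step 5, line 2 is hypothetical.
review_entries <<'EOF'
/usr/local/bin/tusc::(hpux.security.acess.*,*,*):0/0/-1/-1::BASIC,NETPRIVPORT::
/opt/example/bin/tool::(example.tool.run,/opt/example):105/105/-1/-1::BASIC::
EOF
```

On a system configured as in the steps above, the same function can read the database directly with review_entries < /etc/rbac/cmd_priv.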