
- /usr/bin/ps: the default ps, with SVR4 (System V Release 4) options
- /usr/ucb/ps: BSD-style options (ucb stands for University of California, Berkeley)
root@unixrock# ls -li /usr/bin/ps /usr/ucb/ps
834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/bin/ps
834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
root@unixrock#
root@unixrock# ldd /usr/bin/ps /usr/ucb/ps
/usr/bin/ps:
libc.so.1 => /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
/usr/ucb/ps:
libc.so.1 => /lib/libc.so.1
libm.so.2 => /lib/libm.so.2
root@unixrock#
"psadmin" is the application user who requires the full output of the "ps" command, but can see only the first 80 characters of each command line. They also tried "/usr/ucb/ps auxwww", with the same result. In the output below, the "psadmin" user can see only the first 80 characters of the command line of PID 944.
psadmin@unixrock$ uname -a
SunOS unixrock 5.10 Generic_142910-17 i86pc i386 i86pc
psadmin@unixrock$
psadmin@unixrock$ id
uid=100(psadmin) gid=1(other)
psadmin@unixrock$
psadmin@unixrock$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:28 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
psadmin@unixrock$
When we checked as the root user, it works fine as expected, but a normal user account cannot do the same.
When I dug further, I found a way through RBAC (Role Based Access Control). Here are the steps to achieve our requirement. Our change plan is: Create Profile --> Privilege to profile --> Create Role --> Role to profile --> Role to user.
root@unixrock#
root@unixrock# /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.0 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
root@unixrock#
root@unixrock#
root@unixrock# ps -ef|grep -i 944|grep -v grep
noaccess 944 1 0 02:11:23 ? 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
root@unixrock#
We tried setting the setuid bit (chmod u+s /usr/ucb/ps) on the executable "/usr/ucb/ps"; that works fine even when executed by a normal user, but it affects other applications that use the same executable. Our requirement has to be achieved without changing the current permissions. We tried sudo and ACL privileges too, but with no success; the result was the same.
root@unixrock# ls -ltr /usr/ucb/ps
-r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
root@unixrock#
root@unixrock# getfacl /usr/ucb/ps
# file: /usr/ucb/ps
# owner: root
# group: bin
user::r-x
group::r-x #effective:r-x
mask:r-x
other:r-x
root@unixrock#
For more about RBAC
Creating a profile by appending the line below to /etc/security/prof_attr, then pressing Ctrl+D to save the changes.
root@unixrock# cp -p /etc/security/prof_attr /etc/security/prof_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/prof_attr
psquery:::Processes Query as Root:
root@unixrock#
Privilege to profile by appending the line below to /etc/security/exec_attr, then pressing Ctrl+D to save the changes.
root@unixrock# cp -p /etc/security/exec_attr /etc/security/exec_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/exec_attr
psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
root@unixrock#
Creating Role
root@unixrock# roleadd -d /export/home/Rpsadmin -m Rpsadmin
root@unixrock# passwd Rpsadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for Rpsadmin
root@unixrock#
Role to profile
root@unixrock# rolemod -P "psquery" Rpsadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
root@unixrock#
Role to user
root@unixrock# usermod -R Rpsadmin psadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
root@unixrock#
Checking the status..
root@unixrock# su - psadmin
Oracle Corporation SunOS 5.10 Generic Patch January 2005
$
$ id
uid=100(psadmin) gid=1(other)
$ su - Rpsadmin
Password:
$
$ id
uid=101(Rpsadmin) gid=1(other)
$
$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.4 7.7133876119764 ? S 02:11:22 3:32 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.2 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
$
Cool..!!!.. We have done with RBAC.
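As an added example (not part of the original post), the Python script below resolves, from constructed copies of the user_attr and exec_attr lines shown above, which commands a user can reach with elevated attributes through its roles and profiles, and flags entries such as the psquery one whose uid=0/euid=0 make the command run fully as root rather than as the role with only the listed proc_owner privilege. It assumes only direct profile assignments (no nested profs= entries in prof_attr) and the field layout of the two files as shown above.

```python
# Added example: audit Solaris RBAC (user_attr -> roles -> profiles -> exec_attr).
USER_ATTR = """\
Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
"""  # constructed to match the post's user_attr lines
EXEC_ATTR = """\
psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
"""  # constructed to match the post's exec_attr line

def parse_kv(attrs):
    """Turn 'k=v;k2=a,b' into {'k': ['v'], 'k2': ['a', 'b']}."""
    out = {}
    for item in filter(None, attrs.split(";")):
        key, _, val = item.partition("=")
        out[key] = val.split(",")
    return out

def parse_user_attr(text):
    """user_attr fields: user:qualifier:res1:res2:attr (only attr is used)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = parse_kv(f[4])
    return users

def parse_exec_attr(text):
    """exec_attr fields: name:policy:type:res1:res2:id:attr; keyed by profile."""
    cmds = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            cmds.setdefault(f[0], []).append((f[1], f[5], parse_kv(f[6])))
    return cmds

def resolve(user, users, cmds):
    """(role, profile, command, attrs) reachable: own profiles (role=None) plus
    the profiles of every role assigned to the user in user_attr."""
    u = users.get(user, {})
    sources = [(None, p) for p in u.get("profiles", [])]
    for role in u.get("roles", []):
        if users.get(role, {}).get("type") == ["role"]:
            sources += [(role, p) for p in users[role].get("profiles", [])]
    return [(role, prof, path, attrs)
            for role, prof in sources
            for _policy, path, attrs in cmds.get(prof, [])]

def runs_as_root(attrs):
    """uid=0 or euid=0 means the command runs as root, whatever privs= limits."""
    return attrs.get("uid") == ["0"] or attrs.get("euid") == ["0"]
```

resolve("psadmin", ...) returns the psquery entry reached via role Rpsadmin, and runs_as_root flags it because uid=0 makes /usr/ucb/ps run as root; dropping the uid/euid/gid/egid attributes and keeping privs=proc_owner would grant only the privilege ps needs.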
I hope this post helps you, Please share your valuable comments or queries and like the page.