Jorgen Lundman
2021-May-06 00:58 UTC
[Samba] /proc/self open fails with proc_owner Was: Time-machine replies with 17: File Exists
> hm, but what is this controlled and controlling process nonsense about?
> They're both the same process here. The only thing I can imagine is that
> you cannot reopen with a different mode than the original open -- which is
> totally braindead. But anyway...

If we are curious, we die in:

dtrace -n 'secpolicy_proc_access:entry {printf("uid %u, euid %d, gid %d, egid %d", $uid, $euid, $gid, $egid);} ' -n 'secpolicy_proc_access:return {printf("%d", arg1);}'

  7  14124  secpolicy_proc_access:entry uid 0, euid 0, gid 0, egid 0
  7  14125  secpolicy_proc_access:return 13

int
secpolicy_proc_access(const cred_t *scr)
{
        return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
}

I attempted to award proc_owner to root (even though it already has All) but I seem unable to make it get past this check.
Jeremy Allison
2021-May-06 01:06 UTC
[Samba] /proc/self open fails with proc_owner Was: Time-machine replies with 17: File Exists
On Thu, May 06, 2021 at 09:58:44AM +0900, Jorgen Lundman via samba wrote:
>> hm, but what is this controlled and controlling process nonsense about?
>> They're both the same process here. The only thing I can imagine is that
>> you cannot reopen with a different mode than the original open -- which is
>> totally braindead. But anyway...
>
> If we are curious, we die in:
>
> dtrace -n 'secpolicy_proc_access:entry {printf("uid %u, euid %d, gid %d, egid %d", $uid, $euid, $gid, $egid);} ' -n 'secpolicy_proc_access:return {printf("%d", arg1);}'
>
>   7  14124  secpolicy_proc_access:entry uid 0, euid 0, gid 0, egid 0
>   7  14125  secpolicy_proc_access:return 13
>
> int
> secpolicy_proc_access(const cred_t *scr)
> {
>         return (PRIV_POLICY(scr, PRIV_PROC_OWNER, B_FALSE, EACCES, NULL));
> }
>
> I attempted to award proc_owner to root (even though it already has All) but I seem unable to make it get past this check.

Looks like Solaris/OmniOS has some different semantics for /proc/self/fd/XX than Linux.

Unless OmniOS fixes this, the best policy is simply going to be not to use the /proc/self/fd/XX fallback for handle-based access (we already have to do this for FreeBSD).

Remember how all the world used to have to be Solaris to get UNIX software to run. Now all the world has to be Linux. Sorry :-(.
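
Added example, not part of the thread and not Samba's code: a runtime probe that checks whether the platform allows reopening an already-open descriptor through /proc/self/fd/N before relying on that fallback. The function names and the scratch file path are hypothetical, and the read-only to read-write reopen is an assumption taken from the guess quoted above.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Build the procfs name of an already-open descriptor; 0 on success. */
int procfd_path(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/*
 * Hypothetical probe: 1 if an O_RDONLY descriptor can be reopened O_RDWR via
 * /proc/self/fd/N and written to, 0 if refused or procfs is absent (*err
 * holds errno, e.g. EACCES), -1 if the scratch file cannot be set up.
 */
int probe_procfd_reopen(int *err)
{
    char tmpl[] = "/tmp/procfd-probe-XXXXXX"; /* constructed scratch file */
    char path[64];
    int ok = 0;
    *err = 0;
    int wfd = mkstemp(tmpl);               /* created 0600, owner may write */
    if (wfd < 0) return -1;
    close(wfd);
    int rfd = open(tmpl, O_RDONLY);        /* the original, narrower open */
    if (rfd < 0 || procfd_path(rfd, path, sizeof(path)) != 0) {
        if (rfd >= 0) close(rfd);
        unlink(tmpl);
        return -1;
    }
    int nfd = open(path, O_RDWR);          /* reopen with a different mode */
    if (nfd >= 0 && write(nfd, "x", 1) == 1)
        ok = 1;
    else
        *err = errno;                      /* reason the fallback is unusable */
    if (nfd >= 0) close(nfd);
    close(rfd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    int err, r = probe_procfd_reopen(&err);
    printf("procfd reopen: %d (errno %d)\n", r, err);
    return r == 1 ? 0 : 1;
}
```

A result of 0 with errno 13 (EACCES) corresponds to the secpolicy_proc_access return value shown in the dtrace output above; a caller would then skip the /proc/self/fd path and use its path-based code instead.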