


AIX下,为什么非adm组成员不能使用sar命令?
很多人发现普通用户不能使用sar命令,IBM给的解决方法是将普通用户加到adm组中。但原因是什么呢?使用truss命令,很快就能自己找到答案了。

$ sar 1 1
sar: The file access permissions do not allow the specified action.
注解:这说明普通用户不能使用sar命令。
$ truss sar 1 1
execve("/usr/sbin/sar", 0x2FF22C0C, 0x2FF22C1C)  argc: 3
sbrk(0x00000000)                                = 0x200036F4
sbrk(0x0000000C)                                = 0x200036F4
sbrk(0x00010010)                                = 0x20003700
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
__loadx(0x01000180, 0x2FF1E040, 0x00003E80, 0xF09E5858, 0xF09E5788, 0x00000000, 0xFFFFFFFD, 0x00000000) = 0x20014BD8
__loadx(0x07080000, 0xF09E5828, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015AF0
__loadx(0x07080000, 0xF09E5768, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015AFC
__loadx(0x07080000, 0xF09E5838, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B2C
__loadx(0x07080000, 0xF09E5778, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B38
__loadx(0x07080000, 0xF09E57F8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B08
__loadx(0x07080000, 0xF09E57A8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B20
__loadx(0x07080000, 0xF09E5808, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B44
__loadx(0x07080000, 0xF09E5818, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B74
__loadx(0x07080000, 0xF09E5798, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B5C
__loadx(0x07080000, 0xF09E57B8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015BD4
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
access("/usr/lib/nls/msg/en_US/sar.cat", 0)     = 0
_getpid()                                       = 14252
access("/usr/lib/sa/sadc", 01)                  Err#13 EACCES
access("/usr/lib/nls/msg/en_US/libc.cat", 0)    = 0
_getpid()                                       = 14252
open("/usr/lib/nls/msg/en_US/libc.cat", O_RDONLY) = 3
kioctl(3, 22528, 0x00000000, 0x00000000)        Err#25 ENOTTY
kfcntl(3, F_SETFD, 0x00000001)                  = 0
kioctl(3, 22528, 0x00000000, 0x00000000)        Err#25 ENOTTY
kread(3, "01 ?707 I S O 8".., 4096)    = 4096
lseek(3, 0, 1)                                  = 4096
lseek(3, 0, 1)                                  = 4096
lseek(3, 0, 1)                                  = 4096
_getpid()                                       = 14252
lseek(3, 0, 1)                                  = 4096
close(3)                                        = 0
sarkwrite(2, " s a r", 3)                               = 3
: kwrite(2, 0xF09EA2BC, 2)                      = 2
The file access permissions do not allow the specified action.kwrite(2, " T h e   f i l e   a c c".., 62)       = 62

kwrite(2, 0xF09EA2B8, 1)                        = 1
kfcntl(1, F_GETFL, 0x2FF22FFC)                  = 2
kfcntl(2, F_GETFL, 0x00000000)                  = 2
_exit(1)
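注解:用truss看看,发现使用sar时要访问/usr/lib/nls/msg/en_US/libc.cat、/usr/lib/sa/sadc等文件。其中关键的一行是 access("/usr/lib/sa/sadc", 01) 返回 Err#13 EACCES:sar在检查当前用户对sadc是否有执行权限(01即X_OK)时被拒绝,随后才输出那条权限错误信息。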
$ su -
root's Password:
mycomputer#/> sar 1 1

AIX mycomputer 1 5 005F833A4C00    01/15/05

09:56:36    %usr    %sys    %wio   %idle
09:56:37      10       0       0      90
注解:验证一下root能不能使用sar?当然可以了,似乎有点多此一举,呵呵。
mycomputer#/> exit
$ ls -l /usr/lib/nls/msg/en_US/libc.cat /usr/lib/sa/sadc
-rw-r--r--   1 bin      bin           19572 Apr 09 2001  /usr/lib/nls/msg/en_US/libc.cat
-r-sr-x---   1 root     adm           13636 Aug 09 2003  /usr/lib/sa/sadc
注解:看看/usr/lib/nls/msg/en_US/libc.cat、/usr/lib/sa/sadc这两个文件的权限设置。找到问题的原因了:/usr/lib/sa/sadc属于adm组,而OTHER用户的权限是——不可读、不可写、不可执行。
$ file /usr/lib/sa/sadc
/usr/lib/sa/sadc:       0653-902 Cannot open the specified file for reading.
注解:看看/usr/lib/sa/sadc是脚本还是二进制文件还是别的什么?居然出错了?当然要出错,刚刚不是说OTHER用户的权限是不可读……吗?
$ su -
root's Password:
mycomputer#/> file /usr/lib/sa/sadc
/usr/lib/sa/sadc:       executable (RISC System/6000) or object module
注解:用root看看吧。发现不是脚本。
mycomputer#/> chmod o+x /usr/lib/sa/sadc
注解:给OTHER用户加上可执行权限。
mycomputer#/> exit
$ sar 1 1

AIX mycomputer 1 5 005F833A4C00    01/15/05

09:59:13    %usr    %sys    %wio   %idle
09:59:14       0       0       0     100
$
注解:用普通用户再试试sar,成功喽!

小结一下:让普通用户能够使用sar命令,至少有两种办法:
1、将普通用户加到adm组中;
2、这个例子中,就是这个命令:chmod o+x /usr/lib/sa/sadc 。

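注:本文只分析了AIX下非adm组成员不能使用sar命令的原因;对使用方法2是否存在安全隐患,不在本文讨论之列。这里只补充一个从上面ls -l输出就能看到的事实:/usr/lib/sa/sadc的权限是-r-sr-x---,属主为root且带有setuid位,执行chmod o+x之后权限变为-r-sr-x--x,系统上任何本地用户都可以运行这个以root有效身份执行的程序;方法1则只对被明确加入adm组的用户开放(但这些用户同时会获得adm组对其他文件的访问权限)。采用哪种方法,应结合本机的账号情况和最小权限原则来决定。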

========================================================
任何形式的转载,请写明出处:
email: beginner@yeah.net
website: http://www.aixchina.net/?1865
========================================================

发表于: 2008-05-11,修改于: 2008-05-11 22:26,已浏览113次,有评论0条 推荐 投诉

