
2008-05-11 22:26:51

很多人发现普通用户不能使用sar命令,IBM给的解决方法是将普通用户加到adm组中。但原因是什么呢?使用truss命令,很快就能自己找到答案了。

$ sar 1 1
sar: The file access permissions do not allow the specified action.
注解:这说明普通用户不能使用sar命令。
$ truss sar 1 1
execve("/usr/sbin/sar", 0x2FF22C0C, 0x2FF22C1C)  argc: 3
sbrk(0x00000000)                                = 0x200036F4
sbrk(0x0000000C)                                = 0x200036F4
sbrk(0x00010010)                                = 0x20003700
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
__loadx(0x01000180, 0x2FF1E040, 0x00003E80, 0xF09E5858, 0xF09E5788, 0x00000000, 0xFFFFFFFD, 0x00000000) = 0x20014BD8
__loadx(0x07080000, 0xF09E5828, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015AF0
__loadx(0x07080000, 0xF09E5768, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015AFC
__loadx(0x07080000, 0xF09E5838, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B2C
__loadx(0x07080000, 0xF09E5778, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B38
__loadx(0x07080000, 0xF09E57F8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B08
__loadx(0x07080000, 0xF09E57A8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B20
__loadx(0x07080000, 0xF09E5808, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B44
__loadx(0x07080000, 0xF09E5818, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B74
__loadx(0x07080000, 0xF09E5798, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015B5C
__loadx(0x07080000, 0xF09E57B8, 0xFFFFFFFF, 0x20014BD8, 0x00000000, 0x6002E017, 0x6000AA24, 0x00000000) = 0x20015BD4
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
getuidx(4)                                      = 0x0000000E
getuidx(2)                                      = 0x0000000E
getuidx(1)                                      = 0x0000000E
getgidx(4)                                      = 0
getgidx(2)                                      = 0
getgidx(1)                                      = 0
__loadx(0x01000080, 0x2FF1E050, 0x00003E80, 0x2FF21FE0, 0x00000000, 0x00000000, 0x00000080, 0x7F7F7F7F) = 0xD0077130
access("/usr/lib/nls/msg/en_US/sar.cat", 0)     = 0
_getpid()                                       = 14252
access("/usr/lib/sa/sadc", 01)                  Err#13 EACCES
access("/usr/lib/nls/msg/en_US/libc.cat", 0)    = 0
_getpid()                                       = 14252
open("/usr/lib/nls/msg/en_US/libc.cat", O_RDONLY) = 3
kioctl(3, 22528, 0x00000000, 0x00000000)        Err#25 ENOTTY
kfcntl(3, F_SETFD, 0x00000001)                  = 0
kioctl(3, 22528, 0x00000000, 0x00000000)        Err#25 ENOTTY
kread(3, "01 ?707 I S O 8".., 4096)    = 4096
lseek(3, 0, 1)                                  = 4096
lseek(3, 0, 1)                                  = 4096
lseek(3, 0, 1)                                  = 4096
_getpid()                                       = 14252
lseek(3, 0, 1)                                  = 4096
close(3)                                        = 0
sarkwrite(2, " s a r", 3)                               = 3
: kwrite(2, 0xF09EA2BC, 2)                      = 2
The file access permissions do not allow the specified action.kwrite(2, " T h e   f i l e   a c c".., 62)       = 62

kwrite(2, 0xF09EA2B8, 1)                        = 1
kfcntl(1, F_GETFL, 0x2FF22FFC)                  = 2
kfcntl(2, F_GETFL, 0x00000000)                  = 2
_exit(1)
注解:用truss看看,发现使用sar时要访问/usr/lib/nls/msg/en_US/libc.cat、/usr/lib/sa/sadc等文件;其中access("/usr/lib/sa/sadc", 01)返回了Err#13 EACCES,也就是对sadc的可执行权限检查失败,随后sar才去读取libc.cat中的报错信息并退出。
$ su -
root's Password:
mycomputer#/> sar 1 1

AIX mycomputer 1 5 005F833A4C00    01/15/05

09:56:36    %usr    %sys    %wio   %idle
09:56:37      10       0       0      90
注解:验证一下root能不能使用sar?当然可以了,似乎有点多此一举,呵呵。
mycomputer#/> exit
$ ls -l /usr/lib/nls/msg/en_US/libc.cat /usr/lib/sa/sadc
-rw-r--r--   1 bin      bin           19572 Apr 09 2001  /usr/lib/nls/msg/en_US/libc.cat
-r-sr-x---   1 root     adm           13636 Aug 09 2003  /usr/lib/sa/sadc
注解:看看/usr/lib/nls/msg/en_US/libc.cat、/usr/lib/sa/sadc这两个文件的权限设置。找到问题的原因了,/usr/lib/sa/sadc属于adm组,而OTHER用户的权限是——不可读、不可写、不可执行。
$ file /usr/lib/sa/sadc
/usr/lib/sa/sadc:       0653-902 Cannot open the specified file for reading.
注解:看看/usr/lib/sa/sadc是脚本还是二进制文件还是别的什么?居然出错了?当然要出错,刚刚不是说OTHER用户的权限是不可读……吗?
$ su -
root's Password:
mycomputer#/> file /usr/lib/sa/sadc
/usr/lib/sa/sadc:       executable (RISC System/6000) or object module
注解:用root看看吧。发现不是脚本。
mycomputer#/> chmod o+x /usr/lib/sa/sadc
注解:给OTHER用户加上可执行权限。
mycomputer#/> exit
$ sar 1 1

AIX mycomputer 1 5 005F833A4C00    01/15/05

09:59:13    %usr    %sys    %wio   %idle
09:59:14       0       0       0     100
$
注解:用普通用户再试试sar,成功喽!

小结一下:让普通用户能够使用sar命令,至少有两种办法:
1、将普通用户加到adm组中;
2、这个例子中,就是这个命令:chmod o+x /usr/lib/sa/sadc 。

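注:本文只分析了AIX下非adm组成员不能使用sar命令的原因;对使用方法2是否存在安全隐患,不在本文讨论之列。不过从上面ls -l的输出可以看到,/usr/lib/sa/sadc的属主是root并且带有setuid位(-r-sr-x---),方法2相当于让系统上所有本地用户都能执行这个setuid root程序,而方法1只对被加入adm组的用户放开,授权范围更小。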

========================================================
任何形式的转载,请写明出处:
email:
website:
========================================================
