-
Title
How do I enable dtrace for users on Solaris 10? -
Description
How do I enable dtrace for users on Solaris 10?
-
Resolution
1) edit the /etc/user_attr file and enter the user information
(for example `vas-user::::type=normal;defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user'). Right now, however, profiles and roles are not allowed for non-local users.
2) Because the pam_unix_cred.so.1 library assigns the attrs that a particular user needs, /etc/pam.conf needs to be configured in such a way that pam_unix_cred.so.1 is called when VAS users log in. With the default settings of sufficient, no subsequent modules are called once a VAS user logs in successfully which means the attrs for the user are never assigned. Adjust the auth section of pam.conf for each service_name required for logging in.
Those are the only two steps needed for this to work. The roles you want to give the users need to be specific roles with the defaultpriv variable and cannot be contained inside of roles, profiles, etc. That, of course, is not a VAS limitation but a limitation with how the module determines attrs for a given user.
One way a user can check to see if they have the correct attrs is to run `ppriv $$' on the command line after logging in as that particular user. If you use the example settings above, they will see the following:
2780: -bash
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user
I: basic,dtrace_kernel,dtrace_proc,dtrace_user
P: basic,dtrace_kernel,dtrace_proc,dtrace_user
L: all