Solaris commands aren’t what they seem


With this new post I am going to show you some curious things that recently happened to me.

For testing purposes I needed to remove the execution permission for regular users for the prstat command. So I just did a basic chmod (nothing strange for now…) :

root@solarisbox# chmod 550 /usr/bin/prstat
root@solarisbox#

After that, regular users can no longer use this command:

arnaud@solarisbox$ prstat
bash: /usr/bin/prstat: Permission denied
arnaud@solarisbox$

Great! But then problems appeared… Regular users had also lost execute permission for other commands:

arnaud@solarisbox$ ps
bash: /usr/bin/ps: Permission denied
arnaud@solarisbox$ uptime
bash: /usr/bin/uptime: Permission denied
arnaud@solarisbox$

There is only one explanation : those commands are the same…

Yes, ps and prstat are the same commands !!

Well, that’s not exactly true. Those commands are in fact hard links, which is why changing the permissions of one of them changes the permissions of every hard link (they all have the same inode).

In fact, on my Ultra 20 workstation with Solaris 10 5/09 installed, we can count 66 hard links:

root@solarisbox# ls -li /usr/bin/prstat
6582 -r-xr-x---  66 root     bin         5816 Jan  8  2007 /usr/bin/prstat
root@solarisbox#
root@solarisbox# find /usr -inum 6582
/usr/bin/newtask
/usr/bin/nohup
/usr/bin/prctl
/usr/bin/prstat
/usr/bin/ps
/usr/bin/savecore
/usr/bin/setuname
/usr/bin/uptime
/usr/bin/w
/usr/bin/pargs
/usr/bin/pcred
/usr/bin/pfiles
/usr/bin/pflags
/usr/bin/pldd
/usr/bin/pmap
/usr/bin/ppgsz
/usr/bin/ppriv
/usr/bin/preap
/usr/bin/prun
/usr/bin/psig
/usr/bin/pstack
/usr/bin/pstop
/usr/bin/ptime
/usr/bin/ptree
/usr/bin/pwait
/usr/bin/pwdx
/usr/bin/sort
/usr/bin/prex
/usr/bin/tnfxtract
/usr/bin/gcore
/usr/bin/plimit
/usr/bin/truss
/usr/bin/cputrack
/usr/bin/adb
/usr/bin/mdb
/usr/lib/isaexec
/usr/lib/ipf/ipftest
/usr/lib/rcap/rcapd
/usr/sadm/lib/wbem/rds
/usr/sbin/add_drv
/usr/sbin/modinfo
/usr/sbin/modload
/usr/sbin/modunload
/usr/sbin/pbind
/usr/sbin/prtconf
/usr/sbin/psrset
/usr/sbin/rem_drv
/usr/sbin/swap
/usr/sbin/sysdef
/usr/sbin/update_drv
/usr/sbin/whodo
/usr/sbin/ipf
/usr/sbin/ipfs
/usr/sbin/ipfstat
/usr/sbin/ipmon
/usr/sbin/ipnat
/usr/sbin/ippool
/usr/sbin/iscsitgtd
/usr/sbin/zdb
/usr/sbin/dtrace
/usr/sbin/intrstat
/usr/sbin/lockstat
/usr/sbin/plockstat
/usr/X11/bin/Xephyr
/usr/X11/bin/Xvfb
/usr/ucb/ps
root@solarisbox#
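
The check that would have caught this before the chmod, as an added example that is not part of the original post: look up the inode and link count of a file, list every name sharing that inode, and refuse a chmod when more than one name exists. The function names and the scratch files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the demo files are constructed in a scratch directory.

inode_of()   { ls -di -- "$1" | awk '{print $1}'; }   # inode number
link_count() { ls -ld -- "$1" | awk '{print $2}'; }   # hard-link count
mode_of()    { ls -ld -- "$1" | cut -c1-10; }         # e.g. -r-xr-x---

# siblings FILE ROOT: every path under ROOT (same filesystem) with FILE's inode
siblings() {
    find "$2" -xdev -inum "$(inode_of "$1")" -print | sort
}

# guarded_chmod MODE FILE ROOT: chmod only when FILE has a single name;
# otherwise list all names sharing the inode and return 1 without changing it.
guarded_chmod() {
    if [ "$(link_count "$2")" -gt 1 ]; then
        echo "refusing chmod $1: $2 shares its inode with:" >&2
        siblings "$2" "$3" >&2
        return 1
    fi
    chmod "$1" "$2"
}

# Constructed demo: one wrapper with two extra names, like isaexec/ps/prstat.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho wrapper\n' > "$d/isaexec"
    chmod 555 "$d/isaexec"
    ln "$d/isaexec" "$d/ps"
    ln "$d/isaexec" "$d/prstat"
    guarded_chmod 550 "$d/prstat" "$d" || echo "guard stopped the change"
    chmod 550 "$d/prstat"                  # the unguarded change from the post
    echo "ps is now $(mode_of "$d/ps")"    # the other name changed too
    rm -rf "$d"
}

demo
```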

Knowing that, we can do some very curious things…

root@solarisbox# rm /usr/bin/ps
root@solarisbox# ps
bash: ps: command not found
root@solarisbox#
root@solarisbox# cp /usr/sbin/dtrace /usr/bin/ps
root@solarisbox# ps
PID TTY         TIME CMD
1120 pts/3       0:00 sh
1124 pts/3       0:00 bash
1213 pts/3       0:00 ps
root@solarisbox#

Well, in fact this is not such a curious thing if you know, and you may, what hard links are.

So, the question is: why are a lot of commands hard links?

The answer is in docs.sun.com : Shell-Scripts Wrappers.

To sum up, a lot of commands are hard links to the wrapper /usr/lib/isaexec, which checks which platform we are on in order to execute the correct command.

For example, my U20 is an amd64 platform:

root@solarisbox# isalist
amd64 pentium_pro+mmx pentium_pro pentium+mmx pentium i486 i386 i86
root@solarisbox#

So when I run ps, the binary I actually execute is /usr/bin/amd64/ps.

Another way to see it is to use the truss or dtrace command:

root@solarisbox# truss -o /tmp/ps.truss ps
PID TTY         TIME CMD
1120 pts/3       0:00 sh
1124 pts/3       0:00 bash
1245 pts/3       0:00 truss
1246 pts/3       0:00 ps
root@solarisbox#
root@solarisbox# grep execve /tmp/ps.truss
execve("/usr/bin/ps", 0x08047DE4, 0x08047DEC)  argc = 1
execve("/usr/bin/amd64/ps", 0x08047DE4, 0x08047DEC)  argc = 1
root@solarisbox#

So, what is the conclusion? Commands are not what they seem…

Another, more practical conclusion: if you want to copy a command, be careful which command you are copying!

root@solarisbox# cp /usr/bin/ps /tmp/ps
root@solarisbox# /tmp/ps
/tmp/ps: cannot find/execute "ps" in ISA subdirectories
root@solarisbox#
root@solarisbox# cp /usr/bin/amd64/ps /tmp/ps2
root@solarisbox# /tmp/ps2
PID TTY         TIME CMD
1120 pts/3       0:00 sh
1124 pts/3       0:00 bash
1251 pts/3       0:00 ps2
root@solarisbox#

Arnaud


  1. #1 by Jorge Moratilla on November 20, 2009 - 17:22

    Quite impressive! Great post!

    Best regards
    jorge moratilla
