|
|
|
|
|
|
| Author |
Message |
Tom
*nix forums beginner
Joined: 10 Mar 2005
Posts: 14
|
 Posted: Wed Feb 02, 2005 9:10 pm Post subject:
Solaris 9 setproject(3PROJECT) Problem
|
|
|
I am trying to learn and understand the programming interface for
placing a process into a desired project. The man page for
setproject(3PROJECT) says if the user is a member of that project then
super-user privleges are not required. I added my user into a project.
However, whereas via the command line 'newtask' a new process can be
added, the same attempt via the API 'setproject' fails.
Why does my program fail but the command line mechanism work?
% id
uid=9999(santera) gid=14(sysadmin)
% grep santera /etc/project
t8000-lr:110:Platform
LR:santera::project.cpu-shares=(privileged,1,deny)
% newtask -p t8000-lr ls
Makefile SetProject.C SetProject
% cat SetProject.C
// SetProject.C
#include <unistd.h>
#include <iostream>
#include <sched.h> // scheduler
#include <cerrno>
#include <project.h>
#include <sys/types.h>
#include <sys/task.h>
using namespace std;
int main (int /* pArgc, char** /* pArgv */)
{
cout << "PID=" << ::getpid ()
<< "; UID=" << ::getuid ()
<< "; EUID=" << ::geteuid ()
<< "; GID=" << ::getgid ()
<< "; EGID=" << ::getegid ()
<< endl;
int retVal = ::setproject ("t8000-lr",
"santera",
TASK_NORMAL);
if (retVal != 0)
{
cout << "error: setproject(): retVal=" << retVal
<< "; " << errno << " (" << strerror(errno) << ")"
<< endl;
}
}
% SetProject
PID=21193; UID=9999; EUID=9999; GID=14; EGID=14
error: setproject(): retVal=-1; 1 (Not owner) |
|
| Back to top |
|
 |
Casper H.S. Dik
*nix forums Guru
Joined: 20 Feb 2005
Posts: 1634
|
| Posted: Thu Feb 03, 2005 8:09 am Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
"Tom" <cube_384@yahoo.com> writes:
| Quote: | I am trying to learn and understand the programming interface for
placing a process into a desired project. The man page for
setproject(3PROJECT) says if the user is a member of that project then
super-user privleges are not required. I added my user into a project.
However, whereas via the command line 'newtask' a new process can be
added, the same attempt via the API 'setproject' fails.
Why does my program fail but the command line mechanism work?
|
You do need to be the superuser; the command line is a set-uid root
program.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth. |
|
| Back to top |
|
|
Tom
*nix forums beginner
Joined: 10 Mar 2005
Posts: 14
|
| Posted: Thu Feb 03, 2005 12:52 pm Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
Casper, the Solaris 9 man page seems to imply that if user is a member
of the project, it can create a task in that project. Allow me to
quote:
If user_name is a valid member of the project specified by
project_name, as determined by inproj(3PROJECT), setpro-
ject() will create a new task with settaskid(2) using task
flags specified by flags, use setrctl(2) to associate vari-
ous resource controls with the process, task, and project,
and bind the calling process to the appropriate resource
pool with pool_set_binding(3POOL). Resource controls not
explicity specified in the project entry will be preserved.
If user_name is a name of the superuser (user with UID equal
to 0), the setproject() function skips the inproj(3PROJECT)
check described above and allows the superuser to join any
project.
If this is not true, I do not understand how application processes can
manage which projects to join; they'd all have to have super-user priv.
Tom |
|
| Back to top |
|
|
Casper H.S. Dik
*nix forums Guru
Joined: 20 Feb 2005
Posts: 1634
|
| Posted: Fri Feb 04, 2005 9:23 am Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
"Tom" <cube_384@yahoo.com> writes:
| Quote: | Casper, the Solaris 9 man page seems to imply that if user is a member
of the project, it can create a task in that project. Allow me to
quote:
If user_name is a valid member of the project specified by
project_name, as determined by inproj(3PROJECT), setpro-
ject() will create a new task with settaskid(2) using task
flags specified by flags, use setrctl(2) to associate vari-
ous resource controls with the process, task, and project,
and bind the calling process to the appropriate resource
pool with pool_set_binding(3POOL). Resource controls not
explicity specified in the project entry will be preserved.
If user_name is a name of the superuser (user with UID equal
to 0), the setproject() function skips the inproj(3PROJECT)
check described above and allows the superuser to join any
project.
If this is not true, I do not understand how application processes can
manage which projects to join; they'd all have to have super-user priv.
|
You read this incorrectly. What this means is that the library will
check whether a particular uses belongs to a particular project.
Considering the resource binding and other system calls done,
the setproject() call is reserved for privileged users; the mention
of root here is a red herring: it simply means that the interface
allows the superuser to join any project.
Applications processes normally should not join different projects;
at most they should switch tasks.
In order to switch projects, you'll need to run newtask(1) or call
setproject() from within a privileged application.
You can run "newtask -p <project> -c <pid>" in case you need to change
the project of a particular process.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth. |
|
| Back to top |
|
|
Tom
*nix forums beginner
Joined: 10 Mar 2005
Posts: 14
|
| Posted: Fri Feb 04, 2005 2:03 pm Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
Thanks for the explanation. I'm sure Solaris 9 works just as you state,
but I'm not so sure that is the way it ought to work. I'll tell you,
the man page is VERY mis-leading.
Why should I bother to specify user_name as a valid member of the
project if only super-user can be used to successfully do anything with
this function? There isn't any way to specify another process id via
setproject's API, so it's dealing with the process making the call.
This just does not make sense to me.
newtask(1) will not allow user to join a project unless user is
specified in /etc/project, but once specified it works. It seems to me
setproject should do the same thing; otherwise I have no programming
API equivalent. I'm forced to have a SUID program do fork/exec, then
the new child process does the setproject while still having super-user
priv to make this work. Please correct me if I'm missing something.
My goal is to have various processes, all of the same user, end up in
different projects. I need to do this from a program not some
command-line mechanism.
Tom |
|
| Back to top |
|
|
Casper H.S. Dik
*nix forums Guru
Joined: 20 Feb 2005
Posts: 1634
|
| Posted: Fri Feb 04, 2005 3:25 pm Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
"Tom" <cube_384@yahoo.com> writes:
| Quote: | Thanks for the explanation. I'm sure Solaris 9 works just as you state,
but I'm not so sure that is the way it ought to work. I'll tell you,
the man page is VERY mis-leading.
Why should I bother to specify user_name as a valid member of the
project if only super-user can be used to successfully do anything with
this function? There isn't any way to specify another process id via
setproject's API, so it's dealing with the process making the call.
This just does not make sense to me.
|
Because the function is just initgroups(); it establish parts
of the user environment and process settings; a part which the users
are not allowed to control.
| Quote: | newtask(1) will not allow user to join a project unless user is
specified in /etc/project, but once specified it works. It seems to me
setproject should do the same thing; otherwise I have no programming
API equivalent. I'm forced to have a SUID program do fork/exec, then
the new child process does the setproject while still having super-user
priv to make this work. Please correct me if I'm missing something.
|
That is exactly what setproject() does. And it says so in the
manual page. The caller needs to be the superuser but which projects
the caller is restricted to is determined by the username argument; when
"username" is a user with uid 0 then there are no restrictions on
which projects the user can join.
| Quote: | My goal is to have various processes, all of the same user, end up in
different projects. I need to do this from a program not some
command-line mechanism.
|
Are you sure you don't just want to use tasks for this? Tasks
are meant for users to sub divide their processes in.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth. |
|
| Back to top |
|
|
Tom
*nix forums beginner
Joined: 10 Mar 2005
Posts: 14
|
| Posted: Fri Feb 04, 2005 4:29 pm Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
Casper H.S. Dik wrote:
| Quote: | Are you sure you don't just want to use tasks for this? Tasks
are meant for users to sub divide their processes in.
|
According to _System Admin Guide: Resource Mgmt & Network Services_ (p.
7 , tasks are created at login, by cron, newtask(1), and
setproject(3PROJECT). What other call(s) should I use?
To summarize, if I have a process starting up other processes, and I
want to divide those new processes into various projects so as to
control their usage, etc. that this manager process has to be SUID. A
new child process then calls setproject() or settaskid() to kick over
into the new project. That's the only way, right?
I really appreciate your time. I haven't been very successful finding
good information on these (relatively) new interfaces.
Tom |
|
| Back to top |
|
|
Casper H.S. Dik
*nix forums Guru
Joined: 20 Feb 2005
Posts: 1634
|
| Posted: Fri Feb 04, 2005 4:44 pm Post subject:
Re: Solaris 9 setproject(3PROJECT) Problem
|
|
|
"Tom" <cube_384@yahoo.com> writes:
| Quote: | To summarize, if I have a process starting up other processes, and I
want to divide those new processes into various projects so as to
control their usage, etc. that this manager process has to be SUID. A
new child process then calls setproject() or settaskid() to kick over
into the new project. That's the only way, right?
|
Typically, you'd use new tasks for that only an dnot projects; if
you insist on different projects, then yes, the process needs to
have sufficient privileges.
| Quote: | I really appreciate your time. I haven't been very successful finding
good information on these (relatively) new interfaces.
|
Which is a bug of sorts.
Casper |
|
| Back to top |
|
|
Google
|
|
| Back to top |
|
|
|
|
The time now is Fri Jan 09, 2009 11:10 am | All times are GMT
|
|
0 Credit Cards | Myspace Layouts | Online Loans | Web Hosting by Safehosting | Bankruptcy
|
|
Copyright © 2004-2005 DeniX Solutions SRL
|
|
|
|
Other DeniX Solutions sites:
Unix/Linux blog |
electronics forum |
medicine forum |
science forum |
|
|
Privacy Policy
|
Powered by phpBB © 2001, 2005 phpBB Group
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Forum index
»
*nix
»
Solaris
