Thursday Apr 04, 2013

mdb ::if

The Solaris mdb(1) live and post-mortem debugger gained a really powerful new dcmd called ::if in the Solaris 11.1 release.

As a very quick example of how powerful it can be, here is a short one-liner to find all the running processes whose real uid differs from their effective uid (the `<>` operator is "not equal"):

> ::ptree | ::if proc_t p_cred->cr_ruid <> p_cred->cr_uid | ::print proc_t p_user.u_comm

Or a similar one, this time using the `&` bit-test operator, to find all the privilege-aware processes, with some of the output shown:

> ::ptree | ::if proc_t p_cred->cr_priv.crpriv_flags & 0x0002 | ::print proc_t p_user.u_comm
p_user.u_comm = [ "su" ]
p_user.u_comm = [ "nfs4cbd" ]
p_user.u_comm = [ "lockd" ]
p_user.u_comm = [ "nfsmapid" ]
p_user.u_comm = [ "statd" ]
p_user.u_comm = [ "nfs4cbd" ]
...

The new ::if is very powerful and can do much more advanced things than my simple examples, such as substring comparison, but I chose examples that are useful to me and relevant to security.
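To turn the two pipelines above into a repeatable check, here is an added sh wrapper (not part of the original post) that feeds them to `mdb -k` on the live kernel and also prints each matching pid. It assumes a Solaris 11.1 or later mdb with ::if, that `p_pidp->pid_id` is the pid member reachable from `proc_t`, and that the caller has the privilege needed to open the live kernel.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the post's two ::if
# pipelines so they can be run as one audit against the live kernel.
# Assumption: proc_t.p_pidp->pid_id is the process id (labelled as assumed).

# Emit the mdb script. Each ::if filter is followed by a ::print that shows
# the pid and the command name of every process that passed the filter.
build_mdb_script() {
    # Check 1: real uid differs from effective uid (setuid-style processes)
    printf '%s\n' \
        '::ptree | ::if proc_t p_cred->cr_ruid <> p_cred->cr_uid | ::print proc_t p_pidp->pid_id p_user.u_comm'
    # Check 2: privilege-aware processes, bit 0x0002 of crpriv_flags as in the post
    printf '%s\n' \
        '::ptree | ::if proc_t p_cred->cr_priv.crpriv_flags & 0x0002 | ::print proc_t p_pidp->pid_id p_user.u_comm'
}

# Feed the script to mdb on the live kernel; the same script can be pasted
# into an mdb session opened on a crash dump instead.
run_audit() {
    build_mdb_script | mdb -k
}

# Only run mdb when explicitly asked, so the functions can be sourced or tested
# on a machine without Solaris.
if [ "$1" = "live" ]; then
    run_audit
fi
```

Running `sh audit.sh live` prints the pid and u_comm pairs for each check in turn.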

About

DarrenMoffat
