Solaris 11 /proc permission denied
I have a Solaris 11.1 server running an Oracle database. I want to read the environment of a running oracle process, as the oracle user, like this:
$ id
uid=100(oracle) gid=100(oinstall)
$ ps -fuoracle | grep pmon
oracle 1651 1 0 10:25:37 ? 0:01 ora_pmon_TESTDB
$ pargs -e 1651
pargs: cannot examine 1651: permission denied
$ ls -ld /proc/1651
dr-x--x--x 5 oracle oinstall 864 Nov 23 10:25 /proc/1651
How can I grant permissions for oracle to read processes that it already owns?
To answer Iain's question, the files under the PID directory have varied permissions, but are all still owned by oracle:oinstall, like this:
dr-x------ 2 oracle oinstall 32 Nov 23 10:25 contracts
-r-------- 1 oracle oinstall 36 Nov 23 10:25 cred
--w------- 1 oracle oinstall 0 Nov 23 10:25 ctl
lr-x------ 1 oracle oinstall 0 Nov 23 10:25 cwd ->
dr-x------ 2 oracle oinstall 528 Nov 23 10:25 fd
-r-------- 1 oracle oinstall 0 Nov 23 10:25 ldt
-r--r--r-- 1 oracle oinstall 120 Nov 23 10:25 lpsinfo
-r-------- 1 oracle oinstall 816 Nov 23 10:25 lstatus
-r--r--r-- 1 oracle oinstall 536 Nov 23 10:25 lusage
dr-xr-xr-x 3 oracle oinstall 64 Nov 23 10:25 lwp
-r-------- 1 oracle oinstall 9504 Nov 23 10:30 map
dr-x------ 2 oracle oinstall 1824 Nov 23 10:25 object
-r-------- 1 oracle oinstall 258800 Nov 23 10:25 pagedata
dr-x------ 2 oracle oinstall 2352 Nov 23 10:25 path
-r-------- 1 oracle oinstall 72 Nov 23 10:25 priv
-r--r--r-- 1 oracle oinstall 336 Nov 23 10:25 psinfo
-r-------- 1 oracle oinstall 9504 Nov 23 10:25 rmap
lr-x------ 1 oracle oinstall 0 Nov 23 10:25 root ->
-r-------- 1 oracle oinstall 2304 Nov 23 10:25 sigact
-r-------- 1 oracle oinstall 1136 Nov 23 10:25 status
-r--r--r-- 1 oracle oinstall 256 Nov 23 10:25 usage
-r-------- 1 oracle oinstall 0 Nov 23 10:25 watch
-r-------- 1 oracle oinstall 119016 Nov 23 10:25 xmap
Solaris uses now sets of privileges (see: 'man privileges' na 'man ppriv'). The pargs command could have inherited less privileges (from the shell) then the examined process 1651 had as effective. In effect it caused denying of permissions.
To examine process privileges one can use ppriv command:
ppriv -v ...
To set:
ppriv -s... ...
To list all privileges with their descriptions:
ppriv -lv
To see why there is a problem you could then use:
ppriv -D -e pargs -e 1651