Assign Superuser rights to normal user

tuxian · April 28, 2011, 9:51pm

Hi,

It's actually strange, but Is there any way through which I can assign super user rights to normal user.
Actually su/sudo/rbac does solve these but switching id is the problem for an application.

For eg: $dladm show-dev
insufficient priviliges.

Is there any way to get it done ?

Also I tried adding user with 0 uid & gid (same as root) but it won't accept password.If I change that ID to above 100, password works

Thanks a lot

petervg · April 29, 2011, 3:13am

Tuxian,

Take a look at privileges and the ppriv command in Solaris 10.

You can use RBAC to assign privileges to regular users. Be aware that this might compromise some (all) of your security.

--Peter

jlliagre · April 29, 2011, 4:22am

This should work. Aliasing the root account is a common practice. I guess you incorrectly created that alias. One way to fix it would be to run as root these commands, assuming altroot is the new username with a userid equal to 0:

pwconv
passwd altroot

tuxian · April 29, 2011, 7:53am

Thanks I will have a look on same.I will ping here if have any query.:rolleyes:

jlliagre:

This should work. Aliasing the root account is a common practice. I guess you incorrectly created that alias. One way to fix it would be to run as root these commands, assuming altroot is the new username with a userid equal to 0:
pwconv
passwd altroot

Thanks a lot
Actually direct root login was disabled hence it was givin access denied,its letting in after doing su

fpmurphy · April 29, 2011, 8:53am

RBAC will solve the problem for you without compromising security. Much better that sudo.

See Solaris RBAC Elements and Basic Concepts (System Administration Guide: Security Services)

jlliagre · April 29, 2011, 9:06am

@tuxian: it would help if you tell why you want to grant some privileges in the first place, and specifically what specific ones. There are plenty of ways to grant some or all privileges to a user but the best practice is to grant only the least privileges required, not all of them.

tuxian · May 3, 2011, 1:30am

Hi,
Thanks for link.

I am trying to configure RBAC just for testing purpose.
Steps Performed

1)Added User & Set Password- nachiket
2)Added Role & Set Password - opsrole
 
3)Edited /etc/security/prof_attr 
SoftAdd:::Soft Addition & Removal:
 
4)Edited /etc/security/exec_attr
SoftAdd:suser:cmd:::/usr/bin/ln:euid=0
SoftAdd:suser:cmd:::/usr/bin/pkginfo:uid=0
SoftAdd:suser:cmd:::/usr/bin/pkgmk:uid=0
SoftAdd:suser:cmd:::/usr/bin/pkgparam:uid=0
SoftAdd:suser:cmd:::/usr/bin/pkgproto:uid=0
SoftAdd:suser:cmd:::/usr/bin/pkgtrans:uid=0
SoftAdd:suser:cmd:::/usr/bin/prodreg:uid=0
SoftAdd:suser:cmd:::/usr/ccs/bin/make:euid=0
SoftAdd:suser:cmd:::/usr/sbin/install:euid=0
SoftAdd:suser:cmd:::/usr/sbin/patchadd:uid=0
SoftAdd:suser:cmd:::/usr/sbin/patchrm:uid=0
SoftAdd:suser:cmd:::/usr/sbin/pkgadd:uid=0;gid=bin
SoftAdd:suser:cmd:::/usr/sbin/pkgask:uid=0
SoftAdd:suser:cmd:::/usr/sbin/pkgchk:uid=0
SoftAdd:suser:cmd:::/usr/sbin/pkgrm:uid=0;gid=bin
 
5)rolemod -P SoftAdd,All opsrole
 
6)usermod -R opsrole nachiket
 
7)tail -2 /etc/user_attr
opsrole::::type=role;profiles=SoftAdd,All
nachiket::::type=normal;roles=opsrole

When I am running below command as a role getting error

jlliagre · May 3, 2011, 2:58am

You need to "su" to the opsrole first and/or use "pfexec pkgadd ..."

tuxian · May 3, 2011, 4:37am

Yup it's working through pfexec