anyone have any idea how to do this with auth_attr?
I suspect if I grant him
solaris.device.:RO::Device Allocation::help=DevAllocHeader.html
that will work but I'm unsure. Just looking for a second opinion.
Granting access to a specific command in a very exact way is the sort of thing I'd use sudo for. A script that does exactly what you want, which you can grant access to specifically.
Thanks but I'm trying to do this within the framework of user_attr, exec_attr.
Enable format command like this :
echo "formaters:::Format command for formaters:" >> /etc/security/prof_attr
echo "formaters:suser:cmd:::/usr/sbin/format:euid=0" >> /etc/security/exec_attr
# in /etc/user_attr modify the line to add the profile or use usermod command.
john::::type=normal;defaultpriv=basic;profiles=formaters
Remember, the user (in this case john) will have to use a pf shell (defined in /etc/passwd or with the usermod command).
If you want the user to look at the output of the format command and not modify disks, you can use root cron to make a list file at intervals you like (echo | format > /path/to/format_output.txt) and make it readable to them.
Hope that helps
Regards
Peasant.
wouldn't he be able to do pfksh to do this as well?
that's exactly what I was looking for by the way....
thanks.
User can use any pf shell (pfksh, pfbash, pfsh)
Regards.
so I tried to do a variation of this
echo "formaters:::Format command for formaters:" >> /etc/security/prof_attr
echo "formaters:suser:cmd:::/export/home/john/format_echo.sh:euid=0" >> /etc/security/exec_attr
# in /etc/user_attr modify the line to add the profile or use usermod command.
john::::type=normal;defaultpriv=basic;profiles=formaters
where format_echo.sh is
#!/usr/bin/pfbash
echo|format
file is 755 and owned by root:johns_group
I've tried to execute the .sh script as john using both pfexec and pfbash and get the following output:
john@solaris:~$ ./format_echo.sh
Searching for disks...done
No permission (or no disks found)!
I suspect this is because the same issue still applies in that the user doesn't have access to run format. correct?
You need to change your script shebang to use the "-p" option for the effective user id to be set:
$ cat /etc/release
Oracle Solaris 11.2 X86
Copyright (c) 1983, 2014, Oracle and/or its affiliates. All rights reserved.
Assembled 23 June 2014
$ cat format_echo.sh
#!/bin/ksh -p
echo|format
$ tail -1 /etc/security/exec_attr
formaters:suser:cmd:::/export/home/user1/format_echo.sh:euid=0
$ tail -1 /etc/user_attr
user1::::type=normal;defaultpriv=basic;profiles=formaters
$ tail -1 /etc/security/prof_attr
formaters:::Format command for formaters:
$ ./format_echo.sh
Searching for disks...done
No permission (or no disks found)!
$ pfexec ./format_echo.sh
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c1t0d0 <ATA-VBOX HARDDISK-1.0-16.00GB>
/pci@0,0/pci8086,2829@d/disk@0,0
Specify disk (enter its number): Specify disk (enter its number):
user1@solaris:~$ cat /etc/release
Oracle Solaris 11.2 SPARC
Copyright (c) 1983, 2015, Oracle and/or its affiliates. All rights reserved.
Assembled 17 March 2015
user1@solaris:~$ cat format_echo.sh
#!/bin/ksh -p
echo|format
user1@solaris:~$ grep formaters /etc/security/exec_attr
formaters:suser:cmd:::/export/home/user1/echo_format.sh:euid=0
user1@solaris:~$ grep user1 /etc/user_attr
user1::::profiles=formaters,Oracle Backup;type=role;roleauth=role
user1@solaris:~$ grep formaters /etc/security/prof_attr
formaters:::Format command for formaters:
user1@solaris:~$ ./format_echo.sh
Searching for disks...done
No permission (or no disks found)!
user1@solaris:~$ pfexec ./format_echo.sh
Searching for disks...done
No permission (or no disks found)!
Wrong pathname in exec_attr ...
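The two failures in this thread (a script that ran without the granted euid, and an exec_attr entry pointing at a file name that does not exist) are both things that can be checked mechanically before asking the user to try pfexec. The script below is an added example, not something posted in the thread or shipped with Solaris: it cross-checks a profile across prof_attr, exec_attr and user_attr in the same way Peasant's recipe wires them together, and it reproduces the echo_format.sh / format_echo.sh mismatch in constructed copies of the three files under a temporary directory. The ROOT parameter, the file names and the user1 entries are assumptions for the demonstration; on a real host you would point it at /etc/security/prof_attr, /etc/security/exec_attr and /etc/user_attr.

```shell
#!/bin/sh
# Added example, not code from the thread or from Solaris: cross-check a
# Solaris RBAC profile across prof_attr, exec_attr and user_attr so that a
# pathname typo (echo_format.sh vs format_echo.sh) or a script whose
# interpreter drops the granted euid is reported before anyone runs pfexec.

# Constructed sample reproducing the state shown above: exec_attr names
# echo_format.sh while the script on disk is format_echo.sh. A corrected
# copy of exec_attr sits beside it for comparison.
WORK=$(mktemp -d)
mkdir -p "$WORK/export/home/user1"
echo 'formaters:::Format command for formaters:' > "$WORK/prof_attr"
echo 'formaters:suser:cmd:::/export/home/user1/echo_format.sh:euid=0' > "$WORK/exec_attr"
echo 'formaters:suser:cmd:::/export/home/user1/format_echo.sh:euid=0' > "$WORK/exec_attr.fixed"
echo 'user1::::type=normal;defaultpriv=basic;profiles=formaters' > "$WORK/user_attr"
printf '#!/bin/ksh -p\necho|format\n' > "$WORK/export/home/user1/format_echo.sh"
chmod 755 "$WORK/export/home/user1/format_echo.sh"

# check_rbac_profile PROFILE USER SCRIPT PROF_ATTR EXEC_ATTR USER_ATTR [ROOT]
# Returns 0 when the profile is defined in prof_attr, user_attr assigns it to
# USER, exec_attr has a cmd entry whose pathname equals SCRIPT, and that file
# exists, is executable and is started with an interpreter given -p (the fix
# from the thread: without -p ksh/bash reset the euid that exec_attr grants).
# ROOT is an assumed prefix so the check can run against constructed copies.
check_rbac_profile() {
    profile=$1 user=$2 script=$3 prof=$4 eattr=$5 uattr=$6 root=${7:-}
    rc=0
    grep -q "^$profile:" "$prof" || { echo "profile '$profile' not in $prof"; rc=1; }

    # user_attr layout: name:qualifier:res1:res2:attr; profiles= is in field 5
    profiles=$(awk -F: -v u="$user" '$1==u {print $5; exit}' "$uattr" |
               tr ';' '\n' | sed -n 's/^profiles=//p')
    case ",$profiles," in
        *",$profile,"*) ;;
        *) echo "user '$user' does not carry profile '$profile' in $uattr"; rc=1 ;;
    esac

    # exec_attr layout: name:policy:type:res1:res2:id:attr; pathname is field 6
    path=$(awk -F: -v p="$profile" '$1==p && $3=="cmd" {print $6; exit}' "$eattr")
    if [ -z "$path" ]; then
        echo "no cmd entry for profile '$profile' in $eattr"; rc=1
    else
        [ "$path" = "$script" ] ||
            { echo "exec_attr pathname '$path' differs from script '$script'"; rc=1; }
        if [ -x "$root$path" ]; then
            case "$(head -n 1 "$root$path")" in
                '#!'*' -p'*) ;;
                *) echo "'$path' is not started with an interpreter given -p"; rc=1 ;;
            esac
        else
            echo "exec_attr pathname '$path' is not an executable file"; rc=1
        fi
    fi
    return $rc
}

# Run the check against the broken and the corrected exec_attr copies.
for f in exec_attr exec_attr.fixed; do
    if check_rbac_profile formaters user1 /export/home/user1/format_echo.sh \
        "$WORK/prof_attr" "$WORK/$f" "$WORK/user_attr" "$WORK"; then
        echo "$f: consistent"
    else
        echo "$f: inconsistent"
    fi
done
```

The first run reports the exec_attr pathname as missing on disk and different from the script, the second passes. Two caveats when pointing it at a live system: the check only reads the local files, so profiles delivered through a name service (LDAP) are not seen, and a consistent set of entries still has to be confirmed with pfexec as the user, since the script does not evaluate the policy column or the user's shell.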
Thanks, forest for the trees and all that...