How to limit patchadd command to root user only?

I'm running a Solaris 10 5/09 server. I have 2 users other than root, one being able to use the patchadd command and one unable to do so. What I'm trying to do is to limit the patchadd command so that only root is able to run it.

Obviously those users have root access, correct? --

pfexec [do something as root user]

If you want them to continue doing system work, it may be difficult to prevent them from re-granting access that could possibly deny.

Please post the /etc/user_attr entries for those two other users.

Is there any way I can check if they have root/admin access?

Sorry, I forgot to mention those user accounts are my own.
One of them can simply #patchadd and patchadd will execute; the other will get a #patchadd:not found.
/etc/user_attr entries are identical for both users:
#
# /etc/user_attr
# execution attributes for profiles. see user_attr(4)
#ident "@ (#)user_attr 1.1 07/01/31 SMI"
adm:::: profiles=Log Management
lp:::: profiles=Printer Management
postgres::::type=role;profiles=Postgres Administration,All
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high

I do not understand. Based on your post, root & postgres could use patchadd.

Are you trying to limit the root user? Don't do that.

Better yet, what are you trying to do, exactly? I'm confused.

No I'm not trying to limit the root user.

I'm trying to ensure only the root user has the ability to run the patchadd command.

However, for some reason one of my user accounts is able to run patchadd and I'm trying to remove the permission.

Hi Jim, I managed to figure it out. Turns out I can simply modify the permission at /usr/sbin/pkgadd instead of patchadd. Thanks for your help anyway!

So what's the difference between changing permissions on pkgadd and patchadd, i.e. couldn't you have sorted it out by changing perms on patchadd?

I tried chmod on patchadd; it didn't work. Anyway, patchadd is a link; if you list it you will notice an l in front of the permission, while a directory will have a d in front.

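Added example, not written by any poster in this thread: a POSIX sh sketch that follows a command path through symbolic links using only ls and sed, then reports from the mode string whether group or other users may execute the real file. The function names are hypothetical, and it inspects mode bits only, not ACLs or RBAC profiles.

```shell
#!/bin/sh
# Added example: find the real file behind a command and see who may run it.

# resolve_link PATH: print the final non-symlink path (gives up after 16 hops).
resolve_link() {
    p=$1
    hops=0
    while [ -h "$p" ]; do
        hops=$((hops + 1))
        [ "$hops" -gt 16 ] && return 1
        # "ls -ld" prints "name -> target" for a symbolic link.
        target=$(ls -ld "$p" | sed 's/.* -> //')
        case $target in
            /*) p=$target ;;                    # absolute target
            *)  p=$(dirname "$p")/$target ;;    # relative to the link's directory
        esac
    done
    printf '%s\n' "$p"
}

# exec_scope PATH: print "world", "group" or "owner-only" for the real file.
exec_scope() {
    real=$(resolve_link "$1") || return 1
    # First 10 characters of the listing, e.g. "-r-xr-xr-x".
    mode=$(ls -ld "$real" | cut -c1-10)
    case $mode in
        ?????????[xt]) echo world ;;        # "other" execute bit set
        ??????[xs]???) echo group ;;        # "group" execute bit set
        *)             echo owner-only ;;
    esac
}

# Report on any paths given on the command line, e.g. /usr/sbin/patchadd.
if [ "$#" -gt 0 ]; then
    for cmd in "$@"; do
        printf '%s -> %s (%s)\n' "$cmd" "$(resolve_link "$cmd")" "$(exec_scope "$cmd")"
    done
fi
```

A result other than owner-only on a root-owned file means non-root accounts can start the program, whatever name they reach it by.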