I am referring to Bill Calkins (SCSA exam prep) for RBAC. Actually, I wanted to make a normal user get the privilege to run a command through authorization, not through profile files...
These are the exact steps given by Bill Calkins...
You need to take the role "adminuser", as far as I know... try "su - adminuser" and test again.
To keep the forums high quality for all users, please take the time to format your posts correctly.
First of all, use Code Tags when you post any code or data samples so others can easily read your code. You can easily do this by highlighting your code and then clicking on the # in the editing menu. (You can also type the code tags [code] and [/code] by hand.)
Second, avoid adding color or different fonts and font sizes to your posts. Selective use of color to highlight a single word or phrase can be useful at times, but using color in general makes the forums harder to read, especially bright colors like red.
Third, be careful when you cut and paste, edit any odd characters, and make sure all links are working properly.
It isn't required to use pfexec here. However, the book example just doesn't allow rebooting, as it doesn't apply to stock Solaris but only to the Trusted Solaris extension.
So I don't know how you managed that; I suspect that the execution attribute has not been given correctly for your role, so it can't execute "shutdown",
but the example shown below works 100%:
```text
login as: testuser
Using keyboard-interactive authentication.
Password:
Last login: Mon Jul 20 12:36:57 2009 from 10.10.1.231
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ su - shutdown
Password:
$ /usr/sbin/shutdown
Shutdown started. Mon Jul 20 12:53:22 GET 2009
Broadcast Message from root (pts/2) on gantek4 Mon Jul 20 12:53:22...
The system gantek4 will be shut down in 1 minute
showmount: gantek4: RPC: Program not registered
Broadcast Message from root (pts/2) on gantek4 Mon Jul 20 12:53:52...
The system gantek4 will be shut down in 30 seconds
```
No, it simply can't work. The book example is wrong in the sense that authorizations can't grant a role the ability to shut down with regular Solaris.
The workaround is to use profiles, like you do.
samar and jlliagre, thanks for your valuable time...
I understand the need for entries in /etc/security/prof_attr and /etc/security/exec_attr, but let me ask you: suppose I do it this way:
```text
vi /etc/security/prof_attr
shut:::Shut down the system:
vi /etc/security/exec_attr
shut:suser:cmd:::/usr/sbin/shutdown:uid=0
```
(Note that the profile is not being given the auths=solaris.system.shutdown attribute.)
It works perfectly even without any authorization... then where does the need for the -A switch arise? This is the question I was trying to get an answer to for the whole of five hours yesterday; that is the reason why I wanted to create a role and user with just entries in /etc/user_attr instead of /etc/security/prof_attr and /etc/security/exec_attr.
Kindly help me out...!
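How those three entries get resolved, as an added example that is not part of this thread or of the book: a POSIX shell script that builds constructed copies of user_attr, prof_attr and exec_attr (the "shut" profile and its exec_attr line as posted above, plus a made-up "adminuser" role carrying auths=solaris.system.shutdown the way a roleadd -A would record it) and then walks user -> role -> profile -> exec_attr to show where the uid=0 grant for /usr/sbin/shutdown actually comes from. The file contents, the role and user names and the helper functions are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve what a Solaris RBAC principal
# can run through its profiles, using constructed copies of the RBAC databases.
# Every entry, name and helper below is an assumption made for the demo.
set -eu

RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT

# user_attr: user/role -> type, roles, profiles, auths (constructed entries).
# "adminuser" carries auths= the way the book's roleadd -A would record it.
cat > "$RBAC_DIR/user_attr" <<'EOF'
testuser::::type=normal;roles=shutdown,adminuser
shutdown::::type=role;profiles=shut
adminuser::::type=role;profiles=shut;auths=solaris.system.shutdown
EOF

# prof_attr: the "shut" profile exactly as in the post, with no auths= field.
cat > "$RBAC_DIR/prof_attr" <<'EOF'
shut:::Shut down the system:
EOF

# exec_attr: profile -> command -> attributes; this is where uid=0 is granted.
cat > "$RBAC_DIR/exec_attr" <<'EOF'
shut:suser:cmd:::/usr/sbin/shutdown:uid=0
EOF

# rbac_attr FILE NAME KEY: value of KEY in NAME's "key=val;key=val" attribute
# field (the last colon-separated field of user_attr and prof_attr).
rbac_attr() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == key) print p[2]
            }
        }' "$RBAC_DIR/$1"
}

# profile_cmds PRINCIPAL: "command attributes" for every cmd entry in
# exec_attr that belongs to one of PRINCIPAL's own profiles.  A user who only
# holds roles gets nothing here; it has to su to the role first.
profile_cmds() {
    profs=$(rbac_attr user_attr "$1" profiles)
    [ -n "$profs" ] || return 0
    echo "$profs" | tr ',' '\n' | while read -r prof; do
        awk -F: -v prof="$prof" \
            '$1 == prof && $3 == "cmd" { print $6, $7 }' "$RBAC_DIR/exec_attr"
    done
}

# has_auth PRINCIPAL AUTH: does PRINCIPAL hold AUTH, either in its own
# user_attr auths= field or via the auths= field of one of its profiles?
# profile_cmds never consults this: the command grant and the authorization
# are stored and looked up independently.
has_auth() {
    for a in $(rbac_attr user_attr "$1" auths | tr ',' ' '); do
        [ "$a" = "$2" ] && return 0
    done
    for prof in $(rbac_attr user_attr "$1" profiles | tr ',' ' '); do
        for a in $(rbac_attr prof_attr "$prof" auths | tr ',' ' '); do
            [ "$a" = "$2" ] && return 0
        done
    done
    return 1
}

# Walk the three principals: the plain user, the role without the auth and
# the role with it.  Both roles resolve to the same uid=0 command.
for principal in testuser shutdown adminuser; do
    echo "== $principal =="
    echo "roles:     $(rbac_attr user_attr "$principal" roles)"
    echo "profiles:  $(rbac_attr user_attr "$principal" profiles)"
    echo "commands:  $(profile_cmds "$principal")"
    if has_auth "$principal" solaris.system.shutdown; then
        echo "solaris.system.shutdown: yes"
    else
        echo "solaris.system.shutdown: no"
    fi
done
```

Run it with `sh` anywhere with awk; it never touches the real /etc/security files. The "shutdown" and "adminuser" roles both resolve /usr/sbin/shutdown with uid=0 from the exec_attr line, and only the auths= field differs between them. On a real Solaris host the equivalent checks are `profiles -l shutdown` (profiles and their exec_attr commands) and `auths shutdown` (authorizations), run for the role name.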
Actually, here you do have an authorization :))) In Solaris RBAC there are predefined authorizations. You can't modify them as you did with prof_attr and exec_attr.
In your situation the "shutdown" authorization works:
```text
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html
```
Look at your /etc/security/auth_attr; your role adminusr takes its authorization from that file. (This file, auth_attr, is not only for roles; it gives users definite rights as well.)
Thanks samar,
but sorry to ask you again: if authorization is predefined, why the need for the -A switch in roleadd, and why did Bill Calkins mention it explicitly? Please don't get irritated with my question... thanks.
My understanding is that these authorizations were really meant for the Secure Extensions and are now obsolete. They simply seem to be of no use in Solaris 10/OpenSolaris. I have found no reference to them outside their declaration in the OpenSolaris source code.