Restricting commands & access

Dear all,
I am administering a DC environment of over 100+ Solaris servers used by various teams including Databases.

Every user created on the node belonging to databases is assigned group staff(10).

I want that all users belonging to staff should NOT be able to execute certain system commands like:

/usr/sbin/psrinfo -p
/usr/sbin/prtdiag 

etc.

Also they should not be able to access certain predefined folders like /var/tmp.

How can this be achieved?

Regards

Do you know what setuid and setgid are?

chmod o-x /usr/sbin/psrinfo /usr/sbin/prtdiag

This will deny execution rights for those two commands for everyone except for root and group that owns them.

And then be prepared to deal with a lot of broken applications, scripts, and utilities.

Restrict access to psrinfo and prtdiag?

Why?

"If I could only know how many CPUs were on this server, I could take over the world with my evil hacking schemes"?

As an alternative, you could use ACLs.

Note that Solaris by default uses NFSv4 ACLs which are a bit different than standard POSIX (Linux) ones.

Solaris is using NFSv4 ACLs on ZFS filesystems. On UFS filesystems standard ACLs are used.

As far as I know, ZFS has been an unofficial standard for global zones since 2007-2008.

Of course the poster might be using Solaris 8, 9 or a really outdated release of S10.

Anyway... another example of why it's important to be specific about the OS version. :)
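
The ACL alternative mentioned in the thread, as an added example that is not from any of the posters: a dry-run helper that prints the deny-execute command for group staff in the syntax matching the filesystem type. The function names are hypothetical, the `df -n` lines are constructed samples, and the `chmod A+` and `setfacl -m` forms should be checked against chmod(1) and setfacl(1) on the release in use.

```shell
#!/bin/sh
# Added example: build (not run) the ACL command that denies execute to one
# group, in the syntax matching the filesystem that holds the binary.

# Extract the filesystem type from one line of Solaris `df -n` output,
# which has the form "<mountpoint> : <fstype>".
fstype_from_df_n() {
    printf '%s\n' "$1" | awk -F: '{ gsub(/[ \t]/, "", $NF); print $NF }'
}

# acl_deny_exec_cmd <fstype> <group> <path>
# Prints the command to run as root; returns 1 for an unknown filesystem.
acl_deny_exec_cmd() {
    fstype=$1 group=$2 path=$3
    case $fstype in
        zfs)
            # NFSv4 ACLs are evaluated in order; A+ prepends, so the deny
            # entry is seen before the everyone@ allow entry.
            printf 'chmod A+group:%s:execute:deny %s\n' "$group" "$path" ;;
        ufs)
            # POSIX-draft ACL: a named group entry with no permissions.
            printf 'setfacl -m group:%s:--- %s\n' "$group" "$path" ;;
        *)
            printf 'unsupported filesystem type: %s\n' "$fstype" >&2
            return 1 ;;
    esac
}

# Constructed sample lines standing in for `df -n /usr/sbin` on two hosts.
for line in '/                  : zfs' '/usr               : ufs'; do
    fs=$(fstype_from_df_n "$line")
    for bin in /usr/sbin/psrinfo /usr/sbin/prtdiag; do
        acl_deny_exec_cmd "$fs" staff "$bin"
    done
done
```

Unlike `chmod o-x`, these entries target only members of staff and leave the owner, owning group and other bits as they were. After applying one, confirm the result with `ls -v` (ZFS) or `getfacl` (UFS).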