Re: (mis)using RBAC...

From: benjamin brumaire (benjamin_at_brumaire.biz)
Date: 04/14/05

  • Next message: Darren J Moffat: "Re: (mis)using RBAC..."
    Date: Thu, 14 Apr 2005 19:26:54 +0200
    To: Jonathan Katz <jonathan.katz@gmail.com>
    
    

    Jonathan Katz wrote:

    >All,
    >
    >I was recently charged with setting up RBAC so that the group I work
    >
    ...

    > I then added the role to my account on the server in /etc/user_attr:
    >jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
    >
    >
    >
    You added a rights profile. I miss the rights profile "All" in this entry.

    >4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
    >user account I can start and restart our webservers.
    >
    >My questions are, is this a normal practice (are there other people
    >doing it) and is it supported? What unintended consequences am I
    >missing? I understand that if a user's account is compromised, the
    >webserver services can be stopped and started at-will. I also
    >understand that our sysadmin group will be restricted to using
    >pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
    >leave those set, type 'exec pfsh' and then do what we need to do as
    >the Profile.)
    >
    >
    >
    It looks valid to me. To avoid errors you should use usermod,
    smprofile, etc. to modify the RBAC databases.
    Another way, perhaps less invasive, is to use pfsh as the interpreter in
    the start/stop scripts or to use a "pf" wrapper to call them.

    On Solaris 10 you should try to give the http daemon the privilege to
    open privileged ports ("PRIV_NET_PRIVADDR") so it doesn't need to be started
    as root :)

    regards
    benjamin
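Benjamin's point about the missing "All" rights profile can be checked mechanically. The following is an added example, not code from this thread: it parses constructed /etc/user_attr lines and flags accounts whose profile list lacks "All" or does not list it last (the names parse_user_attr, profiles_of and audit are chosen here).

```python
# Added example (not from the original thread): audit Solaris /etc/user_attr
# entries. Each line is user:qualifier:res1:res2:attr, where attr holds
# ';'-separated key=value pairs and the "profiles" value is an ordered,
# ','-separated list of rights profiles. The sample below is constructed.

SAMPLE_USER_ATTR = """\
# /etc/user_attr (constructed sample)
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
webadm::::type=normal;profiles=Web Administration,Basic Solaris User,All
opsrole::::type=role;profiles=All,Web Administration
"""


def parse_user_attr(text):
    """Return {user: {key: value}} for every non-comment, non-empty line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError("malformed user_attr line: %r" % line)
        attrs = {}
        for pair in filter(None, fields[4].split(";")):
            key, _, value = pair.partition("=")
            attrs[key] = value
        entries[fields[0]] = attrs
    return entries


def profiles_of(attrs):
    """Ordered list of rights profiles assigned in one user_attr entry."""
    return [p for p in attrs.get("profiles", "").split(",") if p]


def audit(text, required="All"):
    """Map user -> finding for entries whose profile list is unusable.

    A profile shell (pfsh/pfksh/pfcsh) only runs commands found in one of the
    account's rights profiles. Without "All" the account cannot run ordinary
    commands at all; "All" must be last so that the more specific profiles
    (and their uid/privilege attributes in exec_attr) are matched first.
    """
    findings = {}
    for user, attrs in parse_user_attr(text).items():
        profs = profiles_of(attrs)
        if required not in profs:
            findings[user] = "profile %r missing: %s" % (required, profs)
        elif profs[-1] != required:
            findings[user] = "profile %r should be last: %s" % (required, profs)
    return findings
```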

