Re: (mis)using RBAC...
From: benjamin brumaire (benjamin_at_brumaire.biz)
Date: Thu, 14 Apr 2005 19:26:54 +0200 To: Jonathan Katz <firstname.lastname@example.org>
Jonathan Katz schrieb:
>I was recently charged with setting up RBAC so that the group I work
> I then added the role to my account on the server in /etc/user_attr:
>jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
you added a right profile. I missed the right profile "All" in this entry.
>4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
>user account I can start and restart our webservers.
>My questions are, is this a normal practice (are there other people
>doing it) and is it supported? What unintended consequences am I
>missing? I understand that if a user's account is compromised, the
>webserver services can be stopped and started at-will. I also
>understand that our sysadmin group will be restricted to using
>pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
>leave those set, type 'exec pfsh' and then do what we need to do as
It looks valid to me . To avoid error you should use usermod,
smprofile, etc ... to modify the RBAC databases.
Another way, less invasive perhaps, is to use pfsh as interpreter in
the start/stop script or use a "pf" wrapper to call them.
On Solaris10 you should try to give the http daemon the privilege to
open privileged port "PRIV_NET_PRIVADDR" so it doens't need to be start
as root :)