Hello,

I got many answers. Special thanks to Charles Morris, Ryan A. Krenzis, Brad Morrison.

There was an idea to use a profile shell to execute the user shell with the UID and GID of the user by passing uid, gid parameters to exec_attr. A profile shell doesn't require the user to provide a password. I faced some difficulties while implementing it - I didn't find how to execute a certain shell with pfexec if you have 2 similar commands differing only by uid, gid.

Another solution was to use kerberized su (ksu). Again, Kerberos is too powerful to use to achieve my goal. In addition, whenever a user principal assumes the identity of another user principal, he/she can add unwanted entries to .k5login.

There could be an option to write or port a PAM module from Linux which allows doing su to superuser to a certain group, defined in the PAM config. In fact I didn't find a similar module for Solaris.

The OpenSolaris RBAC project raised an excellent objective to implement arguments for RBAC, however it may take quite a long time for it to appear in Solaris.

At the moment there is no complete alternative for sudo, because of its ability to take command arguments, so I have to keep using it.

On 14/04/08 12:34 +0300, aleks.feltin@sunsetwireless.fi wrote:
>Hi Managers,
>
>I am implementing RBAC on Solaris 10. I wonder what the possibilities to run
>passwordless su to assume identities of certain users without providing the
>password are. RBAC has to replace sudo in future, however at the moment, the
>only possibility to use su without password is doing it through sudo. That is
>the biggest obstacle to completely switch to RBAC from sudo.
>
>--
>A

--
A
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Apr 17 03:39:58 2008
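
As an added example (not part of the original message, and not Solaris code): a small Python check over entries in exec_attr format that flags a command granted by more than one profile with different uid/gid attributes, which is the situation the summary describes. The profile names, users, groups and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in exec_attr(4) format: name:policy:type:res1:res2:id:attr
# Profile names, users and groups are made up for this example.
SAMPLE_EXEC_ATTR = """\
# constructed sample
Become Oracle:suser:cmd:::/usr/bin/bash:uid=oracle;gid=dba
Become Webadm:suser:cmd:::/usr/bin/bash:uid=webadm;gid=web
Log Rotate:suser:cmd:::/usr/sbin/logadm:euid=0
"""

# Identity attributes that decide whom the command runs as.
ID_KEYS = ("uid", "euid", "gid", "egid")


def parse_exec_attr(text):
    """Yield (profile, policy, command, attrs) for each cmd entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, policy, typ, _res1, _res2, cmd, attr = fields
        if typ != "cmd":
            continue
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        yield name, policy, cmd, attrs


def conflicting_commands(text):
    """Map command path -> [(profile, identity)] where the identities differ."""
    seen = defaultdict(list)
    for name, _policy, cmd, attrs in parse_exec_attr(text):
        ident = tuple((k, attrs[k]) for k in ID_KEYS if k in attrs)
        seen[cmd].append((name, ident))
    return {cmd: entries for cmd, entries in seen.items()
            if len({ident for _name, ident in entries}) > 1}


if __name__ == "__main__":
    for cmd, entries in conflicting_commands(SAMPLE_EXEC_ATTR).items():
        print(f"{cmd} is granted with different identities:")
        for profile, ident in entries:
            print(f"  {profile}: {dict(ident)}")
```
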