SUMMARY: Solaris 10 RBAC issue

From: Aleks Feltin <aleks.feltin_at_sunsetwireless.fi>
Date: Mon Nov 24 2008 - 12:15:52 EST
The answer from Charles Morris helped to solve my issue, so credit goes to him.

>Aleks,
>try this in /etc/security/exec_attr:
>
>Very Restricted User:suser:cmd:::/usr/bin/id:privs=file_dac_execute
>Very Restricted User:suser:cmd:::/usr/bin/svcs:privs=file_dac_execute,file_dac_read,sys_devices,proc_lock_memory,proc_priocntl
>
>The privs might not be quite right (I got them through experimentation).


On 24/11/08 10:48 +0200, Aleks Feltin wrote:
>Hello Managers,
>
>I am trying to build a very restrictive environment to allow execution only of
>certain commands.
>Implementing everything with RBAC. Here is what I have done so far:
>
>1. created profile "Very Restricted User":
>   Very Restricted User:::limited set of commands:help=nohelp.html
>
>2. Mapped execution attributes to profile:
>   Very Restricted User:suser:cmd:::/usr/bin/id
>   Very Restricted User:suser:cmd:::/usr/bin/svcs
>
>3. Commented out "PROFS_GRANTED=Basic Solaris User" from
>/etc/security/policy.conf
>
>4. Created user "numb" with profile "Very Restricted User" and shell
>/bin/pfksh
>
>%profiles -l numb
>
>      Very Restricted User:
>          /usr/bin/id
>          /usr/bin/svcs
>
>I cannot execute any of these commands. For each attempt I get a "not found"
>error, even if I have the paths in my env.
>
>%su - numb
>{:/export/home/numb::88} echo $PATH
>/bin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin
>{:/export/home/numb::89}
>{:/export/home/numb::89} /usr/bin/id
>pfksh: /usr/bin/id:  not found
>{:/export/home/numb::90} /usr/bin/svcs
>pfksh: /usr/bin/svcs:  not found
>
>What did I miss here?
>
>thanks in advance,
>
>Aleks F.
>

--
A
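Added example, not from this thread and not Solaris's own tooling: a small POSIX sh/awk lint for /etc/security/exec_attr. It checks the seven-field format documented in exec_attr(4) (name:policy:type:res1:res2:id:attr), flags commands a profile lists with an empty attribute field, and extracts the privs= value a command carries. The function names are mine, and the two sample files are constructed from the entries in this thread: the poster's original two lines and the two lines from Charles Morris's reply.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for /etc/security/exec_attr.
# exec_attr(4) documents seven colon-separated fields:
#   name:policy:type:res1:res2:id:attr
# Function names and the sample files below are constructed for this example.

# Report, for one profile, every entry that does not match the seven-field
# format, uses an unknown policy, or lists a command with an empty attr field.
# Prints one finding per line; exits 0 when the file is clean, 1 otherwise.
exec_attr_lint() {   # $1 = exec_attr file, $2 = profile name
    awk -F: -v prof="$2" '
        /^#/ || /^[ \t]*$/ { next }                     # comments and blanks
        NF != 7 {
            printf "line %d: %d fields, expected 7 (wrapped or truncated?)\n", NR, NF
            bad++; next
        }
        $2 != "suser" && $2 != "solaris" {
            printf "line %d: unknown policy \"%s\"\n", NR, $2; bad++
        }
        $1 == prof && $7 == "" {
            printf "line %d: %s listed with no attributes\n", NR, $6; bad++
        }
        END { exit (bad > 0) }' "$1"
}

# Number of lines (all profiles) that fail the seven-field check.
exec_attr_count_bad() {   # $1 = exec_attr file
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }
        NF != 7 { n++ }
        END { print n + 0 }' "$1"
}

# Value of the privs= attribute for one command in one profile, or nothing.
exec_attr_privs() {   # $1 = exec_attr file, $2 = profile, $3 = command path
    awk -F: -v prof="$2" -v cmd="$3" '
        /^#/ || /^[ \t]*$/ { next }
        NF == 7 && $1 == prof && $6 == cmd {
            n = split($7, kv, ";")                      # attr is key=val;key=val
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^privs=/) { sub(/^privs=/, "", kv[i]); print kv[i] }
        }' "$1"
}

# Constructed samples: the entries as the original poster wrote them (six
# fields, no attr field at all) and as the reply rewrote them (seven fields
# with a privs= attribute).
EXEC_ATTR_BEFORE=$(mktemp)
cat > "$EXEC_ATTR_BEFORE" <<'EOF'
# name:policy:type:res1:res2:id:attr
Very Restricted User:suser:cmd:::/usr/bin/id
Very Restricted User:suser:cmd:::/usr/bin/svcs
EOF

EXEC_ATTR_AFTER=$(mktemp)
cat > "$EXEC_ATTR_AFTER" <<'EOF'
Very Restricted User:suser:cmd:::/usr/bin/id:privs=file_dac_execute
Very Restricted User:suser:cmd:::/usr/bin/svcs:privs=file_dac_execute,file_dac_read,sys_devices,proc_lock_memory,proc_priocntl
EOF
trap 'rm -f "$EXEC_ATTR_BEFORE" "$EXEC_ATTR_AFTER"' EXIT

echo "== before =="; exec_attr_lint "$EXEC_ATTR_BEFORE" 'Very Restricted User' || true
echo "== after  =="; exec_attr_lint "$EXEC_ATTR_AFTER"  'Very Restricted User' && echo "clean"
echo "privs for /usr/bin/svcs: $(exec_attr_privs "$EXEC_ATTR_AFTER" 'Very Restricted User' /usr/bin/svcs)"
```

Run it against a copy of exec_attr before handing a profile to a pfksh user: the poster's entries are reported as six-field lines, and the reply's entries pass and show their privs= values. Lines wrapped by a mail client, like the quoted reply above as it appears in the archive, fail the field-count check, so the lint is also a useful check after pasting from a mailing list. It does not tell you whether a given privs= set is the right one for a command (the reply says those were found by experimentation); it only makes the difference between "listed with no attributes" and "listed with privileges" visible in one place.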

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Mon Nov 24 12:16:26 2008

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:12 EST