beer9
asked on
How to add auth RBAC to a user in Solaris 10?
I want to add a user with 'shutting down/poweroff' authorization RBAC. I got this entry in /etc/security/auth_attr
bash-3.00# grep shutdown /etc/security/auth_attr
solaris.system.shutdown::: Shutdown the System::help=SysShutdown.html
I did 'usermod -A solaris.system.shutdown username'
but still I am not able to poweroff the system using command /usr/sbin/poweroff
I am getting permission denied error.
Kindly suggest how can I use the predefined auth.
ASKER
I am having a problem understanding this concept, especially the 'auth' part.
We already have system-defined authorizations like solaris.system.shutdown in /etc/security/auth_attr,
but still I had to manually define a profile which auth the profile in /etc/security/prof_attr and later define an associated command like /usr/sbin/poweroff in /etc/security/exec_attr for the named profile.
After doing all this, I created a new role with just the defined profile and assigned it to a user, and then I got the expected result.
My whole concern is why we have predefined authorizations, and how to use them in a simple way.
I just noticed we also have the '-A (authorization)' option in the useradd command; how can I simply allow a user to assign specific authorization?
ASKER
Also, another curiosity of mine is how I can find out which (how many) commands are associated with the auth 'solaris.jobs.admin'.
I just guess that 'crontab' should be working, but is there a way I can get a list of commands which support the auth 'solaris.jobs.admin'?
Try this command:
usermod -u UID -R rolename
To put the changes into effect:
svcadm restart system/name-service-cache
ASKER
I am having a problem understanding the 'auth' in RBAC; please let me know if some example would satisfy my curiosity.
ASKER CERTIFIED SOLUTION
ASKER
Thank you! :)
http://www.softpanorama.or
http://www.samag.com/docum
http://www.sun.com/softwar
http://rabbs.com/rbac.pdf
http://docs.sun.com/app/do
and the links in: http: Q_21910191.html
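
To make the relationship between 'usermod -A', profiles and roles discussed in this thread concrete, here is an added example (not code from the thread or from Solaris) that reads user_attr and prof_attr text and reports which accounts can reach a given authorization and by which path. It assumes the colon-separated layouts documented in user_attr(4) and prof_attr(4); the accounts, the role opsrole and the profile Site Shutdown are constructed sample data, and defaults granted through /etc/security/policy.conf are not considered.

```python
# Added example: every entry below is constructed sample data, not from a real system.
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant
opsrole::::type=role;profiles=Site Shutdown
alice::::type=normal;roles=opsrole
bob::::type=normal;auths=solaris.system.shutdown
carol::::type=normal;auths=solaris.jobs.admin
"""
PROF_ATTR = "Site Shutdown:::Constructed profile:auths=solaris.system.shutdown\n"

def load(text):
    """Parse user_attr/prof_attr text into {name: {key: [values]}}."""
    db = {}
    for line in text.splitlines():
        f = line.strip().split(":", 4)          # 5 fields, attributes in the last
        if len(f) == 5 and not line.startswith("#"):
            pairs = (p.partition("=") for p in f[4].split(";") if "=" in p)
            db[f[0]] = {k: v.split(",") for k, _, v in pairs}
    return db

def grants(granted, wanted):
    """Exact match, or prefix match when the granted name ends in '*'."""
    return wanted.startswith(granted[:-1]) if granted.endswith("*") else granted == wanted

def profile_auths(name, profs, seen=()):
    """Auths of a profile plus those of its supplementary profiles (cycle-safe)."""
    if name in seen or name not in profs:
        return []
    subs = profs[name].get("profiles", [])
    return profs[name].get("auths", []) + [
        a for s in subs for a in profile_auths(s, profs, seen + (name,))]

def holders(auth, users, profs):
    """Return {account: [grant paths]} for every account that can reach auth."""
    found = {}
    for user, attrs in users.items():
        pool = [("direct", attrs.get("auths", []))]   # what usermod -A writes
        pool += [("profile:" + p, profile_auths(p, profs)) for p in attrs.get("profiles", [])]
        how = [label for label, auths in pool if any(grants(a, auth) for a in auths)]
        if how:
            found[user] = how
    for user, attrs in users.items():   # users allowed to assume a holding role
        for r in attrs.get("roles", []):
            if r in found and users[r].get("type") == ["role"]:
                found.setdefault(user, []).append("role:" + r)
    return found

if __name__ == "__main__":
    print(holders("solaris.system.shutdown", load(USER_ATTR), load(PROF_ATTR)))
```

On a live system the same functions can be fed the contents of /etc/user_attr and /etc/security/prof_attr; a "role:" path means the authorization applies only after the user assumes that role.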