Solved

Solaris 10 shutdown for someone else besides root

Posted on 2009-03-30
9
1,028 Views
Last Modified: 2013-12-27
Trying to set up an account on a new install of Solaris 10 that can shut the machine down from a terminal. I ran the SMC and created a user in the staff group and and gave it "shutdown" rights under the rights tab (there was message on the side bar that said Rtshutdown.html could not be accessed, most likely cause the file doesn't exist). Still got permission denied when I tried to run the shutdown command. I then added the user to the following groups; bin, root, sys, sysadmin, I really don't want the user in those groups, I was just testing stuff out. The user still get permision denied when it tries to run shutdown.

One side note, I did not install and naming services during the install process and this machine does not have access to the internet.

If you need to see some configs just let me know, an help would be great

0
Comment
Question by:still_lost
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 5

Accepted Solution

by:
awa2008 earned 250 total points
ID: 24020719
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 24021352
0
 
LVL 4

Expert Comment

by:joules17
ID: 24025857
delegating the rights to shutdown the system can be done with one of these mentioned above, RBAC or sudo,
but can you give us these outputs to see why a user with root permission is not able to shutdown

#more /etc/passwd
#more /etc/group
echo $PATH     -- from the user's login shell


0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:still_lost
ID: 24132168
Should have mentioned this earlier, but I don't want to use sudo.

This is what I've done so far. Using mainly the SMC i've created a user named sentry who's primary group is staff. I created a role called shut gave it the predefined right "shutdown" and a "shutdowncmd" right that I made in the SMC. The shut role is part of the sysadmin group. I added the sentry and root user to the shut role.

If I "su - shut" from root or sentry then run"/usr/sbin/shutdown -h now" I get "Only root can run ..."

cat /etc/passwd
....
shut:x:101:14:shut:/home/shut:/bin/pfsh
sentry:x:102:10::/home/sentry:/bin/sh

cat /etc/group
.....
sysadmin::14:shut
...
staff::10:sentry
...

cat /etc/user_attr
....
shut::::profiles=shutdowncmd,shutdown;type=role
sentry::::roles=shut;type=normal

$PATH for shut does not include /usr/sbin/ but since I'm typing in the whole path for the command I don't think it should matter
0
 
LVL 14

Expert Comment

by:arthurjb
ID: 24187808
I imagine the reason that you have not gotten any further replies is that sudo is the correct option, and you have said that you don't want to use it.

You should rethink your options.

Creating an account that belongs to no one, to do a job as important as shutting down the machine, can create a major security hole.

With sudo, you have logging and know who did the shutdown.  With your method there is no accountability.

Good Luck!
 
0
 

Author Comment

by:still_lost
ID: 24209030
For various reasons ( I won't go into them) I have to use RBAC. It is plenty secure for what I am using it for. I guess my question really should have been why is RBAC not working on a new install of Solaris 10
0
 
LVL 14

Assisted Solution

by:arthurjb
arthurjb earned 250 total points
ID: 24210795
If you insist on doing it the hard way, here is a link that describes the whole process;

http://www.sun.com/bigadmin/content/submitted/custom_roles_rbac.html

Good Luck
0
 

Author Comment

by:still_lost
ID: 24380092
OK, finally got back to this. Seems like the big problem was using SMC and the built in shutdown right. When I finally gave up on SMC and used the command line and created new profile to run the shutdown command it worked.

I followed the first example in the last link that arthurjb posted. I'm sure the one posted by awa2008 would have worked as well if I had done everything in the command line. I'm going to try and split the points between the two. Thanks for all the good links.
0
 

Author Comment

by:still_lost
ID: 24380115
One more thing, there is a slight error in the first example. At one point it says to edit the /etc/security/prof_attr file when it should be the /etc/security/exec_attr file
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question