How does a role in RBAC work?

Posted on 2009-04-30
Last Modified: 2013-12-27
Below is the output from my /etc/security/exec_attr. Here I have assigned the /usr/sbin/poweroff and /usr/sbin/reboot commands to the 'shutdown' profile and later assigned the 'shutdown' profile to a role named 'power'.

So now I have assigned the 'power' role to a user 'user1'. Doesn't that mean that whenever 'user1' assumes the 'power' role, he should be able to run only the /usr/sbin/poweroff and /usr/sbin/reboot commands, and no other commands like 'ls', 'cp' or 'mv'? Please let me know if I am getting it right.



Question by:beer9
    LVL 22

    Accepted Solution

    No. Assuming a role does not take away the normal privileges, so all the commands will work as they always do. It just means that in addition to the normal ones, the role user can run the commands designated in exec_attr with the specified attributes, in this case running the poweroff and reboot commands as uid=0.  

    In fact, if you assign the role to a user, that user does not even have to assume the role to execute the commands. He can just use the pfexec command (kind of like sudo) and it will run with the exec_attr attributes.

    If you do not assign the role, then the users will assume the role using the su command.

    By the way, in general you shouldn't be using reboot. The reboot command is an emergency command, one step above the halt command. It bypasses all of the normal shutdown processing. You should be using either the shutdown command or the init command.
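As an added illustration of the accepted answer (not part of the original thread and not the asker's configuration), this Python example parses constructed `exec_attr` lines and reports which commands a role would run with added attributes and which run as they normally do. The `All` wildcard entry, the profile order, and the helper names `parse_exec_attr`, `resolve` and `audit` are assumptions made for the example.

```python
import fnmatch

# Constructed exec_attr(4) lines (name:policy:type:res1:res2:id:attr) using the
# profile name from the question; the "All" wildcard line is an assumed stock entry.
EXEC_ATTR = """\
shutdown:suser:cmd:::/usr/sbin/poweroff:uid=0
shutdown:suser:cmd:::/usr/sbin/reboot:uid=0
All:suser:cmd:::*:
"""

def parse_exec_attr(text):
    """Return [(profile, command_pattern, {attr: value})] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7 or fields[2] != "cmd":
            continue  # malformed line or not a command entry
        attrs = dict(kv.split("=", 1) for kv in fields[6].split(";") if "=" in kv)
        entries.append((fields[0], fields[5], attrs))
    return entries

def resolve(command, role_profiles, entries):
    """Walk the role's profiles in order; the first entry whose pattern matches wins.
    Returns (profile, attrs), or None if no profile lists the command."""
    for profile in role_profiles:
        for name, pattern, attrs in entries:
            if name == profile and fnmatch.fnmatchcase(command, pattern):
                return profile, attrs
    return None

def audit(commands, role_profiles, text=EXEC_ATTR):
    """Map each command to 'elevated (<attrs>)', 'normal' or 'not listed'."""
    entries = parse_exec_attr(text)
    report = {}
    for cmd in commands:
        hit = resolve(cmd, role_profiles, entries)
        if hit is None:
            report[cmd] = "not listed"
        elif hit[1]:
            pairs = sorted(hit[1].items())
            report[cmd] = "elevated (%s)" % ",".join("%s=%s" % kv for kv in pairs)
        else:
            report[cmd] = "normal"
    return report
```

Calling `audit(["/usr/sbin/reboot", "/usr/bin/ls"], ["shutdown", "All"])` marks `reboot` as elevated with `uid=0` and `ls` as normal, which is the behaviour the answer describes.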
    LVL 38

    Assisted Solution

    In addition to blu's comment:
    Roles are similar to regular system users; however, roles may not log into the system. The preferred method of assuming a role is to use the `su` command.
    Also, please have a look at the following docs to learn more details:

    Author Closing Comment

    Thanks! :-)
