
How does a role in RBAC work?

Below is the output from my /etc/security/exec_attr. Here I have assigned the /usr/sbin/poweroff and /usr/sbin/reboot commands to the 'shutdown' profile and later assigned the 'shutdown' profile to a role named 'power'.

So now I assigned the 'power' role to a user 'user1'. Doesn't it mean that whenever 'user1' assumes the 'power' role he should be able to run only the /usr/sbin/poweroff and /usr/sbin/reboot commands, and no other command like 'ls', 'cp', 'mv'? Please let me know if I am getting it right.


2 Solutions
Brian Utterback (Principal Software Engineer) commented:
No. Assuming a role does not take away the normal privileges, so all the commands will work as they always do. It just means that in addition to the normal ones, the role user can run the commands designated in exec_attr with the specified attributes, in this case running the poweroff and reboot commands as uid=0.  

In fact, if you assign the role to a user, that user does not even have to assume the role to execute the commands. He can just use the pfexec command (kind of like sudo) and it will run with the exec_attr attributes.

If you do not assign the role, then the users will assume the role using the su command.

By the way, in general you shouldn't be using reboot. The reboot command is an emergency command, one step above the halt command. It bypasses all of the normal shutdown processing. You should be using either the shutdown command or the init command.
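The lookup chain described above (user_attr roles= and profiles=, prof_attr, exec_attr), as an added example that is not part of the original thread: a small POSIX sh resolver over constructed copies of the three databases mirroring the question's setup. The function names (`rbac_commands`, `rbac_check`) and the sample entries are assumptions of this example; a command a profile does not list comes back as "normal", meaning it is neither blocked nor given extra attributes.

```shell
#!/bin/sh
# Constructed sample RBAC databases (not copied from a real system).
# Field layouts follow user_attr(4), prof_attr(4) and exec_attr(4).
USER_ATTR='user1::::type=normal;roles=power
power::::type=role;profiles=shutdown'
PROF_ATTR='shutdown:::Shut down the system:help=RtShutdown.html'
EXEC_ATTR='shutdown:solaris:cmd:::/usr/sbin/poweroff:uid=0
shutdown:solaris:cmd:::/usr/sbin/reboot:uid=0'

# Pull one key (roles, profiles, ...) out of a ';'-separated attr field.
attr_get() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v k="$2" '$1==k {print $2}'
}

# attr field of a user or role record in user_attr (5th colon-separated field).
user_attr_of() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v n="$1" '$1==n {print $5}'
}

profiles_of() { attr_get "$(user_attr_of "$1")" profiles; }   # comma-separated
roles_of()    { attr_get "$(user_attr_of "$1")" roles; }      # comma-separated

# Every exec_attr cmd entry reachable from NAME's profiles, printed as
# "<path> <attrs>". Profiles nested via profiles= in prof_attr are followed
# one level, which covers this page's setup.
rbac_commands() {
    for p in $(profiles_of "$1" | tr ',' ' '); do
        nested=$(attr_get "$(printf '%s\n' "$PROF_ATTR" \
                   | awk -F: -v n="$p" '$1==n {print $5}')" profiles)
        for q in $p $(printf '%s\n' "$nested" | tr ',' ' '); do
            printf '%s\n' "$EXEC_ATTR" \
              | awk -F: -v n="$q" '$1==n && $3=="cmd" {print $6, $7}'
        done
    done
}

# How CMD runs for NAME: the exec_attr attributes when a profile grants them,
# otherwise "normal" (the caller's own identity, nothing added or removed).
rbac_check() {
    a=$(rbac_commands "$1" | awk -v c="$2" '$1==c {print $2; exit}')
    [ -n "$a" ] && printf '%s\n' "$a" || printf 'normal\n'
}
```

`rbac_commands power` lists only poweroff and reboot with uid=0, while `rbac_commands user1` is empty because the profile hangs off the role, not the user record itself.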
In addition to blu's comment:
Roles are similar to regular system users; however, roles may not log into the system. The preferred method of assuming a role is to use the `su` command.
Also, please have a look at the following docs to learn more details:
beer9 (Author) commented:
Thanks! :-)
