I wrote a little program to dump out the uid/euid and discovered that RBAC is working correctly but you have to get the exec_attr record correct for a given program. In the case of apachectl you need

Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2

Notice it's uid=0 NOT euid=0 which I was using following the general advice given by SMC (the egid isn't relevant in this case.) When uid= is used, apachectl (which is a shell script) works as expected from the role user name. When euid= is used, apachectl isn't given sufficient privilege and fails. I still don't understand why this happens but I'm just happy it works now.

Nobody nailed it, but thanks for the replies.

On Mon, Nov 10, 2003 at 01:01:38PM +0000, Geoff Lane wrote:
> I'm in the process of replacing various ad-hoc methods of granting special
> privileges with RBAC. Unfortunately I'm stuck at the first fence, creating
> a simple web server administration role.
>
> Here's the config on a fully patched x86 Solaris 9 system...
>
> exec_attr:
> Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
>
> prof_attr:
> Apache Management:::Apache Web Server Management:help=ApacheManagement.html
>
> user_attr:
> webadm::::profiles=Apache Management;type=role
> zzcos::::type=normal;roles=webadm
>
> passwd:
> webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh
>
> I restarted nscd after creating the role.
> /export/home/webadm exists and is owned by webadm.
> SMC seems happy with the configuration.
> But when user zzcos su's into webadm and runs
> /usr/local/apache/bin/apachectl it does not run with euid=0 and fails to
> start the server (which can be started as root.)
> There's nothing in /var/adm/messages.
> /var/log/auth shows that the su into webadm worked OK.
> roles(1) shows that zzcos has the webadm role.
>
> The man page for su implies that /etc/pam.conf needs su-specific entries
> before RBAC will work but the Security Services manual makes no mention of
> modifying pam.conf which already has the line...
>
> other account requisite pam_roles.so.1
>
> So, where do I go from here? Do I need the pam.conf entries given in su(1)
> or have I made a dumb mistake in the configuration?
>
> Thanks, summary will follow.
>
> --
> /\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
>
> IBM manuals are neither written by, nor for, humans.
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

--
/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\

McDonalds hamburgers are made from 100% genuine clown meat.

Received on Mon Nov 10 11:01:13 2003
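The exec_attr record format and the uid=/euid= pitfall described in the summary above, as an added example (Python; not code from the thread, from SMC or from Solaris): a small parser for exec_attr(4) records plus a lint that flags a shell-script target granted euid= without uid=, which is the combination that left apachectl without privilege under pfsh. The two sample records are constructed from the entries in the thread; whether a target is a script is decided from the first bytes of the file, which the caller supplies, so nothing has to run on a Solaris host. The function names and the finding codes are my own.

```python
"""Parser and lint for Solaris exec_attr(4) records.

Added example, not code from the sunmanagers thread. Each record is
name:policy:type:res1:res2:id:attr, with attr a ';'-separated list of
key=value pairs. The lint reproduces the check the thread's summary
implies: a script target with euid= but no uid= is suspect.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the failing euid= entry and the working uid= entry
# from the thread, plus a comment line that the parser must skip.
SAMPLE_EXEC_ATTR = """\
# name:policy:type:res1:res2:id:attr
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2
"""


@dataclass
class ExecAttr:
    name: str
    policy: str
    type_: str
    res1: str
    res2: str
    id_: str
    attrs: Dict[str, str]


def parse_attrs(attr_field: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; a bare key maps to ''."""
    attrs: Dict[str, str] = {}
    for item in attr_field.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def parse_exec_attr_line(line: str) -> ExecAttr:
    """Parse one non-comment exec_attr line into its seven fields."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, policy, type_, res1, res2, id_, attr = fields
    return ExecAttr(name, policy, type_, res1, res2, id_, parse_attrs(attr))


def parse_exec_attr(text: str) -> List[ExecAttr]:
    """Parse a whole file, skipping blank lines and '#' comments."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        records.append(parse_exec_attr_line(line))
    return records


def looks_like_script(first_bytes: bytes) -> bool:
    """A '#!' interpreter line marks the target as a script."""
    return first_bytes.startswith(b"#!")


def lint_record(rec: ExecAttr, target_head: bytes) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one record."""
    findings: List[Tuple[str, str]] = []
    if rec.type_ != "cmd":
        findings.append(("not-cmd", f"type is {rec.type_!r}; profile commands use 'cmd'"))
    # '*' is the documented wildcard; anything else should be an absolute path.
    if rec.id_ != "*" and not rec.id_.startswith("/"):
        findings.append(("relative-path", f"command {rec.id_!r} is not an absolute path"))
    # The thread's observation: a shell script given only euid= did not get
    # privilege under pfsh, while uid= worked.
    if looks_like_script(target_head) and "euid" in rec.attrs and "uid" not in rec.attrs:
        findings.append(("euid-on-script",
                         f"{rec.id_} is a script but only euid={rec.attrs['euid']} is set; "
                         "use uid= as the thread's summary found necessary"))
    return findings


def lint_exec_attr(text: str, heads: Dict[str, bytes]) -> Dict[int, List[str]]:
    """Lint every record; heads maps command path -> first bytes of that file.
    Returns {record index: [finding codes]}."""
    return {i: [code for code, _ in lint_record(rec, heads.get(rec.id_, b""))]
            for i, rec in enumerate(parse_exec_attr(text))}


if __name__ == "__main__":
    # Constructed: apachectl is a Bourne shell script, as the thread states.
    heads = {"/usr/local/apache/bin/apachectl": b"#!/bin/sh\n"}
    for i, rec in enumerate(parse_exec_attr(SAMPLE_EXEC_ATTR)):
        for code, msg in lint_record(rec, heads.get(rec.id_, b"")):
            print(f"record {i} ({rec.attrs}): {code}: {msg}")
```

On a real host the `heads` mapping would be filled by reading the first few bytes of each command named in the id field; the lint deliberately takes those bytes as input rather than opening files so the same check can be run against a copy of exec_attr off the box.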
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:23 EST