In a Nutshell... Sudo is the way to go, with maybe RBAC as a second choice. However, I can't use sudo because, though it works with eTrust, NIS+, and stand-alone systems, it does not work with the older security models Keon/SMax and PowerPack. PowerBroker makes sudo authenticate to the PowerBroker database and not really to sudo (perhaps my mistake... but I get it to work on NIS+ and stand-alone, but the same configuration failed on PowerBroker). A SUID program released via a one-time Safeword/Desgold password bound to a functional account that is on a captive menu is the way to go (in my case). Zion Huang helped with the C code to get a basic suid file working. Again, if I did not have four or five security models, sudo would be the best choice with RBAC as a second choice.

Thanks to:
Zion_Huang@concentra.com
David Foster <foster@ncmir.ucsd.edu>
"Alan Pae" <alanpae@lycos.com>
"Dell, Mary" <mdell@mesirowfinancial.com>
Neezam Haniff <nhaniff@ca.mci.com>
"Baker, Darryl" <Darryl.Baker@gedas.com>

Zion_Huang@concentra.com:
> Here is the code:
>
> #include <sys/types.h>
> #include <stdio.h>
> #include <stdlib.h>     /* exit() */
> #include <unistd.h>     /* setuid(), setgid() */
>
> int main(void)
> {
>     setuid(0);          /* <---------- this is the line that is different */
>     setgid(0);
>     system("/bin/sh");  /* spawn a shell with the new (root) ids */
>     exit(0);
> }
>
> After compiling this, this is similar to .sudo to get into super user
> mode.
>
> Hope this helps.
>
> Zion

** Thanks, this code works... I am adding traps etc., putting in a section to have the insecure code and only switch to secure to run the pkgadd command etc.

"Alan Pae" <alanpae@lycos.com>
have you tried sudo or rbac?
---
Sun Country - Hundreds of links and technical articles.
http://alanpae.tripod.com/sitemap.htm
http://resources.solaris-x86.org/sitemap.htm

** rbac is good... but I still have some legacy Solaris 2.6. It would also add one more security model to my infrastructure. Most of the native support was provided for Solaris 9... I'll have to look up Solaris 8 support, but it is still one more security model.

David Foster <foster@ncmir.ucsd.edu>
Did you try sudo? Or perhaps RBAC in Solaris 9. I wouldn't use Perl for this any longer; as of 5.5.8 Perl no longer supports this, for security reasons.

** Thanks... good thing you mentioned it... I went asking for help on C instead of Perl, which would have been my first choice.

"Dell, Mary" <mdell@mesirowfinancial.com>
I use sudo to allow my operators to do a couple of root functions. I don't know if it works with any fancy auth methods, but it works great with regular Unix. You can allow different users to use different apps; you can specify whether they need to have a password or not, and you can create groups to give access to. My operators only have root access to one app, nsrjb, and otherwise they're not able to do root stuff.

** Thanks. Sudo works on about half of my security models. I was looking for something that could be used in all my environments. The suid C program works on all of them... I wish I could use sudo.

Neezam Haniff <nhaniff@ca.mci.com>
This sounds like a job for sudo. Sudo gives you the ability to scope out what a particular userid is allowed to run with 'root' privileges. I think it will give you the granularity you need to accomplish the task at hand. Using the said script with sudo should work. Unfortunately, I have not come across an environment with these particular requirements. Hopefully this will provide some insight into a possible solution, though.

** Thanks.

"Baker, Darryl" <Darryl.Baker@gedas.com>
The 2 best solutions are sudo (switch user and do) and RBAC (role based access control). Both allow non-root users root privileges to run some defined set of commands. While RBAC comes with Solaris 8 and 9, it is cumbersome to set up. Sudo is available in package form from Sun Freeware (www.sunfreeware.com) and is widely used on many platforms.

** Thanks.

Carlos
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Sun Nov 7 23:04:51 2004
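The wrapper posted in the thread gives whoever can execute it an interactive root shell, and the summary says the plan is to switch to the privileged path only to run pkgadd. The program below is an added example (not Carlos's or Zion Huang's code, and not from any product named above) of what that narrower wrapper looks like: it execs one fixed command with one validated argument, replaces the caller's environment, closes inherited descriptors, checks both setuid and setgid, and restricts callers by real uid. PKGADD_PATH, SPOOL_DIR, OPERATOR_UID and the program name pkgwrap are assumptions for this example.

```c
/*
 * pkgwrap.c: hardened variant of the setuid-wrapper idea from the thread.
 * Added example, not the code posted on the list. Instead of handing the
 * caller a root shell it runs exactly one fixed command (pkgadd) on one
 * validated argument, with a clean environment and no inherited descriptors.
 * PKGADD_PATH, SPOOL_DIR and OPERATOR_UID are assumptions for this example.
 * Install as: chown root:operator pkgwrap; chmod 4750 pkgwrap
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PKGADD_PATH  "/usr/sbin/pkgadd"   /* assumed location of pkgadd */
#define SPOOL_DIR    "/var/spool/pkg"     /* assumed package spool directory */
#define OPERATOR_UID ((uid_t)1001)        /* assumed uid of the functional account */

/* Accept a package instance name only if it is 1..64 characters from
 * [A-Za-z0-9._-] and does not start with '.' or '-'. That excludes empty
 * strings, paths, "..", option look-alikes and shell metacharacters, so the
 * value can be placed in argv without ever passing through a shell. */
int valid_pkg_name(const char *s)
{
    size_t i, n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '.' || s[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fill av[] with the fixed command line "pkgadd -d SPOOL_DIR <pkg>".
 * Returns 0 on success, -1 if the package name is rejected.
 * av must have room for 5 pointers. */
int build_pkgadd_argv(const char *pkg, char *av[])
{
    if (!valid_pkg_name(pkg))
        return -1;
    av[0] = (char *)PKGADD_PATH;
    av[1] = (char *)"-d";
    av[2] = (char *)SPOOL_DIR;
    av[3] = (char *)pkg;
    av[4] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    char *av[5];
    int fd;
    /* Fixed environment: nothing from the caller (PATH, IFS, LD_*) survives. */
    char *clean_env[] = { (char *)"PATH=/usr/sbin:/usr/bin", NULL };

    if (argc != 2 || build_pkgadd_argv(argv[1], av) != 0) {
        fprintf(stderr, "usage: pkgwrap <package-instance>\n");
        return 2;
    }
    /* Only the functional account may use the wrapper; the real uid, not the
     * effective one, identifies who invoked a setuid binary. */
    if (getuid() != OPERATOR_UID) {
        fprintf(stderr, "pkgwrap: not authorised\n");
        return 1;
    }
    /* Do not leak descriptors opened by the caller into the root process. */
    for (fd = 3; fd < 256; fd++)
        close(fd);
    /* Become root for real (both ids) and refuse to continue if either fails. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("pkgwrap: setuid");
        return 1;
    }
    execve(PKGADD_PATH, av, clean_env);
    perror("pkgwrap: execve");   /* only reached if the exec failed */
    return 1;
}
```

Because the binary never calls system() or a shell, the only thing the caller controls is the package name, and that is checked against a strict character set before it reaches execve. The two checks the thread's version lacks (setuid/setgid return values and the real-uid test) are what keep a failed privilege change or a stray caller from running the command anyway; where sudo or RBAC work, they still remain the better choice, as the replies above say.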
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:39 EST