06-26-2007
RBAC: create a user to shut the server
Hi,
I have created a user to shutdown the server using RBAC.
Here are my steps:
1. roleadd -u 1000 -g 10 -d /home/stopsys -m stopsys
2. passwd stopsys
3. edit /etc/security/prof_attr to include:
Shut:::able to shut the server:
4. modrole -P Shut stopsys
5. useradd -u 1001 -g 10 -d /home/user10 -m -R stopsys -s /bin/ksh user10
6. passwd user10
edit /etc/security/exec_attr to include:
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
Now, when I login & execute the shutdown cmd, I get this:
/usr/sbin/shutdown: Only root can run /usr/sbin/shutdown
But the relevant files have been updated as follows:
#tail -1 /etc/security/prof_attr
Shut:::Shutdown the Server:
# tail -2 /etc/user_attr
stopsys::::type=role;profiles=Shut
user10::::type=normal;roles=stopsys
# tail -1 /etc/security/exec_attr
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
Would you be able to find the issue here?
Thanks in advance.
Chaandana
profiles(1) profiles(1)
NAME
profiles - print execution profiles for a user
SYNOPSIS
profiles [-l] [ user ...]
DESCRIPTION
The profiles command prints on standard output the names of the execution profiles that have been assigned to you or to the
optionally-specified user or role name. Profiles are a bundling mechanism used to enumerate the commands and authorizations needed to
perform a specific function. Along with each listed executable are the process attributes, such as the effective user and group IDs,
with which the process runs when started by a privileged command interpreter. The profile shells are pfcsh, pfksh, and pfexec. See the
pfexec(1) man page.
Profiles can contain other profiles defined in prof_attr(4).
Multiple profiles can be combined to construct the appropriate access control. When profiles are assigned, the authorizations are added to
the existing set. If the same command appears in multiple profiles, the first occurrence, as determined by the ordering of the profiles, is
used for process-attribute settings. For convenience, a wild card can be specified to match all commands.
When profiles are interpreted, the profile list is loaded from user_attr(4). If any default profile is defined in /etc/security/policy.conf
(see policy.conf(4)), the list of default profiles are added to the list loaded from user_attr(4). Matching entries in prof_attr(4) provide
the authorizations list, and matching entries in exec_attr(4) provide the commands list.
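The lookup described above (user_attr, then prof_attr, then exec_attr), as an added Python example that is not part of the man page or the forum post. It uses the three entries quoted in the post as constructed input; the function names are hypothetical, and policy.conf default profiles and the `*` wildcard are not modelled.

```python
# Constructed sample data: the entries are the ones quoted in the post above.
USER_ATTR = """\
stopsys::::type=role;profiles=Shut
user10::::type=normal;roles=stopsys
"""
PROF_ATTR = "Shut:::Shutdown the Server:\n"
EXEC_ATTR = "Shut:suser:cmd:::/usr/sbin/shutdown:uid=0\n"

def rows(text, nfields):
    """Yield well-formed colon-separated rows, skipping comments and blanks."""
    for line in text.splitlines():
        parts = line.strip().split(":", nfields - 1)
        if not line.startswith("#") and len(parts) == nfields:
            yield parts

def attrs(field):
    """Parse 'key=v1,v2;key2=v' into {key: [values]}."""
    out = {}
    for pair in filter(None, field.split(";")):
        key, _, val = pair.partition("=")
        out[key] = val.split(",")
    return out

def account(name):
    """Attributes of one user_attr entry, e.g. type=, profiles= and roles=."""
    return next((attrs(r[4]) for r in rows(USER_ATTR, 5) if r[0] == name), {})

def expand(profiles, seen=None):
    """Ordered profile list, following profs= sub-profiles from prof_attr."""
    seen = [] if seen is None else seen
    prof_db = {r[0]: attrs(r[4]) for r in rows(PROF_ATTR, 5)}
    for p in profiles:
        if p not in seen:
            seen.append(p)
            expand(prof_db.get(p, {}).get("profs", []), seen)
    return seen

def commands(name):
    """{command: attributes}; the first profile listing a command wins."""
    result = {}
    for prof in expand(account(name).get("profiles", [])):
        for r in rows(EXEC_ATTR, 7):
            if r[0] == prof and r[2] == "cmd":
                result.setdefault(r[5], r[6])
    return result

def via_roles(name):
    """Commands attached to the roles an account may assume, keyed by role."""
    return {role: commands(role) for role in account(name).get("roles", [])}
```

With these entries, `/usr/sbin/shutdown` with `uid=0` resolves for the role `stopsys`, while `user10` has no `profiles=` of its own and reaches the command only through the role.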
OPTIONS
The following options are supported:
-l Lists the commands in each profile followed by the special process attributes such as user and group IDs.
EXAMPLES
Example 1: Sample Output
The output of the profiles command has the following form:
example% profiles tester01 tester02
tester01 : Audit Management, All Commands
tester02 : Device Management, All Commands
example%
Example 2: Using the list Option
example% profiles -l tester01 tester02
tester01 :
Audit Management:
/usr/sbin/audit euid=root
/usr/sbin/auditconfig euid=root egid=sys
All Commands:
*
tester02 :
Device Management:
/usr/bin/allocate: euid=root
/usr/bin/deallocate: euid=root
All Commands
*
example%
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 An error occurred.
FILES
/etc/security/exec_attr
/etc/security/prof_attr
/etc/user_attr
/etc/security/policy.conf
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsu |
+-----------------------------+-----------------------------+
SEE ALSO
auths(1), pfexec(1), roles(1), getprofattr(3SECDB), exec_attr(4), policy.conf(4), prof_attr(4), user_attr(4), attributes(5)
11 Feb 2000 profiles(1)