Solaris

I am referring Bill Calkins(SCSA exam prep) for RBAC..actually i wanted to make a normal user to get the privilege to run a command through authorization, not through profile files...
This is the exact steps given by Bill calkins..


1.roleadd -m -d /export/home/adminusr -c "Admin Assistant" \
-A solaris.admin.usermgr.pswd,solaris.system.shutdown,\
solaris.admin.fsmgr.write adminusr
2. passwd adminusr
3. usermod -R adminusr neil
4.su - neil
5.$roles
adminusr
6.su - adminusr

Now, neil can change passwords, shutdown system, share filesystems...
This is what Bill Calkins says...

but when i do this as neil..for eg.
$su - adminusr
passwd:****
passwd:****
$/usr/sbin/shutdown -h now
Only root can run /usr/sbin/shutdown...

Please let me know where I am going wrong...

you need to take the role as "adminuser" as far as i know... try a "su - adminuser" and test again.

---------- Post updated at 11:05 ---------- Previous update was at 11:04 ----------

To keep the forums high quality for all users, please take the time to format your posts correctly.

First of all, use Code Tags when you post any code or data samples so others can easily read your code. You can easily do this by highlighting your code and then clicking on the # in the editing menu. (You can also type code tags [code] and [/code] by hand.)

Second, avoid adding color or different fonts and font size to your posts. Selective use of color to highlight a single word or phrase can be useful at times, but using color, in general, makes the forums harder to read, especially bright colors like red.

Third, be careful when you cut-and-paste, edit any odd characters and make sure all links are working property.

Thank You.

The UNIX and Linux Forums

Hi,
let me see /etc/user_attr file.


Good luck

You forgot one small thing... pfexec
$ pfexec shutdown -h now
and it should work

It isn't required to use pfexec here. However, the book example just doesn't allow to reboot as it doesn't apply to stock Solaris but Trusted Solaris extension only.

so i dont know how u managed that,i suspect that executive attribution has not given correct for your role that it cant execute "shutdown",
but example shown below works 100% :

# useradd -m -d /export/home/testuser testuser
64 blocks
# passwd testuser
New Password:
Re-enter new Password:
passwd: password successfully changed for testuser
# grep testuser /etc/passwd
testuser:x:60004:1::/export/home/testuser:/bin/sh
# roleadd -m -d /export/home/shutdown shutdown
64 blocks
# passwd shutdown
New Password:
Re-enter new Password:
passwd: password successfully changed for shutdown
# grep shutdown /etc/passwd
shutdown:x:60005:1::/export/home/shutdown:/bin/pfsh
# usermod -R shutdown testuser
# grep testuser /etc/user_attr
testuser::::type=normal;roles=shutdown

#echo "SHUTDOWN::rofile to shutdown:help=shutdown.html" > /etc/security/prof_attr
#rolemod -P SHUTDOWN shutdown
#echo "SHUTDOWN:suser:cmd:::/usr/sbin/shutdown:uid=0" > /etc/security/exec_attr

-----------------------------------------------------

login as: testuser
Using keyboard-interactive authentication.
Password:
Last login: Mon Jul 20 12:36:57 2009 from 10.10.1.231
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ su - shutdown
Password:
$ /usr/sbin/shutdown

hutdown started. Mon Jul 20 12:53:22 GET 2009

Broadcast Message from root (pts/2) on gantek4 Mon Jul 20 12:53:22...
The system gantek4 will be shut down in 1 minute

showmount: gantek4: RPC: Program not registered
Broadcast Message from root (pts/2) on gantek4 Mon Jul 20 12:53:52...
The system gantek4 will be shut down in 30 seconds


Good luck

No, it simply can't work. The book example is wrong in the sense authorizations can't grant a role to shutdown with regular Solaris.
The workaround is to use profiles like you do.