Assigning proc_owner privilege to particular user in RBAC

# 8  
I do not think there is a "group_proc" privilege. You are going to have to set up sudo and specifically allow those users to become the user that runs the application. But then they can "tinker" with the application process.

sudo - man pages section 1M: System Administration Commands
It is part of Solaris 11.

Suppose the app runs with appuser. sudo su - appuser is the command they would use. I assume they are already in the same group as appuser. Let's call that group "foo"

You will have to read up on sudoedit and /etc/sudoers. You grant the permission to become "appuser" based on the fact that they are only in the special group I mentioned, "foo". Actually appuser does not have to be in the "foo" group, but then you open up access to anything that appuser can do in its own group to these newcomers.
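The grant described in the post above, worked through as an added example; this is not the poster's code. It uses the thread's placeholder names "foo" and "appuser", assumes a sudo that reads a /etc/sudoers.d drop-in directory (an #includedir line in /etc/sudoers), and uses a constructed group file in place of /etc/group so it runs offline; the visudo syntax check is skipped when visudo is not installed.

```shell
#!/bin/sh
# Added example, not from the thread: generate the sudoers grant described
# above and check its preconditions before installing it. "foo" and "appuser"
# are the thread's placeholder names; the group file below is constructed.

# Rule letting members of GROUP run exactly "/usr/bin/su - TARGET" as root,
# which is the command "sudo su - TARGET" resolves to. No ALL, no wildcards,
# so the grant is limited to becoming TARGET.
sudoers_rule() {
    printf '%%%s ALL=(root) /usr/bin/su - %s\n' "$1" "$2"
}

# Exit 0 if USER is listed as a member of GROUP in a group(4)-format file.
# This is the membership the rule keys on, so it is worth checking first.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit f ? 0 : 1 }' "$3"
}

# Exit 0 only for a rule that grants the single su command: reject command
# lists (commas) and the ALL command alias.
rule_is_scoped() {
    case "$1" in
        *,*|*'=(root) ALL'*) return 1 ;;
        '%'*' ALL=(root) /usr/bin/su - '?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write RULE to FILE (a /etc/sudoers.d drop-in; needs #includedir in
# /etc/sudoers) with a tight umask and let visudo parse it when available.
install_rule() {
    rule_is_scoped "$1" || { echo "refusing unscoped rule: $1" >&2; return 1; }
    umask 077
    printf '%s\n' "$1" > "$2"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$2"
    fi
}

# Constructed stand-in for /etc/group: alice and bob are in foo, carol is not.
GROUPFILE=$(mktemp)
cat > "$GROUPFILE" <<'EOF'
root:x:0:
foo:x:1001:alice,bob
appgrp:x:1002:appuser
EOF

RULE=$(sudoers_rule foo appuser)
echo "$RULE"    # %foo ALL=(root) /usr/bin/su - appuser
in_group alice foo "$GROUPFILE" && echo "alice is in foo: the rule applies to her"
in_group carol foo "$GROUPFILE" || echo "carol is not in foo: no access"
rm -f "$GROUPFILE"
# As root: install_rule "$RULE" /etc/sudoers.d/appuser
```

The rule names one command with its exact arguments, so sudoers argument matching confines the group to becoming appuser; a rule with `ALL` in the command position would let them run anything as root, which is the mistake `rule_is_scoped` guards against.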
coreadm(1M)                                                        coreadm(1M)

NAME
    coreadm - core file administration

SYNOPSIS
    coreadm [-g pattern] [-G content] [-i pattern] [-I content]
            [-d option...] [-e option...]
    coreadm [-p pattern] [-P content] [pid...]
    coreadm -u

DESCRIPTION
    coreadm specifies the name and location of core files produced by
    abnormally-terminating processes. See core(4).

    Only users who have the sys_admin privilege can execute the first form of
    the SYNOPSIS. This form configures system-wide core file options,
    including a global core file name pattern and a core file name pattern
    for the init(1M) process. All settings are saved in coreadm's
    configuration file /etc/coreadm.conf so that they are reapplied at boot.
    See init(1M).

    Nonprivileged users can execute the second form of the SYNOPSIS. This
    form specifies the file name pattern and core file content that the
    operating system uses to generate a per-process core file.

    Only users who have the sys_admin privilege can execute the third form of
    the SYNOPSIS. This form updates all system-wide core file options, based
    on the contents of /etc/coreadm.conf. Normally, this option is used on
    reboot when starting svc:/system/coreadm:default.

    A core file name pattern is a normal file system path name with embedded
    variables, specified with a leading % character. The variables are
    expanded from values that are effective when a core file is generated by
    the operating system. The possible embedded variables are as follows:

        %d    Executable file directory name, up to a maximum of MAXPATHLEN
              characters
        %f    Executable file name, up to a maximum of MAXCOMLEN characters
        %g    Effective group-ID
        %m    Machine name (uname -m)
        %n    System node name (uname -n)
        %p    Process-ID
        %t    Decimal value of time(2)
        %u    Effective user-ID
        %z    Name of the zone in which process executed (zonename)
        %%    Literal %

    For example, the core file name pattern /var/core/core.%f.%p would
    result, for command foo with process-ID 1234, in the core file name
    /var/core/core.foo.1234.

    A core file content description is specified using a series of tokens to
    identify parts of a process's binary image:

        anon     Anonymous private mappings, including thread stacks that are
                 not main thread stacks
        ctf      CTF type information sections for loaded object files
        data     Writable private file mappings
        dism     DISM mappings
        heap     Process heap
        ism      ISM mappings
        rodata   Read-only private file mappings
        shanon   Anonymous shared mappings
        shfile   Shared mappings that are backed by files
        shm      System V shared memory
        stack    Process stack
        symtab   Symbol table sections for loaded object files
        text     Readable and executable private file mappings

    In addition, you can use the token all to indicate that core files should
    include all of these parts of the process's binary image. You can use the
    token none to indicate that no mappings are to be included. The default
    token indicates inclusion of the system default content
    (stack+heap+shm+ism+dism+text+data+rodata+anon+shanon+ctf). The /proc
    file system data structures are always present in core files regardless
    of the mapping content.

    You can use + and - to concatenate tokens. For example, the core file
    content default-ism would produce a core file with the default set of
    mappings without any intimate shared memory mappings.

    The coreadm command with no arguments reports the current system
    configuration, for example:

        $ coreadm
             global core file pattern: /var/core/core.%f.%p
             global core file content: all
               init core file pattern: core
               init core file content: default
                    global core dumps: enabled
               per-process core dumps: enabled
              global setid core dumps: enabled
         per-process setid core dumps: disabled
             global core dump logging: disabled

    The coreadm command with only a list of process-IDs reports each
    process's per-process core file name pattern, for example:

        $ coreadm 278 5678
          278:  core.%f.%p  default
         5678:  /home/george/cores/%f.%p.%t  all-ism

    Only the owner of a process or a user with the proc_owner privilege can
    interrogate a process in this manner.

    When a process is dumping core, up to three core files can be produced:
    one in the per-process location, one in the system-wide global location,
    and, if the process was running in a local (non-global) zone, one in the
    global location for the zone in which that process was running. Each
    core file is generated according to the effective options for the
    corresponding location.

    When generated, a global core file is created in mode 600 and owned by
    the superuser. Nonprivileged users cannot examine such files. Ordinary
    per-process core files are created in mode 600 under the credentials of
    the process. The owner of the process can examine such files.

    A process that is or ever has been setuid or setgid since its last
    exec(2) presents security issues that relate to dumping core. Similarly,
    a process that initially had superuser privileges and lost those
    privileges through setuid(2) also presents security issues that are
    related to dumping core. A process of either type can contain sensitive
    information in its address space to which the current nonprivileged
    owner of the process should not have access. If setid core files are
    enabled, they are created mode 600 and owned by the superuser.

OPTIONS
    The following options are supported:

    -d option...
        Disable the specified core file option. See the -e option for
        descriptions of possible options. Multiple -e and -d options can be
        specified on the command line. Only users with the sys_admin
        privilege can use this option.

    -e option...
        Enable the specified core file option. Specify option as one of the
        following:

        global        Allow core dumps that use global core pattern.
        global-setid  Allow set-id core dumps that use global core pattern.
        log           Generate a syslog(3C) message when generation of a
                      global core file is attempted.
        process       Allow core dumps that use per-process core pattern.
        proc-setid    Allow set-id core dumps that use per-process core
                      pattern.

        Multiple -e and -d options can be specified on the command line.
        Only users with the sys_admin privilege can use this option.

    -g pattern
        Set the global core file name pattern to pattern. The pattern must
        start with a / and can contain any of the special % variables that
        are described in the DESCRIPTION. Only users with the sys_admin
        privilege can use this option.

    -G content
        Set the global core file content to content. You must specify
        content by using the tokens that are described in the DESCRIPTION.
        Only users with the sys_admin privilege can use this option.

    -i pattern
        Set the default per-process core file name to pattern. This changes
        the per-process pattern for any process whose per-process pattern is
        still set to the default. Processes that have had their per-process
        pattern set or are descended from a process that had its per-process
        pattern set (using the -p option) are unaffected. This default
        persists across reboot. Only users with the sys_admin or proc_owner
        privilege can use this option.

    -I content
        Set the default per-process core file content to content. This
        changes the per-process content for any process whose per-process
        content is still set to the default. Processes that have had their
        per-process content set or are descended from a process that had its
        per-process content set (using the -P option) are unaffected. This
        default persists across reboot. Only users with the sys_admin or
        proc_owner privilege can use this option.

    -p pattern
        Set the per-process core file name pattern to pattern for each of
        the specified process-IDs. The pattern can contain any of the special
        % variables described in the DESCRIPTION and need not begin with /.
        If the pattern does not begin with /, it is evaluated relative to the
        directory that is current when the process generates a core file.

        A nonprivileged user can apply the -p option only to processes that
        are owned by that user. A user with the proc_owner privilege can
        apply the option to any process. The per-process core file name
        pattern is inherited by future child processes of the affected
        processes. See fork(2).

        If no process-IDs are specified, the -p option sets the per-process
        core file name pattern to pattern on the parent process (usually the
        shell that ran coreadm).

    -P content
        Set the per-process core file content to content for each of the
        specified process-IDs. The content must be specified by using the
        tokens that are described in the DESCRIPTION.

        A nonprivileged user can apply the -P option only to processes that
        are owned by that user. A user with the proc_owner privilege can
        apply the option to any process. The per-process core file content
        is inherited by future child processes of the affected processes.
        See fork(2).

        If no process-IDs are specified, the -P option sets the per-process
        file content to content on the parent process (usually the shell
        that ran coreadm).

    -u
        Update system-wide core file options from the contents of the
        configuration file /etc/coreadm.conf. If the configuration file is
        missing or contains invalid values, default values are substituted.
        Following the update, the configuration file is resynchronized with
        the system core file configuration. Only users with the sys_admin
        privilege can use this option.

OPERANDS
    The following operands are supported:

    pid    process-ID

EXAMPLES
    Example 1: Setting the Core File Name Pattern

    When executed from a user's $HOME/.profile or $HOME/.login, the following
    command sets the core file name pattern for all processes that are run
    during the login session:

        example$ coreadm -p core.%f.%p

    Note that since the process-ID is omitted, the per-process core file
    name pattern will be set in the shell that is currently running and is
    inherited by all child processes.

    Example 2: Dumping a User's Files Into a Subdirectory

    The following command dumps all of a user's core dumps into the
    corefiles subdirectory of the home directory, discriminated by the
    system node name. This command is useful for users who use many
    different machines but have a shared home directory.

        example$ coreadm -p $HOME/corefiles/%n.%f.%p 1234

    Example 3: Culling the Global Core File Repository

    The following commands set up the system to produce core files in the
    global repository only if the executables were run from /usr/bin or
    /usr/sbin.

        example# mkdir -p /var/cores/usr/bin
        example# mkdir -p /var/cores/usr/sbin
        example# coreadm -G all -g /var/cores/%d/%f.%p.%n

FILES
    /etc/coreadm.conf

EXIT STATUS
    The following exit values are returned:

    0    Successful completion.
    1    A fatal error occurred while either obtaining or modifying the
         system core file configuration.
    2    Invalid command-line options were specified.

ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE    ATTRIBUTE VALUE
    Availability      SUNWcsu

SEE ALSO
    gcore(1), svcs(1), init(1M), svcadm(1M), exec(2), fork(2), setuid(2),
    time(2), syslog(3C), core(4), attributes(5), smf(5)

NOTES
    In a local (non-global) zone, the global settings apply to processes
    running in that zone. In addition, the global zone's settings apply to
    processes run in any zone. The term global settings refers to settings
    which are applied to the system or zone as a whole, and does not
    necessarily imply that the settings are to take effect in the global
    zone.

    The coreadm service is managed by the service management facility,
    smf(5), under the service identifier:

        svc:/system/coreadm:default

    Administrative actions on this service, such as enabling, disabling, or
    requesting restart, can be performed using svcadm(1M). The service's
    status can be queried using the svcs(1) command.

                                 22 Jul 2005                       coreadm(1M)
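The pattern variables and content tokens from the DESCRIPTION above, and the privilege boundary around -g/-G, worked through as an added example. This is a shell script written for this page, not part of the man page or of Solaris: it re-implements the % expansion so the result can be seen without crashing a process, checks a content description against the token list, and adds a directory-permission check that coreadm itself does not perform. The process attributes it feeds in (/usr/bin/foo, pid 1234, uid 100, node db1) are constructed.

```shell
#!/bin/sh
# Added example, not part of the man page or of Solaris: expand a coreadm(1M)
# core file name pattern the way the DESCRIPTION above defines the % variables,
# validate a content description, and check the destination directory before
# a sys_admin user sets a global pattern. The process attributes passed in are
# constructed; nothing here reads a live process.

# expand_pattern PATTERN DIR FILE GID MACH NODE PID TIME UID ZONE
# Substitutes %d %f %g %m %n %p %t %u %z and %%; an unknown %x is left as is.
expand_pattern() {
    printf '%s' "$1" | awk -v d="$2" -v f="$3" -v g="$4" -v m="$5" -v n="$6" \
                           -v p="$7" -v t="$8" -v u="$9" -v z="${10}" '
    {
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c != "%") { out = out c; continue }
            i++; v = substr($0, i, 1)
            if      (v == "d") out = out d
            else if (v == "f") out = out f
            else if (v == "g") out = out g
            else if (v == "m") out = out m
            else if (v == "n") out = out n
            else if (v == "p") out = out p
            else if (v == "t") out = out t
            else if (v == "u") out = out u
            else if (v == "z") out = out z
            else if (v == "%") out = out "%"
            else               out = out "%" v
        }
        print out
    }'
}

# content_ok SPEC: exit 0 if SPEC is tokens from the DESCRIPTION joined by
# + and -, e.g. "default-ism" or "all-ism+shm"; reject stray operators.
content_ok() {
    [ -n "$1" ] || return 1
    case "$1" in [+-]*|*[+-]|*[+-][+-]*) return 1 ;; esac
    for tok in $(printf '%s' "$1" | sed 's/[-+]/ /g'); do
        case "$tok" in
            anon|ctf|data|dism|heap|ism|rodata|shanon|shfile|shm|stack|symtab|text|all|none|default) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# dir_ok DIR: the directory receiving core files must exist and must not be
# writable by others. Global and setid cores are created mode 600 owned by
# root, but an other-writable parent lets any user pre-create or replace
# entries at the expanded path. (Added check; coreadm does not do this.)
dir_ok() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???????w?) return 1 ;;
    esac
    return 0
}

# apply_global PATTERN CONTENT: validate, then run coreadm -g/-G if present.
# The real call needs the sys_admin privilege (root, or pfexec with a profile
# that grants it); a proc_owner user can only set per-process patterns (-p).
apply_global() {
    case "$1" in /*) ;; *) echo "global pattern must start with /" >&2; return 2 ;; esac
    content_ok "$2" || { echo "bad content description: $2" >&2; return 2; }
    if command -v coreadm >/dev/null 2>&1; then
        coreadm -G "$2" -g "$1"
    else
        echo "would run: coreadm -G $2 -g $1"
    fi
}

# Constructed process: /usr/bin/foo, pid 1234, gid 10, uid 100, node db1.
expand_pattern '/var/core/core.%f.%p' /usr/bin foo 10 i86pc db1 1234 1700000000 100 global
# -> /var/core/core.foo.1234 (the man page's own example)
expand_pattern '/var/core/%z/%u/core.%f.%p.%t' /usr/bin foo 10 i86pc db1 1234 1700000000 100 global
content_ok default-ism && echo "default-ism: valid content description"
content_ok stack+bogus || echo "stack+bogus: rejected"
# With sys_admin: apply_global /var/core/core.%f.%p all
```

Keying the path on %u and %z, as the second expansion does, keeps one user's or one zone's cores apart from another's; the directory check matters because the mode 600 on the core file only protects its contents, not the path an unprivileged user could pre-stage in a loosely permissioned directory.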