RBAC config / x86 Sol 9

From: Geoff Lane (zzassgl@zoe.mcc.ac.uk)
Date: Mon Nov 10 2003 - 08:01:38 EST


I'm in the process of replacing various ad-hoc methods of granting special
privileges with RBAC. Unfortunately I'm stuck at the first fence, creating
a simple web server administration role.

Here's the config on a fully patched x86 Solaris 9 system...

exec_attr:
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2

prof_attr:
Apache Management:::Apache Web Server Management:help=ApacheManagement.html

user_attr:
webadm::::profiles=Apache Management;type=role
zzcos::::type=normal;roles=webadm

passwd:
webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh

I restarted nscd after creating the role.
/export/home/webadm exists and is owned by webadm.
SMC seems happy with the configuration.
But when user zzcos su's into webadm and runs
/usr/local/apache/bin/apachectl, it does not run with euid=0 and fails to
start the server (which can be started as root).
There's nothing in /var/adm/messages.
/var/log/auth shows that the su into webadm worked OK.
roles(1) shows that zzcos has the webadm role.

The man page for su implies that /etc/pam.conf needs su-specific entries
before RBAC will work, but the Security Services manual makes no mention of
modifying pam.conf, which already has the line...

other account requisite pam_roles.so.1

So, where do I go from here? Do I need the pam.conf entries given in su(1)
or have I made a dumb mistake in the configuration?

Thanks, summary will follow.

-- 
/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
IBM manuals are neither written by, nor for, humans.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
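Added example, not code from the post or from Sun: a POSIX sh script that walks the user -> role -> profile -> exec_attr chain for one command using the four entries quoted above (embedded as constructed sample data), and also checks that the role's login shell is a profile shell, since exec_attr attributes are only applied through pfsh/pfcsh/pfksh. The function names kv_get, role_shell_ok and cmd_attrs are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: walk user -> role -> profile -> exec_attr
# for one command. The four databases are the post's entries as constructed data.
USER_ATTR='webadm::::profiles=Apache Management;type=role
zzcos::::type=normal;roles=webadm'
PROF_ATTR='Apache Management:::Apache Web Server Management:help=ApacheManagement.html'
EXEC_ATTR='Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2'
PASSWD='webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh'

# kv_get DB FIELD NAME KEY: value of KEY in the ';'-separated attribute
# FIELD of the entry whose first field is NAME (empty if absent).
kv_get() {
  printf '%s\n' "$1" | awk -F: -v f="$2" -v name="$3" -v key="$4" '
    $1 == name { n = split($f, kv, ";")
      for (i = 1; i <= n; i++)
        if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2) }'
}

# role_shell_ok ROLE: 0 if the role logs in with a profile shell; without
# one (pfsh/pfcsh/pfksh) exec_attr attributes are never applied.
role_shell_ok() {
  case "$(printf '%s\n' "$PASSWD" | awk -F: -v r="$1" '$1 == r { print $7 }')" in
    */pfsh|*/pfcsh|*/pfksh) return 0 ;;
    *) return 1 ;;
  esac
}

# cmd_attrs USER CMD: print the exec_attr attributes (e.g. euid=0;egid=2)
# USER reaches for the full path CMD through one of its roles; return 1 if
# no chain grants them. CMD must match the exec_attr path exactly.
cmd_attrs() {
  user=$1 cmd=$2 found=1
  for role in $(kv_get "$USER_ATTR" 5 "$user" roles | tr ',' ' '); do
    [ "$(kv_get "$USER_ATTR" 5 "$role" type)" = role ] || continue
    role_shell_ok "$role" || continue
    oldifs=$IFS; IFS=','                 # profile names may contain spaces
    for prof in $(kv_get "$USER_ATTR" 5 "$role" profiles); do
      IFS=$oldifs
      printf '%s\n' "$PROF_ATTR" | grep -q "^$prof:" || continue   # profile must be defined
      attrs=$(printf '%s\n' "$EXEC_ATTR" | awk -F: -v p="$prof" -v c="$cmd" \
        '$1 == p && $3 == "cmd" && $6 == c { print $7 }')
      [ -n "$attrs" ] && { printf '%s\n' "$attrs"; found=0; }
    done
    IFS=$oldifs
  done
  return $found
}
```

On a live system the same checks can be run against the real databases by replacing the embedded data with the contents of /etc/user_attr, /etc/security/prof_attr, /etc/security/exec_attr and /etc/passwd.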


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:26 EDT