SUMMARY: RBAC config / x86 Sol 9

From: Geoff Lane (zzassgl@zoe.mcc.ac.uk)
Date: Mon Nov 10 2003 - 10:56:33 EST


I wrote a little program to dump out the uid/euid and discovered that RBAC
is working correctly but you have to get the exec_attr record correct for a
given program.

In the case of apachectl you need

Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2

Notice it's uid=0 NOT euid=0 which I was using following the general advice
given by SMC (the egid isn't relevant in this case.) When uid= is used,
apachectl (which is a shell script) works as expected from the role user
name. When euid= is used, apachectl isn't given sufficient privilege and
fails.

I still don't understand why this happens but I'm just happy it works now.

Nobody nailed it, but thanks for the replies.

On Mon, Nov 10, 2003 at 01:01:38PM +0000, Geoff Lane wrote:
> I'm in the process of replacing various ad-hoc methods of granting special
> privileges with RBAC. Unfortunately I'm stuck at the first fence, creating
> a simple web server administration role.
>
> Here's the config on a fully patched x86 Solaris 9 system...
>
> exec_attr:
> Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
>
> prof_attr:
> Apache Management:::Apache Web Server Management:help=ApacheManagement.html
>
> user_attr:
> webadm::::profiles=Apache Management;type=role
> zzcos::::type=normal;roles=webadm
>
> passwd:
> webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh
>
> I restarted nscd after creating the role.
> /export/home/webadm exists and is owned by webadm.
> SMC seems happy with the configuration.
> But when user zzcos su's into webadm and runs
> /usr/local/apache/bin/apachectl it does not run with euid=0 and fails to
> start the server (which can be started as root.)
> There's nothing in /var/adm/messages.
> /var/log/auth shows that the su into webadm worked OK.
> roles(1) shows that zzcos has the webadm role.
>
> The man page for su implies that /etc/pam.conf needs su-specific entries
> before RBAC will work but the Security Services manual makes no mention of
> modifying pam.conf which already has the line...
>
> other account requisite pam_roles.so.1
>
> So, where do I go from here? Do I need the pam.conf entries given in su(1)
> or have I made a dumb mistake in the configuration?
>
> Thanks, summary will follow.
>
>
> --
> /\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
>
> IBM manuals are neither written by, nor for, humans.
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

-- 
/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
McDonalds hamburgers are made from 100% genuine clown meat.
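An added example, not code from the post or the sunmanagers list: it parses exec_attr(4) records like the two shown above and flags the euid=-only form for a command the administrator knows to be a script, mirroring the finding that apachectl needed uid=0. The record format follows exec_attr(4); the sample records, the `script_paths` argument and the `ExecAttr` class are constructed for this example.

```python
"""Parse Solaris exec_attr(4) records and flag euid= on known scripts.

Added example, not from the original post. Format per exec_attr(4):
name:policy:type:res1:res2:id:attr, attr being ';'-separated key=value.
"""
from dataclasses import dataclass, field

# Constructed sample: the failing record from the question and the
# working record from the summary.
SAMPLE_EXEC_ATTR = """\
# profile:policy:type:res1:res2:id:attr
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2
"""

@dataclass
class ExecAttr:          # hypothetical record type for this example
    profile: str
    policy: str
    type: str
    path: str
    attrs: dict = field(default_factory=dict)

def parse_exec_attr(text):
    """Return ExecAttr records; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
        name, policy, typ, _res1, _res2, path, attr = fields
        # attr is "k=v;k=v"; an empty attr field yields an empty dict
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if kv)
        records.append(ExecAttr(name, policy, typ, path, attrs))
    return records

def lint_script_privileges(records, script_paths):
    """Report records that grant only euid= to a command known to be a script.

    The post found the shell script apachectl only worked with uid=0, so a
    script path carrying euid= but no uid= is reported for review.
    """
    findings = []
    for r in records:
        if r.path in script_paths and "euid" in r.attrs and "uid" not in r.attrs:
            findings.append(f"{r.profile}: {r.path} has euid={r.attrs['euid']} "
                            f"but no uid=; the post needed uid= for this script")
    return findings
```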


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:26 EDT