RBAC not working with cron?

From: Mitcheson, Douglas (douglas.mitcheson@uk.experian.com)
Date: Wed Dec 10 2003 - 05:47:50 EST


> Sun Fire V120 running Solaris 8 2/02 KJP 108528-19 + Recommended Patch
> Cluster Apr 03.
>
> An RBAC profile has been assigned directly to a non-root user (rather than
> to a role) which allows the user to run a script as another user.
> Everything works as it should from the user's login prompt, i.e. the script
> runs as the 'other' user, but if the user runs the script from cron then
> RBAC is completely ignored!
>
> Here's a simple procedure that can be used to recreate the problem...
>
> (1) As root, create /tmp/testscript as follows:
>
> #!/bin/ksh
> /usr/sbin/format </dev/null
>
> (2) Add the following line to the end of /etc/security/exec_attr:
>
> TEST:suser:cmd:::/tmp/testscript:uid=0
>
> (3) Assign the 'TEST' profile to the user (e.g. jbloggs) in
> /etc/user_attr:
>
> jbloggs::::type=normal;profiles=TEST,All
>
> (4) Change the default shell of the user (e.g. jbloggs) to the 'profile'
> version of the shell e.g. change ksh to pfksh:
>
> jbloggs:x:101:2000:Joe Bloggs:/export/home/jbloggs:/bin/pfksh
>
> (5) Log on as the user (jbloggs) and run /tmp/testscript. You should see a
> list of disks from the format command.
>
> (6) As the user, edit your crontab and add the following
>
> * * * * * /tmp/testscript > /tmp/testscript.out 2>&1
>
> (7) After a maximum of 60s, output should appear in /tmp/testscript.out.
> The output should suggest that format is being run as a non-root user!
>
> Any suggestions?
>
> Thanks
>
> Doug Mitcheson
> Experian Ltd
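
An added example, not part of the original post: a small audit that resolves a user's profiles from user_attr, finds exec_attr commands that change uid/gid, and reports which crontab entries run them directly rather than through pfexec or a pf* shell. It assumes cron starts jobs with a plain sh, so exec_attr only applies when a profile-aware launcher is used; the file contents are constructed from the lines in the post, and the second crontab entry is hypothetical.

```python
# Constructed sample data in the formats quoted in the post (added example).
EXEC_ATTR = "TEST:suser:cmd:::/tmp/testscript:uid=0\nAll:suser:cmd:::*:\n"
USER_ATTR = "jbloggs::::type=normal;profiles=TEST,All\n"
CRONTAB = (
    "* * * * * /tmp/testscript > /tmp/testscript.out 2>&1\n"
    # Hypothetical second entry, present only to exercise the checker.
    "* * * * * /usr/bin/pfexec /tmp/testscript > /tmp/testscript.out 2>&1\n"
)
ID_KEYS = {"uid", "euid", "gid", "egid"}
# Assumption: only these launchers consult exec_attr; cron's plain sh does not.
LAUNCHERS = {"pfexec", "pfsh", "pfksh", "pfcsh"}

def records(text):
    # Non-blank, non-comment lines of a colon-delimited database or crontab.
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def profiles_of(user, user_attr=USER_ATTR):
    # user_attr fields: user:qualifier:res1:res2:attr
    for rec in records(user_attr):
        name, _, _, _, attr = rec.split(":", 4)
        if name == user:
            kv = dict(p.split("=", 1) for p in attr.split(";") if "=" in p)
            return kv.get("profiles", "").split(",")
    return []

def elevated_cmds(profiles, exec_attr=EXEC_ATTR):
    # exec_attr fields: name:policy:type:res1:res2:id:attr
    out = {}
    for rec in records(exec_attr):
        name, _, kind, _, _, path, attr = rec.split(":", 6)
        keys = {p.split("=", 1)[0] for p in attr.split(";") if "=" in p}
        if name in profiles and kind == "cmd" and keys & ID_KEYS:
            out[path] = attr
    return out

def audit(user, crontab=CRONTAB):
    # One finding per cron entry that runs an identity-changing command:
    # (entry number, path, attr, launched via pfexec or a pf* shell?)
    cmds, findings = elevated_cmds(profiles_of(user)), []
    for n, rec in enumerate(records(crontab), 1):
        words = rec.split(None, 5)[5].split()
        via = words[0].rsplit("/", 1)[-1] in LAUNCHERS
        for w in (words[1:] if via else words[:1]):
            if w in cmds:
                findings.append((n, w, cmds[w], via))
    return findings

if __name__ == "__main__":
    for finding in audit("jbloggs"):
        print(finding)
```

An entry whose last field is False is one where the uid=0 attribute in the TEST profile would not be expected to take effect under the stated assumption.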
