RBAC - root password

From: UmanS (kedaran0504@yahoo.com.au)
Date: Wed Jan 22 2003 - 17:21:47 EST


I'm referring back to my previous email about RBAC
(given below). I was playing with it for a while and
noted that user "passman" can change the root password
also. Is there a way to stop this (other than a
script)?

Thanks
Uman.

Previous call ********************
I have applied the patch 110386-02 and changed the
line as Casper said:
User Security:suser:cmd:::/usr/bin/passwd:euid=0;uid=0

It worked like a champ.

Thanks again.
Uman

My Original question ========

I have received 3 responses so far, I write this
partial summary to say that I have tried everything as
said in the doco. Used User Security profile provided
by SUN. Steps taken:
1. User Security:suser:cmd:::/usr/bin/passwd:euid=0
This is already provided by SUN in
/etc/security/exec_attr
2. roleadd -m -P "User Security,All" passman && passwd passman
3. usermod -R passman testuser
4. login as testuser
login: testuser
Password:
bash-2.03$ su - passman
Password:
$ passwd <user_id>
passwd (SYSTEM): Permission denied
passwd (SYSTEM): Can't change local passwd file
Permission denied
5. Tested profiles
$ profiles
User Security
All
Basic Solaris User

Then Stev sent this message
"sandrewz" <sandrewz@yahoo.com>
This has to do with the EUID in one of the RBAC
authentication files under /etc/security/. This has
been fixed under Solaris 9. BTW, I haven't seen this
error posted anywhere, but discovered it myself.

stev

Therefore I have to assume that it's not going to work
in Sol 8. If anyone successfully implemented in Sol 8
I would like to hear from them.

Thanks to
Schneider, Michael (empolis GT)
Casper Dik
and also to Stev.

Regards
Uman
--- UmanS <kedaran0504@yahoo.com.au> wrote:
> Hi Managers,
>
> We are planning to hand over unix passwd changes to our
> help desk and I am trying to do it through RBAC. I
> have followed the procedures from this "god send" list;
> it is working for the snoop command (as in the SUMMARY) but
> it doesn't work for the passwd command. When I test I get
> the following answer:
> passwd (SYSTEM): Permission denied
> passwd (SYSTEM): Can't change local passwd file
>
> Has anyone implemented this before? I have a script in
> perl to change the password (also from this list) but
> that still requires the root user id.
>
> Any suggestions/ideas welcome.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
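
An added example, not part of the original post or of Solaris itself: a small shell audit that reads exec_attr and user_attr and lists which users can reach a command with uid=0 or euid=0 through a role, which is the path that lets "passman" run passwd as root. The function names and the sample file contents are constructed for illustration; on a real system the inputs would be /etc/security/exec_attr and /etc/user_attr.

```shell
#!/bin/sh
# Added example. Formats follow exec_attr(4)/user_attr(4); sample data is constructed.

# profiles_with_root_cmd EXEC_ATTR CMD: profiles whose CMD entry has uid=0 or euid=0
profiles_with_root_cmd() {
    awk -F: -v cmd="$2" '
        /^#/ || NF < 7 { next }
        $3 == "cmd" && $6 == cmd {
            n = split($7, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] == "uid=0" || kv[i] == "euid=0") { print $1; next }
        }' "$1" | sort -u
}

# holders USER_ATTR KEY NAME: accounts whose KEY= list (profiles, roles) contains NAME
holders() {
    awk -F: -v key="$2" -v want="$3" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], key "=") != 1) continue
                m = split(substr(kv[i], length(key) + 2), item, ",")
                for (j = 1; j <= m; j++)
                    if (item[j] == want) { print $1; next }
            }
        }' "$1" | sort -u
}

# reach EXEC_ATTR USER_ATTR CMD: "profile|role|user" for each user who can assume
# a role holding a profile that runs CMD as root (direct user profiles not listed)
reach() {
    profiles_with_root_cmd "$1" "$3" | while IFS= read -r p; do
        holders "$2" profiles "$p" | while IFS= read -r r; do
            holders "$2" roles "$r" | while IFS= read -r u; do
                printf '%s|%s|%s\n' "$p" "$r" "$u"
            done
        done
    done
}

# Constructed sample data mirroring the setup described in the thread
demo=$(mktemp -d)
printf '%s\n' 'User Security:suser:cmd:::/usr/bin/passwd:euid=0;uid=0' \
    'Network Management:suser:cmd:::/usr/sbin/snoop:uid=0' > "$demo/exec_attr"
printf '%s\n' 'passman::::type=role;profiles=User Security,All' \
    'testuser::::type=normal;roles=passman' > "$demo/user_attr"
reach "$demo/exec_attr" "$demo/user_attr" /usr/bin/passwd
```

Each output line names a profile, the role that holds it, and a user allowed to assume that role, so every line is an account to review when passwd is delegated with root IDs.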




This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:38 EDT