From mark.james.lists at gmail.com Tue Oct 17 17:40:29 2006
From: mark.james.lists at gmail.com (mark larios)
Date: Wed, 18 Oct 2006 09:40:29 +0900
Subject: [immigrants-discuss] using RBAC with Blastwave pkg-get
Message-ID:

Hello,

I'm a new OpenSolaris user and I'm trying to create a Right to allow me to install software using Blastwave without having to su to root. I've read over Ben's "Using RBAC on (Open)Solaris," so I understand the basic concepts, but now that I'm getting into the specifics I'm a little lost. I've created a Right called "Blastwave Installation", but I'm not sure what commands I need to add to the Right. I assume I'll need at least pkg-get and wget.

Since I'm new, introductions are in order. I'm a technician at a fruit fly lab in Kyoto. While I spend most of my time breeding flies and carrying out crosses, I'm developing a web-app for managing the stocks; I'm evaluating Solaris as a platform for serving the application. I've administered Linux (although that was about 4 years ago) and OS X and deployed applications on FreeBSD (TextDrive), but there's something that feels right about Solaris. I'm looking forward to learning.

Thanks.

--
Mark James Adams
Drosophila Genetic Resource Center
Kyoto Institute of Technology

From Darren.Moffat at Sun.COM Thu Oct 19 05:52:35 2006
From: Darren.Moffat at Sun.COM (Darren J. Moffat)
Date: Thu, 19 Oct 2006 05:52:35 PDT
Subject: [immigrants-discuss] Re: using RBAC with Blastwave pkg-get
In-Reply-To:
Message-ID: <18889039.1161262385403.JavaMail.Twebapp@oss-app2>

The now canonical RBAC page for OpenSolaris is:

http://opensolaris.org/os/community/security/projects/rbac/

In general security-discuss is probably your best alias for RBAC questions.

I believe the only thing you will need is this single entry in /etc/security/exec_attr

    Blastwave Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0

and this one in /etc/security/prof_attr

    Blastwave Installation:::Add Blastwave application software to the system:

Then you assign that profile to your user account like this:

    # usermod -P "Blastwave Installation" mark

You can also do all of this graphically using smc(1M).

To run it you do this (assuming /opt/csw/bin is in your path):

    mark$ pfexec pkg-get apache

The reason you only need pkg-get is that entry will run pkg-get as uid 0 and everything it runs after that will also inherit that, so the wget, the pkgadd etc etc.

Advanced options:

There already exists a "Software Installation" profile that works for pkgadd, smpatch etc. So you might actually want to extend that and give yourself "Software Installation" instead. You can do that in two different ways. The first is to just add the exec_attr line I gave above but name it Software Installation. The second, and slightly more elegant IMO, is to update the "Software Installation" profile in prof_attr and add "Blastwave Installation" as a sub profile of it.

In either of those cases you would give yourself "Software Installation" and be able to use pkgadd, smpatch and pkg-get directly.

Hope that helps, if you have any further questions please follow up in the security-discuss alias (I've cc'd).

--
Darren J Moffat
--
This message posted from opensolaris.org
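
Added example, not part of the thread or of either poster's message: a Python cross-check of exec_attr and prof_attr text that reports exec_attr entries whose profile name is not defined in prof_attr, and lists the commands a profile runs as uid 0 once profs= sub-profiles are followed. The file contents are constructed samples, the "Software Installation" lines are simplified assumptions rather than the shipped entries, and the function names are hypothetical.

```python
# Constructed sample data; the "Software Installation" lines are simplified assumptions.
PROF_ATTR = """\
Blastwave Installation:::Add Blastwave application software to the system:
Software Installation:::Add application software to the system:profs=Blastwave Installation
"""
EXEC_ATTR = """\
Blastwave Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0
Software Installation:suser:cmd:::/usr/sbin/pkgadd:uid=0
Blastware Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0
"""
ROOT = {"0", "root"}
def records(text, nfields):
    """Yield the colon-separated fields of each well-formed, non-comment line."""
    for line in text.splitlines():
        fields = line.strip().split(":", nfields - 1)
        if not line.startswith("#") and len(fields) == nfields:
            yield fields

def attrs(field):
    """Parse 'key=value;key=value' into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def load_profiles(text):
    """prof_attr (name:res1:res2:desc:attr) -> {name: [sub-profile names]}."""
    return {f[0]: [p for p in attrs(f[4]).get("profs", "").split(",") if p]
            for f in records(text, 5)}

def load_execs(text):
    """exec_attr (name:policy:type:res1:res2:id:attr) -> [(name, path, attrs)]."""
    return [(f[0], f[5], attrs(f[6])) for f in records(text, 7)]

def orphan_exec_profiles(profs, execs):
    """Profile names used in exec_attr that prof_attr does not define."""
    return sorted({name for name, _path, _a in execs if name not in profs})

def root_commands(profile, profs, execs, seen=None):
    """Commands a profile runs as uid/euid 0, following profs= sub-profiles."""
    seen = set() if seen is None else seen
    if profile in seen or profile not in profs:
        return set()
    seen.add(profile)
    cmds = {p for n, p, a in execs if n == profile and ROOT & {a.get("uid"), a.get("euid")}}
    for sub in profs[profile]:
        cmds |= root_commands(sub, profs, execs, seen)
    return cmds

if __name__ == "__main__":
    profs, execs = load_profiles(PROF_ATTR), load_execs(EXEC_ATTR)
    print(orphan_exec_profiles(profs, execs), {n: sorted(root_commands(n, profs, execs)) for n in profs})
```

On the sample data the misspelled "Blastware Installation" exec_attr line is reported as undefined, and "Software Installation" resolves to both pkgadd and pkg-get running as uid 0.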