[immigrants-discuss] Re: using RBAC with Blastwave pkg-get

Darren J. Moffat Darren.Moffat at Sun.COM
Thu Oct 19 05:52:35 PDT 2006


The now canonical RBAC page for OpenSolaris is: http://opensolaris.org/os/community/security/projects/rbac/

In general security-discuss is probably your best alias for RBAC questions.

I believe the only thing you will need is this single entry in /etc/security/exec_attr

Blastwave Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0

and this one in /etc/security/prof_attr

Blastwave Installation:::Add Blastwave application software to the system:

Then you assign that profile to your user account like this:

# usermod -P "Blastwave Installation" mark

You can also do all of this graphically using smc(1M).

To run it you do this (assuming /opt/csw/bin is in your path)

mark$ pfexec pkg-get apache


The reason you only need pkg-get is that entry will run pkg-get as uid 0
and everything it runs after that will also inherit that, so the wget, the pkgadd
etc etc.

Advanced options:

There already exists a "Software Installation" profile that works for
pkgadd, smpatch etc.  So you might actually want to extend that
and give yourself "Software Installation" instead.  You can do that in
two different ways.  The first is to just add the exec_attr line I gave above
but name it Software Installation.  The second, and slightly more elegant IMO,
is to update the "Software Installation" profile in prof_attr and add "Blastwave Installation"
as a sub profile of it.  In either of those cases you would give yourself
"Software Installation" and be able to use pkgadd, smpatch and pkg-get directly.

Hope that helps, if you have any further questions please follow up in the security-discuss
alias  (I've cc'd).


--
Darren J Moffat
--
This message posted from opensolaris.org
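
An added example, not part of the original message: a Python check that parses the exec_attr and prof_attr record formats, follows sub-profiles through the profs= attribute, lists the commands a profile holder gets with uid=0, and flags profile names that exec_attr uses but prof_attr never defines. The sample entries are constructed for illustration, including the pkgadd path and the misspelled profile name.

```python
# Constructed sample entries in prof_attr(4) / exec_attr(4) format (assumptions,
# not from a real system). The last exec_attr name is deliberately misspelled.
PROF_ATTR = """\
Software Installation:::Add application software to the system:profs=Blastwave Installation
Blastwave Installation:::Add Blastwave application software to the system:
"""
EXEC_ATTR = """\
Software Installation:suser:cmd:::/usr/sbin/pkgadd:uid=0
Blastwave Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0
Blastware Installation:suser:cmd:::/opt/csw/bin/pkg-get:uid=0
"""

def rows(text, nfields):  # colon-split records, padded; skips blanks/comments
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":", nfields - 1)
            yield f + [""] * (nfields - len(f))

def attrs(field):
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def load_prof_attr(text):  # name:res1:res2:desc:attr -> {profile: [sub-profiles]}
    return {f[0]: [p for p in attrs(f[4]).get("profs", "").split(",") if p]
            for f in rows(text, 5)}

def load_exec_attr(text):  # name:policy:type:res1:res2:id:attr
    return [(f[0], f[5], attrs(f[6])) for f in rows(text, 7)]

def expand(profile, profs, seen=None):
    """Return the profile plus every sub-profile reachable from it."""
    seen = set() if seen is None else seen
    if profile not in seen:
        seen.add(profile)
        for sub in profs.get(profile, []):
            expand(sub, profs, seen)
    return seen

def root_commands(profile, profs, execs):
    """Commands a holder of this profile gets with uid=0 (direct or inherited)."""
    names = expand(profile, profs)
    return sorted(c for n, c, a in execs if n in names and a.get("uid") == "0")

def dangling(profs, execs):
    """Names used in exec_attr or profs= that prof_attr never defines."""
    used = {n for n, _, _ in execs} | {s for v in profs.values() for s in v}
    return sorted(used - set(profs))

if __name__ == "__main__":
    profs, execs = load_prof_attr(PROF_ATTR), load_exec_attr(EXEC_ATTR)
    print(root_commands("Software Installation", profs, execs), dangling(profs, execs))
```

On a real system the same functions can be fed the contents of /etc/security/prof_attr and /etc/security/exec_attr to review what each profile grants before assigning it with usermod -P.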