2008/525 ikeadm token login
Paul Wernau
Paul.Wernau at sun.com
Fri Aug 15 08:38:08 PDT 2008
Darren J Moffat wrote:
> Can any user run 'ikeadm token login' ? Or is a specific authorisation
> needed ? If so what is it ? Same for logout.
>
The existing model for ikeadm in general is that a user needs to have
root privileges. A non-root user will get a permissions error
attempting to open the door to in.iked:
pwernau at host$ ikeadm dump p1
Unable to communicate with in.iked
ikeadm: open_door failed: No such file or directory
ikeadm: Fatal error - exiting.
> I'm particularly interested in the case where the key is actually a
> user's smartcard and the user has no direct root access. In this case I
> would rather not give them an RBAC profile that allows running ikeadm as
> uid=0 because then they can do other things to ike.
You bring up a good point. Is there some pre-existing authorization
you'd recommend? I see solaris.device.grant (Delegate Device
Administration) as a potential. Or we could create a new set.
I agree with you that it is worth extending the ikeadm <-> in.iked
interface to be authorization aware for this particular subcommand.
Thanks,
Paul
More information about the opensolaris-arc mailing list