Parted - GNU Partition Editor [PSARC/2009/145 FastTrack timeout 03/06/2009]
Phi Tran
Phi.Tran at sun.com
Mon Mar 2 16:31:55 PST 2009
Scott Rotondo wrote:
> Mark Logan wrote:
>> Sebastien Roy wrote:
>>> On Mon, 2009-03-02 at 14:38 -0800, Phi Tran wrote:
>>>
>>>> The following RBAC authorizations and profile will be added.
>>>>
>>>> Authorization Names:
>>>> solaris.admin.parted.:::Partition Editor::help=AuthPartedHeader.html
>>>> solaris.admin.parted.write:::Edit Partitions::help=AuthPartedWrite.html
>>>>
>>>
>>> Is there a technical reason why reading partition information would
>>> require a special authorization?
>>>
>>
>> Parted needs permission to access the raw disk device. Someone told me
>> that I needed to use RBAC to allow non-root users to run it.
>
> If parted is a setuid-root program (so it has the ability to modify raw
> disks), then it's appropriate for it to check an authorization to see if
> it should make changes on behalf of the user who is invoking it.
>
> If it's not setuid, then it won't gain any privileges just because you
> define these authorizations. You would want to include the command in an
> RBAC profile so that users who have the profile can run it with the
> necessary privileges. In that case, there is probably no reason for the
> additional authorization check.
The program isn't setuid. The model would be to include the command
with the sys_devices privileges as you stated. However, we thought that
there still needs to be a write authorization.
Phi
More information about the opensolaris-arc
mailing list