2009/184 SMB/CIFS Share Exec Properties
Darren J Moffat
Darren.Moffat at sun.com
Tue Mar 24 02:16:03 PDT 2009
Jordan Brown wrote:
> Darren J Moffat wrote:
>> Or - and this is my preferred option - there should be a requirement
>> that the commands be listed in a specific RBAC exec_attr(4) profile
>> and that smbd 'pfexec' them and by default they only run with basic
>> privs (unless the exec_attr(4) profile gives them more).
>
> That sounds like it might be theoretically correct, but it seems like a
> pretty heavyweight thing to ask users to set up. Remember that this is
> a mechanism intended to allow users to plug their own components -
> typically but not necessarily scripts - into the SMB connect/disconnect
> process.
I don't think it is heavyweight at all. In fact all that would be
required is a single entry in the specific RBAC exec_attr(4) table that
listed what uid/gid and privs the "script" ran with. That can even be
done once for the whole network and stored in NIS, NIS+, LDAP.
--
Darren J Moffat
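
The following is an added example, not part of the original message or of the ARC case. It parses exec_attr(4) lines (name:policy:type:res1:res2:id:attr) and reports which commands in one profile would run as root or with more than the basic privilege set. The profile name "SMB Share Exec", the script paths and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit exec_attr(4) entries for a single RBAC profile.
# Field layout per exec_attr(4): name:policy:type:res1:res2:id:attr
PROFILE = "SMB Share Exec"  # hypothetical profile name, not from the ARC case

# Constructed sample entries (not taken from a real system).
SAMPLE = """\
# constructed exec_attr entries
SMB Share Exec:solaris:cmd:::/opt/site/smb/on-connect.sh:uid=nobody;gid=nobody
SMB Share Exec:solaris:cmd:::/opt/site/smb/on-disconnect.sh:uid=nobody;privs=basic,file_dac_read
SMB Share Exec:solaris:cmd:::/opt/site/smb/log.sh:uid=nobody;privs=basic,!proc_fork
SMB Share Exec:suser:cmd:::/opt/site/smb/cleanup.sh:euid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
"""

def parse_entry(line):
    """Return a dict for one exec_attr line, or None if comment/blank/malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":", 6)
    if len(fields) != 7:
        return None
    name, policy, kind, _res1, _res2, cmd, attr = fields
    # attr is a ';'-separated list of key=value pairs
    attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
    return {"name": name, "policy": policy, "type": kind, "id": cmd, "attrs": attrs}

def audit(text, profile=PROFILE):
    """List (command, reasons) for entries exceeding a non-root, basic-privs baseline."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["name"] != profile:
            continue
        attrs, reasons = entry["attrs"], []
        for key in ("uid", "euid"):
            if attrs.get(key) in ("0", "root"):
                reasons.append(f"{key}={attrs[key]}")
        # No privs key is treated as the basic set; '!' or '-' prefixes remove
        # a privilege, so only additions to basic are reported.
        privs = attrs.get("privs", "basic").split(",")
        extra = [p for p in privs if p != "basic" and not p.startswith(("!", "-"))]
        if extra:
            reasons.append("privs beyond basic: " + ",".join(extra))
        if reasons:
            findings.append((entry["id"], reasons))
    return findings

if __name__ == "__main__":
    for cmd, reasons in audit(SAMPLE):
        print(cmd, "->", "; ".join(reasons))
```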