Amendments to pconsole fast-track [PSARC/2009/275 FastTrack timeout 05/08/2009]
Gary Winiger
gww at eng.sun.com
Fri May 1 13:29:47 PDT 2009
> Amendment 1:
>
> The pconsole-bin binary requires elevated privilege to be useful. We
> request to move the binary from the originally stated /usr/bin to
> /usr/sbin, in line with where other binaries requiring privilege
> usually exist.
>
> Amendment 2:
>
> A new execution profile and attribute will be defined. The specific
> RBAC additions are:
>
> /etc/security/prof_attr:
> Parallel Console Access:::Connect to remote consoles with pconsole:
>
> /etc/security/exec_attr:
> Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
                          ^^^^^                              ^^^^^^
This is fine for S7-S9, but not for S10 forward.
exec_attr(4):

     policy   The security policy that is associated with the
              profile entry. The valid policies are suser (standard
              Solaris superuser) and solaris. The solaris
              policy recognizes privileges (see privileges(5));
              the suser policy does not.

              The solaris and suser policies can coexist in the
              same exec_attr database, so that Solaris releases
              prior to the current release can use the suser
              policy and the current Solaris release can use a
              solaris policy. solaris is a superset of suser; it
              allows you to specify privileges in addition to
              UIDs. Policies that are specific to the current
              release of Solaris or that contain privileges
              should use solaris. Policies that use UIDs only or
              that are not specific to the current Solaris
              release should use suser.

What are the elevated privileges and why are they required?
Just those privileges should be specified in the privs= attribute.
Why is there a need to specify a uid?
Gary..
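
Added example, not part of the original message or of the pconsole case: a small lint that applies the review points above to exec_attr(4) entries, flagging the suser policy, uid/euid of root, and a missing privs= attribute. The finding codes, the function names and the second sample entry (profile name, command path and privilege) are constructed for illustration; the first sample entry is the one proposed in Amendment 2.

```python
# exec_attr(4) fields: name:policy:type:res1:res2:id:attr
FIELDS = ("name", "policy", "type", "res1", "res2", "id", "attr")

# Finding codes are hypothetical names chosen for this example.
MESSAGES = {
    "suser-policy": "suser policy does not recognize privileges; use solaris",
    "unknown-policy": "policy is neither suser nor solaris",
    "uid-root": "runs with uid 0; justify or replace with privs=",
    "euid-root": "runs with euid 0; justify or replace with privs=",
    "no-privs": "no privs= attribute naming the privileges required",
}

def parse_entry(line):
    """Split one entry into its seven fields and its key=value attributes."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    entry["attrs"] = dict(
        item.partition("=")[::2] for item in entry["attr"].split(";") if item
    )
    return entry

def review(line):
    """Return the list of finding codes for one exec_attr entry."""
    entry = parse_entry(line)
    attrs = entry["attrs"]
    findings = []
    if entry["policy"] == "suser":
        findings.append("suser-policy")
    elif entry["policy"] != "solaris":
        findings.append("unknown-policy")
    for key in ("uid", "euid"):
        if attrs.get(key) in ("0", "root"):
            findings.append(key + "-root")
    if "privs" not in attrs:
        findings.append("no-privs")
    return findings

# Entry as proposed in Amendment 2.
PROPOSED = "Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0"
# Constructed entry: profile, command and privilege are placeholders.
CONSTRUCTED = "Example Profile:solaris:cmd:::/usr/sbin/example-cmd:privs=file_dac_read"

if __name__ == "__main__":
    for sample in (PROPOSED, CONSTRUCTED):
        print(parse_entry(sample)["id"])
        for code in review(sample) or ["ok"]:
            print("   ", code, MESSAGES.get(code, ""))
```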