Amendments to pconsole fast-track [PSARC/2009/275 FastTrack timeout 05/08/2009]
Tim Haley
tim.haley at sun.com
Fri May 1 15:15:43 PDT 2009
Gary Winiger wrote:
>> Amendment 1:
>>
>> The pconsole-bin binary requires elevated privilege to be useful. We
>> request to move the binary from the originally stated /usr/bin to
>> /usr/sbin, in line with where other binaries requiring privilege
>> usually exist.
>>
>> Amendment 2:
>>
>> A new execution profile and attribute will be defined. The specific
>> RBAC additions are:
>>
>> /etc/security/prof_attr:
>> Parallel Console Access:::Connect to remote consoles with pconsole:
>>
>> /etc/security/exec_attr:
>> Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
>                          ^^^^^                              ^^^^^^
> This is fine for S7-S9, but not for S10 forward.
> exec_attr(4):
> policy The security policy that is associated with the
> profile entry. The valid policies are suser (standard
> Solaris superuser) and solaris. The solaris
> policy recognizes privileges (see privileges(5));
> the suser policy does not.
>
> The solaris and suser policies can coexist in the
> same exec_attr database, so that Solaris releases
> prior to the current release can use the suser
> policy and the current Solaris release can use a
> solaris policy. solaris is a superset of suser; it
> allows you to specify privileges in addition to
> UIDs. Policies that are specific to the current
> release of Solaris or that contain privileges
> should use solaris. Policies that use UIDs only or
> that are not specific to the current Solaris
> release should use suser.
>
> What are the elevated privileges and why are they required?
> Just those privileges should be specified in the privs= attribute.
> Why is there a need to specify a uid?
>
> Gary..
>
> _______________________________________________
> opensolaris-arc mailing list
> opensolaris-arc at opensolaris.org
Thanks Gary,
We'll work on narrowing the privilege and send an update.
-tim
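
Added example, not part of the original thread or of the pconsole project: a small exec_attr(4) checker that flags the two points raised in the review (suser policy, and a root uid in place of a privs= list). The narrowed entry and the name PRIV_PLACEHOLDER are constructed; the thread does not say which privileges pconsole-bin needs.

```python
# Added example: check exec_attr(4) entries against the review comments above.
ID_KEYS = ("uid", "euid")

def parse_exec_attr(line):
    """Split one name:policy:type:res1:res2:id:attr entry into a dict."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None                      # blank line or comment
    fields = line.split(":", 6)
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    name, policy, typ, _res1, _res2, ident, attr = fields
    # attr is a ';'-separated list of key=value pairs and may be empty
    attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
    return {"name": name, "policy": policy, "type": typ,
            "id": ident, "attrs": attrs}

def review(entry):
    """Return findings that mirror the questions asked in the thread."""
    findings = []
    attrs = entry["attrs"]
    if entry["policy"] not in ("suser", "solaris"):
        findings.append("unknown-policy")
    # Per exec_attr(4), the suser policy does not recognize privileges.
    if entry["policy"] == "suser" and ("privs" in attrs or "limitprivs" in attrs):
        findings.append("privs-not-recognized-by-suser")
    # A root uid/euid hands the command everything instead of named privileges.
    if any(attrs.get(k) in ("0", "root") for k in ID_KEYS):
        findings.append("runs-as-root")
        if entry["policy"] == "suser":
            findings.append("use-solaris-policy-with-privs")
    return findings

def lint(text):
    """Map each non-comment entry in text to its list of findings."""
    entries = ((l.strip(), parse_exec_attr(l)) for l in text.splitlines())
    return {line: review(e) for line, e in entries if e is not None}

# Entry as proposed in Amendment 2 of the thread.
PAGE_ENTRY = "Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0"
# Constructed narrowed form; PRIV_PLACEHOLDER stands for the privileges
# the project team has yet to identify.
NARROWED_ENTRY = ("Parallel Console Access:solaris:cmd:::"
                  "/usr/sbin/pconsole-bin:privs=PRIV_PLACEHOLDER")

if __name__ == "__main__":
    for line, findings in lint(PAGE_ENTRY + "\n" + NARROWED_ENTRY).items():
        print(line, "->", findings or "ok")
```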