
RBAC and password changes.


noauth

Dec 14, 2009, 9:03:26 AM12/14/09
It's tedious for all if only one user in a large organisation is able to
change people's passwords.

I have been playing with RBAC, trying to allow additional user "pleb1" to
change passwords. I'm at the stage where I can have "pleb1" run "pfexec
passwd userx", but I want them to be able to just type "passwd userx".

Is this possible? How?

nelson

Dec 14, 2009, 3:55:33 PM12/14/09
If you use one of the pf* aligned shells (pfsh, pfcsh, pfksh) then
yes. I actually like having to use pfexec - it helps me be aware of
when I need extra privileges, but each to their own.

ITguy

Dec 14, 2009, 8:00:13 PM12/14/09

Maybe add this to their shell:
alias passwd='/usr/bin/pfexec /usr/bin/passwd'

Fritz Wuehler

Dec 15, 2009, 11:43:35 PM12/15/09
Thank you for your replies. Apologies for the non-threading.

> I have been playing with RBAC, trying to allow additional user "pleb1"
> to change passwords.

If I script up "pfexec passwd userx" in the bespoke secure menu system we use, it works - however, the root password is solicited. I don't want (with a capital "D"!) user "pleb1" to have or need the root password.

Is there a way of working around this? My predecessor used "expect" and a hard-coded password, ack ptui! I do not want to continue this!! Can a user with an RBAC privilege change a password without needing root's pw?


Regards,

Wayne

Dec 16, 2009, 1:44:14 AM12/16/09

The whole point of RBAC is to avoid having to give root's password out.
I am no expert, but I looked into this some time ago and adapted a
Sun Blueprint article into a demo of an RBAC setup for a password
administrator. For whatever it is worth, take a look at it here:

<http://www.hccfl.edu/pollock/AUnix2/RBAC.htm>

If you want simplicity, check into sudo instead. A
sample password profile could be defined in sudoers
something like this (you should investigate passwd
options more carefully than I did here):

User_Alias PW_ADMIN_ROLE = user1

Cmnd_Alias PW_PROFILE = \
/usr/bin/passwd -[ul] [a-zA-Z]*, \
/usr/bin/passwd [a-zA-Z]*, \
!/usr/bin/passwd root, !/usr/bin/passwd user1, \
!/usr/bin/passwd -* root, !/usr/bin/passwd -* user1

PW_ADMIN_ROLE localhost = PW_PROFILE

Hope that helps! Solaris RBAC seems to be designed to be
flexible and extensible, at the expense of simplicity. I
do like it better than SE Linux role based security, but
I must again point out I'm no expert. I just use sudo.

--
Wayne

hume.sp...@bofh.ca

Dec 16, 2009, 8:28:43 AM12/16/09
Fritz Wuehler <fr...@spamexpire-200912.rodent.frell.theremailer.net> wrote:
> If I script up "pfexec passwd userx" in the bespoke secure menu system we use, it works - however, the root password is solicited. I don't want (with a capital "D"!) user "pleb1" to have or need the root password.

What prevents said user from setting root's password? If you can change
root's password, you have root.

> Is there a way of working around this? My predecessor used "expect" and a hard-coded password, ack ptui! I do not want to continue this!! Can a user with an RBAC privilege change a password without needing root's pw?

I dunno if I'd use expect, but the wrapper idea has merit to me. You can
check the arguments given in a wrapper, make sure the user isn't doing
something they're not supposed to. I don't know if RBAC has the option of
granting password-changing rights, but I doubt it can specify which users
the privileged users are allowed to alter.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
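Below is an added example of the argument-checking wrapper Brandon describes, combined with the deny-list idea from Wayne's sudoers profile. It is not code from anyone in the thread. The script name "pwadmin", the deny list in PW_DENY, and the use of pfexec as the privilege-escalation step are assumptions; the wrapper only decides whether a target account may be handed to passwd at all, so the real limiting of privilege still has to come from the RBAC profile (or sudoers rule) that allows this script and nothing else.

```sh
#!/bin/sh
# pwadmin: wrapper that validates the target account before invoking
# "pfexec passwd TARGET". Added example; names below are hypothetical.

PASSWD_BIN=/usr/bin/passwd
PFEXEC_BIN=/usr/bin/pfexec
# Constructed deny list: accounts the helpdesk user may never touch.
PW_DENY="root user1"

# validate_target TARGET CALLER
# Returns 0 when TARGET is an acceptable account name for the caller to
# change, 1 otherwise. Pure shell so it can be exercised without passwd.
validate_target() {
    target=$1
    caller=$2

    # Reject empty names and anything that looks like an option (-l, -u, --).
    case "$target" in
        '' | -*) return 1 ;;
    esac
    # Only a plain POSIX-style login: leading lowercase letter, then [a-z0-9_-].
    case "$target" in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case "$target" in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    if [ ${#target} -gt 32 ]; then
        return 1
    fi
    # A helper should not use this path to reset their own password.
    if [ "$target" = "$caller" ]; then
        return 1
    fi
    # Explicit deny list (root and the helper account, as in the sudoers rule).
    for denied in $PW_DENY; do
        if [ "$target" = "$denied" ]; then
            return 1
        fi
    done
    return 0
}

# is_privileged_account TARGET: 0 if the account resolves to uid 0.
# Belt-and-braces check in case a second uid-0 login exists.
is_privileged_account() {
    uid=$(getent passwd "$1" 2>/dev/null | cut -d: -f3)
    [ -n "$uid" ] && [ "$uid" -eq 0 ]
}

main() {
    target=$1
    caller=$(id -un)
    if ! validate_target "$target" "$caller"; then
        logger -p auth.notice "pwadmin: $caller denied password change for '$target'"
        echo "pwadmin: refusing to change password for '$target'" >&2
        exit 2
    fi
    if is_privileged_account "$target"; then
        logger -p auth.notice "pwadmin: $caller denied password change for uid-0 account '$target'"
        echo "pwadmin: '$target' is a uid-0 account" >&2
        exit 2
    fi
    logger -p auth.info "pwadmin: $caller changing password for '$target'"
    exec "$PFEXEC_BIN" "$PASSWD_BIN" "$target"
}

# Only run when given an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script accepts exactly one positional argument and never forwards options, so "passwd -d" or "passwd root" style invocations are rejected before any privilege is used; every refusal and every successful call is written to syslog via logger so the auth log shows who changed whose password.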
