I have been playing with RBAC, trying to allow additional user "pleb1" to
change passwords. I'm at the stage where I can have "pleb1" run "pfexec
passwd userx", but I want them to be able to just type "passwd userx".
Is this possible? How?
Maybe add this to their shell:
alias passwd='/usr/bin/pfexec /usr/bin/passwd'
> I have been playing with RBAC, trying to allow additional user "pleb1"
> to change passwords.
If I script up "pfexec passwd userx" in the bespoke secure menu system we use, it works - however, the root password is solicited. I don't want (with a capital "D"!) user "pleb1" to have or need the root password.
Is there a way of working around this? My predecessor used "expect" and a hard-coded password, ack ptui! I do not want to continue this!! Can a user with an RBAC privilege change a password without needing root's pw?
Regards,
The whole point of RBAC is to avoid having to give root's password out.
I am no expert but I looked into this some time ago, and adapted a
Sun Blueprint article into a demo for RBAC setup for a password
administrator. For whatever it is worth, take a look at it here:
<http://www.hccfl.edu/pollock/AUnix2/RBAC.htm>
If you want simplicity, check into sudo instead. A
sample password profile could be defined in sudoers
something like this (you should investigate passwd
options more carefully than I did here):
User_Alias PW_ADMIN_ROLE = user1
Cmnd_Alias PW_PROFILE = \
    /usr/bin/passwd -[ul] [a-zA-Z]*, \
    /usr/bin/passwd [a-zA-Z]*, \
    !/usr/bin/passwd root, !/usr/bin/passwd user1, \
    !/usr/bin/passwd -* root, !/usr/bin/passwd -* user1
# sudo matches arguments as one space-separated string, so "*" can span
# word boundaries; the "!" entries above are what actually keep root and
# user1 out, not the positive patterns.
# Host field: "localhost" only matches a machine whose hostname is
# literally "localhost"; ALL applies the rule on whatever host holds
# this sudoers file.
PW_ADMIN_ROLE ALL = PW_PROFILE
Hope that helps! Solaris RBAC seems to be designed to be
flexible and extensible, at the expense of simplicity. I
do like it better than SE Linux role based security, but
I must again point out I'm no expert. I just use sudo.
--
Wayne
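To make the RBAC side of this concrete, here is an added example (my own, not code from the thread, the Blueprint or the page Wayne links). It writes the three databases that make "pfexec passwd userx" work into a scratch directory rather than the live /etc/security files, and then resolves, the way pfexec does, which profile lets a given user run a given command and with what attributes. The profile name "Password Admin" and the user "pleb1" are assumptions; the file formats are those of prof_attr(4), exec_attr(4) and user_attr(4).

```sh
#!/bin/sh
# Added example; not code from the thread or from the Sun Blueprint.
# Writes the three RBAC databases behind "pfexec passwd userx" into a
# scratch directory ($RBAC_ROOT) and resolves, the way pfexec does,
# which profile lets a user run a command and with what attributes.
# Assumed names: profile "Password Admin", user "pleb1". A real host
# keeps these files as /etc/security/prof_attr, /etc/security/exec_attr
# and /etc/user_attr, and assigns the profile with
#   usermod -P "Password Admin" pleb1

if [ -z "${RBAC_ROOT:-}" ]; then
    RBAC_ROOT=$(mktemp -d)
    trap 'rm -rf "$RBAC_ROOT"' EXIT
fi

write_rbac_dbs() {
    # prof_attr(4): name:res1:res2:description:attr
    cat >"$RBAC_ROOT/prof_attr" <<'EOF'
Password Admin:::Change other users' passwords:
EOF
    # exec_attr(4): name:policy:type:res1:res2:id:attr
    # euid=0 is what lets passwd write the shadow file. The entry names
    # only the binary: RBAC cannot restrict the arguments, so it grants
    # "passwd root" exactly as readily as "passwd userx".
    cat >"$RBAC_ROOT/exec_attr" <<'EOF'
Password Admin:suser:cmd:::/usr/bin/passwd:euid=0
EOF
    # user_attr(4): user:qualifier:res1:res2:attr
    cat >"$RBAC_ROOT/user_attr" <<'EOF'
pleb1::::type=normal;profiles=Password Admin
EOF
}

# user_profiles USER: print the profiles= list from user_attr, one per line
user_profiles() {
    awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^profiles=/) {
                sub(/^profiles=/, "", kv[i])
                m = split(kv[i], p, ",")
                for (j = 1; j <= m; j++) print p[j]
            }
    }' "$RBAC_ROOT/user_attr"
}

# exec_entry USER CMD: print "PROFILE ATTR" for the first exec_attr entry
# in one of USER's profiles that names CMD; exit 1 if there is none.
# (Simplified: real pfexec also follows nested profiles from prof_attr,
# honours the "*" wildcard of the All profile and consults nsswitch.)
exec_entry() {
    profs=$(user_profiles "$1")
    [ -n "$profs" ] || return 1
    printf '%s\n' "$profs" | awk -F: -v c="$2" '
        NR == FNR { want[$0] = 1; next }
        ($1 in want) && $3 == "cmd" && $6 == c { print $1 " " $7; found = 1; exit }
        END { exit !found }' - "$RBAC_ROOT/exec_attr"
}

# Stand-alone run: prints "Password Admin euid=0" for pleb1 and reports
# that an unassigned user gets nothing.
write_rbac_dbs
exec_entry pleb1 /usr/bin/passwd
exec_entry nobody /usr/bin/passwd || echo "nobody: no profile grants passwd"
```

The point of the resolver is the last column: euid=0 comes from exec_attr, not from a password prompt, which is why a working profile never asks for root's password. It is also why the entry cannot say "any user except root": exec_attr names a path, nothing more.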
What prevents said user from setting root's password? If you can change
root's password, you have root.
> Is there a way of working around this? My predecessor used "expect" and a hard-coded password, ack ptui! I do not want to continue this!! Can a user with an RBAC privilege change a password without needing root's pw?
I dunno if I'd use expect, but the wrapper idea has merit to me. You can
check the arguments given in a wrapper, make sure the user isn't doing
something they're not supposed to. I don't know if RBAC has the option of
granting password-changing rights, but I doubt it can specify which users
the privileged users are allowed to alter.
--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
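Brandon's wrapper idea, worked out as an added example (my own code, not from the thread). It is the answer to his "what prevents said user from setting root's password?": Solaris exec_attr grants /usr/bin/passwd as a whole and has no way to restrict its arguments, so the check has to sit in front of pfexec. Assumed: the wrapper is installed as /usr/local/bin/pwadmin and invoked as "pwadmin userx"; the deny list and the login-name rule are choices for illustration. Unlike the sudoers sample above, it also refuses any account whose uid is 0, whatever it is called.

```sh
#!/bin/sh
# Added example, not code from the thread: a wrapper in front of
# "pfexec passwd" that refuses targets a password administrator must
# not touch. Install as /usr/local/bin/pwadmin (path assumed) and give
# the operator this instead of passwd; the RBAC profile still grants
# /usr/bin/passwd with euid=0, this script only filters the argument.

DENY_USERS="root"              # names never accepted as targets (assumed list)

# lookup_uid NAME: print the numeric uid, exit 1 if NAME is unknown
lookup_uid() { id -u "$1" 2>/dev/null; }

# pw_target_ok NAME: exit 0 if NAME may be handed to passwd, 1 otherwise
pw_target_ok() {
    name=$1
    # Shape first: a plain login name, so no option ("-d"), no second
    # argument smuggled in through whitespace, nothing empty.
    case "$name" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    # Never the operator's own account (plain passwd covers that)
    [ "$name" != "$(id -un)" ] || return 1
    # Never an explicitly denied name
    for d in $DENY_USERS; do
        [ "$name" != "$d" ] || return 1
    done
    # Never any uid-0 account, whatever it is called; unknown names fail too
    uid=$(lookup_uid "$name") || return 1
    [ "$uid" -ne 0 ] || return 1
    return 0
}

# run_passwd ARGS...: exactly one acceptable target, then hand off to RBAC
run_passwd() {
    if [ $# -ne 1 ] || ! pw_target_ok "$1"; then
        echo "pwadmin: refusing to change password for '$*'" >&2
        return 2
    fi
    exec pfexec /usr/bin/passwd "$1"
}

# Only act when invoked with an argument, so the file can also be sourced.
[ $# -eq 0 ] || run_passwd "$@"
```

The order of the checks matters: the name is validated for shape before anything is looked up or executed, so option-looking strings never reach passwd at all, and the uid test catches a second root-equivalent account that a name-based deny list would miss.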