From: Gary Mills on 14 Apr 2008 17:57

We're upgrading a server from Solaris 9 to Solaris 10. This would be
a good opportunity to convert our init.d scripts into SMF services.
Creating a manifest and a method is relatively easy. However, there
are a group of users who use sudo to stop and start the process as
root. How do we give them the ability to run svcadm to enable or
disable the service on Solaris 10? Can this be done in the manifest
or the method script? We can't modify the executable itself.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

From: hume.spamfilter on 14 Apr 2008 21:52

Gary Mills <mills(a)cc.umanitoba.ca> wrote:
> root. How do we give them the ability to run svcadm to enable or
> disable the service on Solaris 10? Can this be done in the manifest
> or the method script? We can't modify the executable itself.

Well, on my box as an example, to start and stop the icecast server, I
place in the SMF manifest, right after the last exec_method:

    <property_group name='general' type='framework'>
        <propval name='action_authorization' type='astring'
            value='solaris.smf.manage.icecast'/>
        <propval name='enabled' type='boolean' value='false'/>
        <propval name='value_authorization' type='astring'
            value='solaris.smf.manage.icecast'/>
    </property_group>

And then in /etc/user_attr I have:

    hume::::type=normal;auths=solaris.smf.manage.icecast

... which seems to work okay.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

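Added example, not part of the original posts: a small audit that reads the *_authorization properties from a manifest's 'general' property group and lists which /etc/user_attr entries hold a matching authorization. The manifest fragment, the users "ops" and "guest", and all function names are constructed for illustration; it checks only direct auths= entries (authorizations granted through profiles are not resolved) and assumes a trailing '*' in a granted authorization acts as a prefix wildcard.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified manifest fragment using the property group from the post.
MANIFEST = """<service name='network/icecast' type='service' version='1'>
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring' value='solaris.smf.manage.icecast'/>
    <propval name='enabled' type='boolean' value='false'/>
    <propval name='value_authorization' type='astring' value='solaris.smf.manage.icecast'/>
  </property_group>
</service>"""

# Constructed /etc/user_attr content; "ops" and "guest" are hypothetical users.
USER_ATTR = """hume::::type=normal;auths=solaris.smf.manage.icecast
ops::::type=normal;auths=solaris.smf.manage.*,solaris.jobs.user
guest::::type=normal
"""

def required_auths(manifest_xml):
    """Return {property name: authorization} from the 'general' property group."""
    root = ET.fromstring(manifest_xml)
    return {pv.get("name"): pv.get("value")
            for pg in root.iter("property_group") if pg.get("name") == "general"
            for pv in pg.iter("propval")
            if (pv.get("name") or "").endswith("_authorization")}

def user_auths(user_attr_text):
    """Parse user:qualifier:res1:res2:attr lines into {user: [authorizations]}."""
    result = {}
    for line in user_attr_text.splitlines():
        fields = line.strip().split(":", 4)
        if line.startswith("#") or len(fields) < 5:
            continue  # comment, blank or malformed line
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        result[fields[0]] = [a for a in attrs.get("auths", "").split(",") if a]
    return result

def matches(granted, needed):
    """Exact match, or a granted name ending in '*' treated as a prefix wildcard."""
    return granted == needed or (granted.endswith("*") and needed.startswith(granted[:-1]))

def who_can(manifest_xml, user_attr_text):
    """Return {property name: sorted users whose auths satisfy it}."""
    users = user_auths(user_attr_text)
    return {prop: sorted(u for u, gs in users.items() if any(matches(g, need) for g in gs))
            for prop, need in required_auths(manifest_xml).items()}

if __name__ == "__main__":
    print(who_can(MANIFEST, USER_ATTR))
```

Run against the real manifest and user_attr, the wildcard case is the one worth reviewing: a broad grant such as the constructed "ops" entry covers the service without naming it.
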
From: Gary Mills on 14 Apr 2008 22:06

In <fu11p0$jk3$1(a)Kil-nws-1.UCIS.Dal.Ca> hume.spamfilter(a)bofh.ca writes:

>Gary Mills <mills(a)cc.umanitoba.ca> wrote:
>> root. How do we give them the ability to run svcadm to enable or
>> disable the service on Solaris 10? Can this be done in the manifest
>> or the method script? We can't modify the executable itself.

>Well, on my box as an example, to start and stop the icecast server, I
>place in the SMF manifest, right after the last exec_method:

> <property_group name='general' type='framework'>
>     <propval name='action_authorization' type='astring'
>         value='solaris.smf.manage.icecast'/>
>     <propval name='enabled' type='boolean' value='false'/>
>     <propval name='value_authorization' type='astring'
>         value='solaris.smf.manage.icecast'/>
> </property_group>

>And then in /etc/user_attr I have:

>hume::::type=normal;auths=solaris.smf.manage.icecast

That seems to be exactly what I want. I'd like to eliminate sudo in
favour of RBAC, as you noticed. Is this portion of the manifest
documented someplace? Is there an existing service that I can use as
a model?

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

From: Chris Ridd on 15 Apr 2008 02:06

On 2008-04-15 03:06:06 +0100, Gary Mills <mills(a)cc.umanitoba.ca> said:

> In <fu11p0$jk3$1(a)Kil-nws-1.UCIS.Dal.Ca> hume.spamfilter(a)bofh.ca writes:
>
>> Gary Mills <mills(a)cc.umanitoba.ca> wrote:
>>> root. How do we give them the ability to run svcadm to enable or
>>> disable the service on Solaris 10? Can this be done in the manifest
>>> or the method script? We can't modify the executable itself.
>
>> Well, on my box as an example, to start and stop the icecast server, I
>> place in the SMF manifest, right after the last exec_method:
>
>> <property_group name='general' type='framework'>
>>     <propval name='action_authorization' type='astring'
>>         value='solaris.smf.manage.icecast'/>
>>     <propval name='enabled' type='boolean' value='false'/>
>>     <propval name='value_authorization' type='astring'
>>         value='solaris.smf.manage.icecast'/>
>> </property_group>
>
>> And then in /etc/user_attr I have:
>
>> hume::::type=normal;auths=solaris.smf.manage.icecast
>
> That seems to be exactly what I want. I'd like to eliminate sudo in
> favour of RBAC, as you noticed. Is this portion of the manifest
> documented someplace? Is there an existing service that I can use as
> a model?

Does that same manifest still work on a system without RBAC?

Cheers,
Chris

From: Thommy M. on 15 Apr 2008 13:07

Chris Ridd wrote:
> On 2008-04-15 03:06:06 +0100, Gary Mills <mills(a)cc.umanitoba.ca> said:
>
>> In <fu11p0$jk3$1(a)Kil-nws-1.UCIS.Dal.Ca> hume.spamfilter(a)bofh.ca writes:
>>
>>> Gary Mills <mills(a)cc.umanitoba.ca> wrote:
>>>> root. How do we give them the ability to run svcadm to enable or
>>>> disable the service on Solaris 10? Can this be done in the manifest
>>>> or the method script? We can't modify the executable itself.
>>
>>> Well, on my box as an example, to start and stop the icecast server, I
>>> place in the SMF manifest, right after the last exec_method:
>>
>>> <property_group name='general' type='framework'>
>>>     <propval name='action_authorization' type='astring'
>>>         value='solaris.smf.manage.icecast'/>
>>>     <propval name='enabled' type='boolean' value='false'/>
>>>     <propval name='value_authorization' type='astring'
>>>         value='solaris.smf.manage.icecast'/>
>>> </property_group>
>>
>>> And then in /etc/user_attr I have:
>>
>>> hume::::type=normal;auths=solaris.smf.manage.icecast
>>
>> That seems to be exactly what I want. I'd like to eliminate sudo in
>> favour of RBAC, as you noticed. Is this portion of the manifest
>> documented someplace? Is there an existing service that I can use as
>> a model?
>
> Does that same manifest still work on a system without RBAC?

What kind of system that supports SMF will not support RBAC?