Re: [osol-discuss] pfexec does not work any longer
Brian,

Thanks for the information, but it does not work. I will have another look at the documentation, since I may be missing something in the new release.

Andrew

On 11/14/11 07:36 PM, Brian Cameron wrote:
> Andrew:
>
> The functional replacement of the Primary Administrator RBAC profile is System Administrator. If you use this instead, you should find that your user is able to run programs with pfexec in much the same way as you used to do with Primary Administrator.
>
> Note that if you set up your login shell to a shell like pfsh, pfksh, pfcsh, pfbash, ..., then you do not have to run programs with pfexec when needed. With these shells, pfexec is automatically used when needed.
>
> If you want users to need to enter a role password in order to run programs, you can also configure the user to have access to a role which has the needed privileges (e.g. root). If RBAC is configured this way, then the panel will present the dialog to enter this role password before running such programs. But, it sounds like you more just want to use the System Administrator profile and avoid needing to enter passwords.
>
> Others have recommended sudo. The sudo program is useful for those people who find it the best way to configure a needed system. That said, using sudo to just avoid the use of RBAC is probably not the best use.
>
> Brian
>
> On 11/11/11 11:37 AM, Andrew Watkins wrote:
>> I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.
>>
>> On the old Solaris 11 Express box it works:
>> ===
>> % grep andrew /etc/user_attr
>> andrew::::profiles=Primary Administrator;roles=root
>> % id
>> uid=102(andrew) gid=10(staff)
>> % pfexec id
>> uid=0(root) gid=0(root)
>>
>> Now on Solaris 11 it does not:
>> ==
>> grep andrew /etc/user_attr
>> andrew::::profiles=Primary Administrator;roles=root
>> % id
>> uid=102(andrew) gid=10(staff)
>> % pfexec id
>> uid=102(andrew) gid=10(staff)
>>
>> What do I have to do to get pfexec working again?
>>
>> Cheers,
>> Andrew

-- 
Andrew Watkins * Birkbeck College
http://notallmicrosoft.blogspot.com/

___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
Re: [osol-discuss] pfexec does not work any longer
> Brian,
>
> Thanks for the information, but it does not work. I will have another look at the documentation, since I may be missing something in the new release.
>
> Andrew

pfexec was only intended for roles and not for ordinary users; the Primary Administrator profile was dangerous, but when it was assigned to a role it wasn't as dangerous as assigning it to a user. The first one requires a second password (su role cmd), but the latter one makes it easy to exploit the system from any account assigned that role.

We felt that having "pfexec id" print "uid=0(root) gid=0(root)" is a bug, not a feature. There are no profiles in Solaris 11 which deliver that functionality.

You can tell su to work like sudo by enabling pam_tty_tickets.so(1). (Yes, it is a bug that it is in that section and with that name.)

With the old Primary Administrator it was really clear when you ran with a profile shell: the shell is started as root and you get a # prompt.

Of course, you can reinvent Primary Administrator, but we recommend against that.

Casper
Re: [osol-discuss] pfexec does not work any longer
Andrew,

> I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.

As an adjunct, I have a memory that a number of years ago someone high up in Security (Glenn or Scott) said you are not supposed to use pfexec for that. At the time, this comment was largely ignored, because doing this with pfexec just worked. It now looks like this oversight has been rectified.

Regards...
Sean.
Re: [osol-discuss] pfexec does not work any longer
Andrew:

> Thanks for the information, but it does not work. I will have another look at the documentation, since I may be missing something in the new release.

For example, I use a line like this in the /etc/user_attr file for each user that needs to have root role access:

user::::roles=root;profiles=System Administrator,punchin;lock_after_retries=no

You can omit the ",punchin" if you don't use it, of course.

But you say it does not work. If you are using a user with settings like this in /etc/user_attr, and if you are seeing issues, then what does not seem to be working right?

Also, Darren is right that the GNOME Panel does not support the sudo-like default of not requiring re-authentication for a period of time. But note that the panel should not pop up dialogs asking for passwords if your user is associated with the System Administrator profile, only if your user does not, but has access to the root role. So, it is pretty easy to configure users with RBAC to not require passwords to run the programs needed.

Brian

On 11/14/11 07:36 PM, Brian Cameron wrote:
> Andrew:
>
> The functional replacement of the Primary Administrator RBAC profile is System Administrator. If you use this instead, you should find that your user is able to run programs with pfexec in much the same way as you used to do with Primary Administrator.
>
> Note that if you set up your login shell to a shell like pfsh, pfksh, pfcsh, pfbash, ..., then you do not have to run programs with pfexec when needed. With these shells, pfexec is automatically used when needed.
>
> If you want users to need to enter a role password in order to run programs, you can also configure the user to have access to a role which has the needed privileges (e.g. root). If RBAC is configured this way, then the panel will present the dialog to enter this role password before running such programs. But, it sounds like you more just want to use the System Administrator profile and avoid needing to enter passwords.
>
> Others have recommended sudo. The sudo program is useful for those people who find it the best way to configure a needed system. That said, using sudo to just avoid the use of RBAC is probably not the best use.
>
> Brian
>
> On 11/11/11 11:37 AM, Andrew Watkins wrote:
>> I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.
>>
>> On the old Solaris 11 Express box it works:
>> ===
>> % grep andrew /etc/user_attr
>> andrew::::profiles=Primary Administrator;roles=root
>> % id
>> uid=102(andrew) gid=10(staff)
>> % pfexec id
>> uid=0(root) gid=0(root)
>>
>> Now on Solaris 11 it does not:
>> ==
>> grep andrew /etc/user_attr
>> andrew::::profiles=Primary Administrator;roles=root
>> % id
>> uid=102(andrew) gid=10(staff)
>> % pfexec id
>> uid=102(andrew) gid=10(staff)
>>
>> What do I have to do to get pfexec working again?
>>
>> Cheers,
>> Andrew
Re: [osol-discuss] pfexec does not work any longer
Andrew:

The functional replacement of the Primary Administrator RBAC profile is System Administrator. If you use this instead, you should find that your user is able to run programs with pfexec in much the same way as you used to do with Primary Administrator.

Note that if you set up your login shell to a shell like pfsh, pfksh, pfcsh, pfbash, ..., then you do not have to run programs with pfexec when needed. With these shells, pfexec is automatically used when needed.

If you want users to need to enter a role password in order to run programs, you can also configure the user to have access to a role which has the needed privileges (e.g. root). If RBAC is configured this way, then the panel will present the dialog to enter this role password before running such programs. But, it sounds like you more just want to use the System Administrator profile and avoid needing to enter passwords.

Others have recommended sudo. The sudo program is useful for those people who find it the best way to configure a needed system. That said, using sudo to just avoid the use of RBAC is probably not the best use.

Brian

On 11/11/11 11:37 AM, Andrew Watkins wrote:
> I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.
>
> On the old Solaris 11 Express box it works:
> ===
> % grep andrew /etc/user_attr
> andrew::::profiles=Primary Administrator;roles=root
> % id
> uid=102(andrew) gid=10(staff)
> % pfexec id
> uid=0(root) gid=0(root)
>
> Now on Solaris 11 it does not:
> ==
> grep andrew /etc/user_attr
> andrew::::profiles=Primary Administrator;roles=root
> % id
> uid=102(andrew) gid=10(staff)
> % pfexec id
> uid=102(andrew) gid=10(staff)
>
> What do I have to do to get pfexec working again?
>
> Cheers,
> Andrew
[osol-discuss] pfexec does not work any longer
I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.

On the old Solaris 11 Express box it works:
===
% grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
% id
uid=102(andrew) gid=10(staff)
% pfexec id
uid=0(root) gid=0(root)

Now on Solaris 11 it does not:
==
grep andrew /etc/user_attr
andrew::::profiles=Primary Administrator;roles=root
% id
uid=102(andrew) gid=10(staff)
% pfexec id
uid=102(andrew) gid=10(staff)

What do I have to do to get pfexec working again?

Cheers,
Andrew

-- 
Andrew Watkins * Birkbeck College
http://notallmicrosoft.blogspot.com/
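An added example (my own, not code from this thread or from Solaris) for auditing the kind of /etc/user_attr entries shown in the grep output above and in Brian's suggested line: a small sh/awk script that parses the fifth (attribute) field per user_attr(4) and lists accounts still carrying the removed Primary Administrator profile, which pfexec no longer honours on Solaris 11, alongside accounts that can assume the root role. The sample file, its user names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an /etc/user_attr-style file for
# accounts whose attribute field still names the removed Primary Administrator
# profile (no privilege via pfexec on Solaris 11) or can assume the root role.
# Format per user_attr(4): user:qualifier:res1:res2:attr, attr = key=value;...
# The sample file below is constructed for this example.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample user_attr
root::::auths=solaris.*;profiles=All;lock_after_retries=no
andrew::::profiles=Primary Administrator;roles=root
brian::::roles=root;profiles=System Administrator,punchin;lock_after_retries=no
guest::::profiles=Basic Solaris User
EOF
# user_attr_lookup FILE USER: print "user<TAB>profiles<TAB>roles", or nothing.
user_attr_lookup() {
    awk -F: -v who="$2" '
        /^#/ || NF < 5 { next }
        $1 == who {
            n = split($5, kv, ";"); p = ""; r = ""
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                key = substr(kv[i], 1, eq - 1); val = substr(kv[i], eq + 1)
                if (key == "profiles") p = val
                if (key == "roles") r = val
            }
            printf "%s\t%s\t%s\n", $1, p, r
        }' "$1"
}

# attr_users FILE KEY VALUE: users whose KEY list (comma separated) has VALUE.
attr_users() {
    awk -F: -v key="$2" -v val="$3" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) != key) continue
                m = split(substr(kv[i], eq + 1), items, ",")
                for (j = 1; j <= m; j++) if (items[j] == val) print $1
            }
        }' "$1"
}

# On the sample: stale profile -> andrew; root role -> andrew and brian.
stale_primary_admin() { attr_users "$1" profiles "Primary Administrator"; }
root_role_users()     { attr_users "$1" roles root; }
```

Point both functions at the real /etc/user_attr to find accounts that silently lost privilege in the upgrade (stale profile) versus those that still escalate only through the root role password.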
Re: [osol-discuss] pfexec does not work any longer
On 11/11/11 09:37, Andrew Watkins wrote:
> Now on Solaris 11 it does not:
> ==
> grep andrew /etc/user_attr
> andrew::::profiles=Primary Administrator;roles=root

Solaris 11 no longer includes the Primary Administrator profile.

-- 
	-Alan Coopersmith-              alan.coopersm...@oracle.com
	 Oracle Solaris Platform Engineering: X Window System
Re: [osol-discuss] pfexec does not work any longer
On 11/12/11 06:52 AM, Alan Coopersmith wrote:
> On 11/11/11 09:37, Andrew Watkins wrote:
>> Now on Solaris 11 it does not:
>> ==
>> grep andrew /etc/user_attr
>> andrew::::profiles=Primary Administrator;roles=root
>
> Solaris 11 no longer includes the Primary Administrator profile.

So what is the equivalent?

-- 
Ian.
Re: [osol-discuss] pfexec does not work any longer
On 11/11/11 10:55, Ian Collins wrote:
> On 11/12/11 06:52 AM, Alan Coopersmith wrote:
>> On 11/11/11 09:37, Andrew Watkins wrote:
>>> Now on Solaris 11 it does not:
>>> ==
>>> grep andrew /etc/user_attr
>>> andrew::::profiles=Primary Administrator;roles=root
>>
>> Solaris 11 no longer includes the Primary Administrator profile.
>
> So what is the equivalent?

sudo is now the preferred default mechanism for authentication. It also caches the authentication for a short period before requiring it again.

-Shawn
Re: [osol-discuss] pfexec does not work any longer
Andrew Watkins and...@dcs.bbk.ac.uk wrote:
> I have lost the ability of making a user have access to root on Solaris 11 using the command pfexec.

Allowing people to become root with pfexec is a security hole that I described years ago. People who succeed in running commands via vulnerabilities of e.g. the browser will be able to gain root privileges with no extra effort, as there is no password.

Jörg

-- 
EMail: jo...@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       j...@cs.tu-berlin.de (uni)
       joerg.schill...@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily