This is a proposal for adding RBAC support to beadm. Currently one needs to 
either be root or add /sbin/beadm to one of the exec profiles in 
/etc/security/exec_attr and then do 'pfexec beadm create BE' in order to create 
a BE. I'd like to propose handling this in beadm so regular users with proper 
assigned authority only need to execute 'beadm create BE' without doing the 
manual steps mentioned above. 

To do this beadm needs to check if the user has the proper authority and if so, 
seteuid to root. I've got a prototype of this working but wonder if it is worth 
the security risk of making beadm a setuid program. If beadm doesn't become a 
setuid program then the user will have to use pfsh or pfexec to manage BEs. So 
what I would appreciate comments on is whether it is worth the extra risk of 
making beadm a setuid program.

Thanks
Tim
--
This message posted from opensolaris.org
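
The check-then-seteuid flow described in the message, as an added C example that is not the poster's prototype or beadm code: it drops the setuid euid at startup and raises it only around the privileged step, and only after the authorization check passes. All function names here are hypothetical; the `authorized` callback is assumed to wrap the platform RBAC lookup (on Solaris, chkauthattr(3SECDB) with whatever authorization name beadm would define).

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hooks: `authorized` stands in for the RBAC lookup, `op` needs root. */
typedef int (*auth_check_fn)(uid_t ruid);
typedef int (*priv_op_fn)(void *arg);
static uid_t saved_euid;   /* euid granted by the setuid bit */
static int initialized;

/* Call first in main(): remember the setuid euid, then run as the real user. */
int priv_init(void)
{
    saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    initialized = 1;
    return 0;
}

/* Raise euid only around `op`, and only if the real user is authorized. */
int run_privileged(auth_check_fn authorized, priv_op_fn op, void *arg)
{
    int rc;
    if (!initialized || geteuid() != getuid())
        return -1;                    /* privilege was never dropped */
    if (!authorized(getuid()))
        return -1;                    /* fail closed, euid untouched */
    if (seteuid(saved_euid) != 0)
        return -1;
    rc = op(arg);
    if (seteuid(getuid()) != 0)
        _exit(1);                     /* never continue with raised euid */
    return rc;
}

/* Constructed stubs so the example runs without Solaris RBAC or root. */
int deny_all(uid_t ruid)  { (void)ruid; return 0; }
int allow_all(uid_t ruid) { (void)ruid; return 1; }
int count_op(void *arg)   { ++*(int *)arg; return 0; }

int main(void)
{
    int calls = 0, denied, allowed;
    if (priv_init() != 0) return 1;
    denied = run_privileged(deny_all, count_op, &calls);
    allowed = run_privileged(allow_all, count_op, &calls);
    printf("denied=%d allowed=%d calls=%d\n", denied, allowed, calls);
    return 0;
}
```

With this structure the code that runs with euid 0 is limited to the body of `op`, which is the part a review of a setuid beadm would need to cover.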