On Tue, Mar 03, 2009 at 09:42:40AM +0800, Lizhong Li wrote:
> Now I found only user 'profiles=Network Autoconf' can execute 'nwamcfg
> -f ...' correctly, while users with
> 'auths=solaris.network.autoconf.read' or
> 'auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write,auths=solaris.network.autoconf.refresh'
> can also get the return code 0 to indicate the action is executed
> correctly though it failed indeed, this is confusing.

Hmm, this is indeed confusing!  First, let's clarify what we think
*should* be happening:

- The nwamcfg -f operation should require solaris.network.autoconf.write.
  If executed by a user without that auth, the "Insufficient priv"
  message should be printed, with return code 1.

- The nwamcfg list operation should require solaris.network.autoconf.read.
  If executed by a user without that auth, the "Insufficient priv"
  message should be printed, with return code 1.

You are seeing expected behavior (success for both commands) for a
user that has the "Network Autoconf" profile assigned.

You are seeing mixed results when you assign authorizations directly
to the user, rather than using profiles.

I think there might be a config issue here: you mention

> users with
> 'auths=solaris.network.autoconf.read' or
> 'auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write,auths=solaris.network.autoconf.refresh'

The first example assigns only the read authorization; I would expect
a user with that authorization to be unable to do 'nwamcfg -f', but
be able to do 'nwamcfg list' (they can read, but not write).

The second example is I think incorrect syntax.  If you want to give
multiple authorizations to a user (I'm assuming this is from
/etc/user_attr), you list them as

'auths=solaris.network.autoconf.read,solaris.network.autoconf.write,solaris.network.autoconf.refresh'

That is, 'auths=auth1,auth2,auth3', rather than
'auths=auth1,auths=auth2,...'

Does this make sense?  If you could try your tests again, and verify
what auths the user has using the 'auths' command, that would be
really helpful.

Thanks!
renee

> Lizhong
>
> Lizhong Li wrote:
> > Anurag,
> >
> > I found there's no auth restriction for "nwamcfg -f ...", is it a defect?
> >
> > bash-3.2$ /usr/sbin/nwamcfg -f nwamcfg_destroy_a.s
> > Configuration read.
> > bash-3.2$ echo $?
> > 0
> >
> > bash-3.2$ /usr/sbin/nwamcfg
> > nwamcfg> list
> > List error: Insufficient privileges for action
> >
>
> --
> Thanks,
> Lizhong
>
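
An added example, not part of the original message: a small lint for the `auths` attribute in `/etc/user_attr`-style entries that flags the repeated-key form 'auths=auth1,auths=auth2,...' discussed in the reply. The sample entries and user names are constructed, and treating any list item that contains '=' as an invalid authorization name is an assumption of this example.

```python
"""Lint the auths attribute of user_attr-style entries (added example)."""

# Constructed sample in the user:qualifier:res1:res2:attr layout;
# the user names are hypothetical.
SAMPLE = """\
# constructed sample, not from a real system
alice::::auths=solaris.network.autoconf.read
bob::::auths=solaris.network.autoconf.read,auths=solaris.network.autoconf.write,auths=solaris.network.autoconf.refresh
carol::::type=normal;auths=solaris.network.autoconf.read,solaris.network.autoconf.write,solaris.network.autoconf.refresh
"""


def parse_attrs(field):
    """Split the attr field (key=value pairs separated by ';') into a dict."""
    attrs = {}
    for pair in field.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)  # split on the first '=' only
            attrs[key.strip()] = value.strip()
    return attrs


def lint_entry(line):
    """Return (user, auths, problems) for one entry; None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":", 4)
    if len(fields) != 5:
        return (fields[0], [], ["expected 5 colon-separated fields"])
    user, attrs = fields[0], parse_attrs(fields[4])
    auths, problems = [], []
    for item in filter(None, (a.strip() for a in attrs.get("auths", "").split(","))):
        if "=" in item:
            # Assumption: an item such as 'auths=auth2' is a repeated key,
            # not an authorization name, so it is reported and not counted.
            problems.append(f"'{item}' is not an authorization name; "
                            "use auths=auth1,auth2")
        else:
            auths.append(item)
    return (user, auths, problems)


def lint(text):
    """Lint every entry in text, skipping comments and blank lines."""
    return [r for r in map(lint_entry, text.splitlines()) if r]


if __name__ == "__main__":
    for user, auths, problems in lint(SAMPLE):
        print(user, "BAD" if problems else "OK", auths, *problems, sep="\n  ")
```

Under that assumption, the repeated-key entry yields only the read authorization, which is why checking the result with the `auths` command, as the reply asks, is the useful next step.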
