Hi Darren,

I've worked out my draft version of two new profiles as you suggested. Please see below for details:

[usr/src/lib/libsecdb/prof_attr]

SCSI Device Info:::Inquiry, read device information:help=RtSCSIDevInfo.html
SCSI Device Management:::Manage, modify device status or data:profiles=SCSI Device Info;help=RtSCSIDevMngmnt.html

[usr/src/lib/libsecdb/exec_attr]

SCSI Device Info:solaris:cmd:::/usr/bin/sg_get_config:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_ident:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_inq:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_logs:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_luns:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_modes:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_opcodes:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_read_buffer:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_read_long:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_readcap:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_requests:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_rmsn:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_rtpg:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_safte:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_sat_identify:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_vpd:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_persist:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_prevent:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_raw:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_rdac:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_reassign:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_sat_set_features:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_senddiag:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_ses:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_start:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_stpg:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_sync:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_turs:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_verify:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_wr_mode:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_write_buffer:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_write_long:euid=0;privs=sys_devices

Comments are welcome.

Thanks a lot and best regards,
-Xiao

Darren J Moffat wrote:
> xiao li - Sun Microsystems - Beijing China wrote:
>> The "System Administrator" is not a user; it's one of the existing
>> rights profiles, and we could grant it to any user or role as we want.
>> These commands are by design for system administration, so I think we
>> should put them under the rights profile "File System Management",
>> which is a supplementary rights profile of "System Administrator".
>> So it will depend on the customers which user/role would run these
>> commands, not restricted to superuser (root).
>
> Since this has NOTHING to do with "File Systems" I don't think that is
> an appropriate existing RBAC profile.
>
> I would like to see one or maybe two new profiles:
>
> "SCSI Device Info": contains the non-empty set of commands from this
> case that require privilege but are non-destructive in all their modes
> of operation, i.e. they are "status/info" commands only.
>
> "SCSI Device Management": contains all of "SCSI Device Info" (as an
> included profile if possible) plus any commands from this case that
> have a destructive or change capability.
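For anyone reviewing a draft like the one above, here is a small checker, added as an illustration of the two file formats; it is not code from this thread or from the libsecdb sources. It parses the prof_attr(4) and exec_attr(4) field layouts, follows the profiles= inclusion that Darren asked for, and reports what a reviewer would look for: duplicate exec_attr entries, exec_attr entries whose profile has no prof_attr line, entries that grant nothing, and commands listed directly in a profile that already inherits them from an included profile. The embedded excerpts are constructed from the draft (a handful of entries, with sg_sync listed twice on purpose), and all function names are my own.

```python
"""Lint draft Solaris RBAC profiles (prof_attr(4) and exec_attr(4) entries).

Added example, not code from the thread or from libsecdb. Field layouts:
  prof_attr: name:res1:res2:desc:attr
  exec_attr: name:policy:type:res1:res2:id:attr
attr is a ';'-separated list of key=value; the values of 'profiles=' and
'privs=' are ','-separated lists.
"""

# Constructed excerpt of the draft: two profiles, Management includes Info.
PROF_ATTR = """\
SCSI Device Info:::Inquiry, read device information:help=RtSCSIDevInfo.html
SCSI Device Management:::Manage, modify device status or data:profiles=SCSI Device Info;help=RtSCSIDevMngmnt.html
"""

# Constructed excerpt; sg_sync is deliberately listed twice so the duplicate
# check has something to find.
EXEC_ATTR = """\
SCSI Device Info:solaris:cmd:::/usr/bin/sg_inq:euid=0;privs=sys_devices
SCSI Device Info:solaris:cmd:::/usr/bin/sg_readcap:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_sync:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_raw:euid=0;privs=sys_devices
SCSI Device Management:solaris:cmd:::/usr/bin/sg_sync:euid=0;privs=sys_devices
"""

# exec_attr keywords that actually change what the command runs with.
GRANT_KEYS = {"uid", "euid", "gid", "egid", "privs", "limitprivs"}


def parse_attrs(field):
    """'k=v;k2=v2' -> {'k': 'v', 'k2': 'v2'}; an empty field gives {}."""
    attrs = {}
    for kv in filter(None, field.split(";")):
        key, _, value = kv.partition("=")
        attrs[key] = value
    return attrs


def _records(text):
    """Yield non-blank, non-comment lines (both files allow '#' comments)."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line


def parse_prof_attr(text):
    """Return {profile name: {'desc': str, 'attrs': dict}}."""
    profiles = {}
    for line in _records(text):
        name, _res1, _res2, desc, attr = line.split(":", 4)
        profiles[name] = {"desc": desc, "attrs": parse_attrs(attr)}
    return profiles


def parse_exec_attr(text):
    """Return a list of {'profile', 'policy', 'type', 'id', 'attrs'} dicts."""
    entries = []
    for line in _records(text):
        name, policy, typ, _res1, _res2, ident, attr = line.split(":", 6)
        entries.append({"profile": name, "policy": policy, "type": typ,
                        "id": ident, "attrs": parse_attrs(attr)})
    return entries


def effective_commands(profiles, entries, name, _seen=None):
    """Commands granted by `name`, following profiles= inclusion recursively.
    An inclusion cycle is tolerated (visited once), not reported."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    cmds = {e["id"] for e in entries if e["profile"] == name}
    included = profiles.get(name, {}).get("attrs", {}).get("profiles", "")
    for sub in filter(None, included.split(",")):
        cmds |= effective_commands(profiles, entries, sub, seen)
    return cmds


def lint(profiles, entries):
    """Return human-readable findings; an empty list means the draft is clean."""
    findings = []
    seen = set()
    for e in entries:
        key = (e["profile"], e["id"])
        if key in seen:
            findings.append(f"duplicate exec_attr entry for {e['id']} in '{e['profile']}'")
        seen.add(key)
        if e["profile"] not in profiles:
            findings.append(f"exec_attr profile '{e['profile']}' has no prof_attr entry")
        if (e["policy"], e["type"]) != ("solaris", "cmd"):
            findings.append(f"{e['id']}: unexpected policy/type {e['policy']}:{e['type']}")
        if not (e["attrs"].keys() & GRANT_KEYS):
            findings.append(f"{e['id']}: entry sets no uid/gid/privs keyword")
    # A command inherited via profiles= need not be listed again by the
    # including profile; flag such redundant direct entries.
    for name, prof in profiles.items():
        direct = {e["id"] for e in entries if e["profile"] == name}
        for sub in filter(None, prof["attrs"].get("profiles", "").split(",")):
            if sub not in profiles:
                findings.append(f"'{name}' includes unknown profile '{sub}'")
                continue
            for cmd in sorted(direct & effective_commands(profiles, entries, sub)):
                findings.append(f"'{name}' lists {cmd} directly; it is already inherited from '{sub}'")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_prof_attr(PROF_ATTR), parse_exec_attr(EXEC_ATTR)):
        print(finding)
```

Run against the real files (read /etc/security/prof_attr and /etc/security/exec_attr instead of the embedded excerpts) it gives a quick sanity check before a putback: on the excerpt it reports only the duplicated sg_sync entry, and it confirms that "SCSI Device Management" reaches every "SCSI Device Info" command through the profiles= inclusion rather than through a second copy of each line.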
