On Thu, May 15, 2008 at 11:57:36AM -0700, John Plocher wrote:
> In "sudo land", I'm used to a model where
>
>     I'm just "me" until I wish to increase my abilities, at
>     which point I sudo to enable my superpowers.  When I'm
>     done playing god, (and stop using sudo) those powers go
>     away.
>
> in "RBAC land", the model seems to be
>
>     I'm never just me, I always have some set of superpowers
>     that I can never turn off, so I always need to be more
>     careful about consequences and side effects.
>
> Am I misunderstanding things?  If so, you can probably ignore
> the rest (except maybe for humor value).

You did misunderstand RBAC.

In RBAC land pfexec is the equivalent of sudo.

IF you use a pf*sh THEN you have what you described above.  And one
could just as easily write sudo*sh too.  These shells are like normal
shells that prepend pfexec (or SUDO, if there were sudo*sh shells) to
every non-built-in command-line.

The only differences between SUDO and RBAC are:

 - how the authorization DB is represented (sudoers vs. prof_attr +
   auth_attr + exec_attr + user_attr)

 - minor feature differences (like SUDO can let you reference all
   executables in a directory, use the not operator, specify argument
   pattern matching, ...)

Nico
--
