On May 15, 2008, at 11:57 AM, John Plocher wrote:

> Gary Winiger wrote:
>> I'm sponsoring this Fast Track for Jim Hughes.
>
> Can you clear up a usage-model confusion for me?
>
> In "sudo land", I'm used to a model where
>
>   I'm just "me" until I wish to increase my abilities, at
>   which point I sudo to enable my superpowers.  When I'm
>   done playing god, (and stop using sudo) those powers go
>   away.

pfexec provides this "enable/disable my superpowers" for all but the  
role aware commands. The value of RBAC is that even though you pfexec  
stuff as UID=0, the audit trail is "you as god", not "god".

> in "RBAC land", the model seems to be
>
>   I'm never just me, I always have some set of superpowers
>   that I can never turn off, so I always need to be more
>   careful about consequences and side effects.

Not exactly the case. Some commands like svcadm are crontab privilege  
aware so that, for instance, typing "pfexec svcadm disable nwam", the  
"pfexec" is redundant.

> Am I misunderstanding things? If so, you can probably ignore
> the rest (except maybe for humor value).
>
> Just as someone invented sheaths for knives, because people
> don't always need to walk around armed to the teeth, the
> "sudo world" doesn't require everyone to walk around with
> a loaded "rm *" command :-)

The "rm" command is not role aware.

> This proposal, if applied to my home system, would seem to
> effectively make logging in as "plocher" be the same as
> logging in as "root" - and is something I'm not sure I want.
>
> What I do want is to be able, as "plocher", to say "I want
> to explicitly do `foo` now, but not necessarily at any other
> time without additional future confirmation being required".

It is possible to set up a role such that even RBAC aware applications
still require you to use "pfexec foo", but that is a very off-topic
discussion.

>  -John
>
>

