John Plocher wrote: > Nicolas Williams wrote: >> You did misunderstand RBAC. >> In RBAC land pfexec is the equivalent of sudo. > > From Jim's mail, there seems to be an additional > > except for role-aware applications, for which you are > always [an audited] god. > > My fear is ending up in a world where more and more things > are role-aware and we set up the user environment [for the > first defined user?] such that they are forced to be a full > time demigod, rather than having to duck into a phone booth > first.
Your issue then is with the whole concept of how security in Solaris is done and with things like SMF. Not this case so please lets not discuss it here. This case doesn't actually change anything in that area anyway. The 'pfexec svcadm' vs 'svcadm' case has nothing to do with RBAC roles and everything to do with how SMF uses RBAC Authorisations. This is fundamental to how SMF works and is how it provides fine grained control over who can do what to service status and configuration. There is no meaning full use of svcadm/svcfg if you don't have an authorisation to do the operation. on a service so there is no need to "prefix" it first. -- Darren J Moffat
