Roland Mainz wrote:
>>> is this a restriction issue? is a user knowingly executing an explicit
>>> builtin
>>> a violation (as in a restricted shell sense)?
>> It could be. RBAC does have the ability to revoke privileges.
>
> Uhm... could you describe an example ? AFAIK RBAC only grants extended
> privileges via the RBAC context but it cannot remove them if they are
> part of what a plain, normal user can do (because he/she could simply
> run a normal shell and/or switch the shell to the normal, non-profile
> shell mode, bypassing the execution within a RBAC context)... or not ?

I use zsh as my shell and there is no zsh. So for me I use RBAC like
people use sudo, ie like this:

    darrenm at host$ pfexec ifconfig plumb bge0
    ...
    darrenm at host$ pfexec chown bob:staff foobar

If I was using pfksh I would do this instead:

    darrenm at host$ ifconfig plumb bge0
    darrenm at host$ chown bob:staff foobar

An RBAC profile can actually remove privileges that a process would
otherwise inherit from its parent (because it was privileged) or that
you would get by being setuid root. You do this by setting the
limitprivs= attribute in the exec_attr(4) entry. While we don't do this
for anything today it is fully supported to do so.

If a user has one of the profile shells as their login shell and you
change the system wide default so that they don't have the special 'All'
profile and run the profile shell as a restricted shell, then you can
have an environment where RBAC is working with the restricted shell
functionality to restrict a user.

-- 
Darren J Moffat
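
The limitprivs= attribute described in the message above, shown as an added example that is not part of the original thread or of Solaris itself: a small Python parser for exec_attr(4)-style lines that reports which commands have their limit set narrowed. The sample entries, profile names and privilege choices are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample in the exec_attr(4) layout name:policy:type:res1:res2:id:attr.
# Profile names and the privileges assigned to each command are hypothetical.
SAMPLE_EXEC_ATTR = """\
# name:policy:type:res1:res2:id:attr
Net Plumb (example):solaris:cmd:::/sbin/ifconfig:privs=sys_net_config
Own Files (example):solaris:cmd:::/usr/bin/chown:privs=file_chown;limitprivs=basic,file_chown
Locked Down (example):solaris:cmd:::/usr/bin/ls:limitprivs=basic,!proc_fork,!proc_exec
"""

class ExecEntry(NamedTuple):
    profile: str
    command: str
    attrs: dict  # attribute key -> list of comma-separated tokens

def parse_exec_attr(text):
    """Parse cmd entries; skip comments and blanks, reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)  # the attr list is the seventh field
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _policy, kind, _res1, _res2, ident, attr = fields
        if kind != "cmd":
            continue
        attrs = {}
        for pair in filter(None, attr.split(";")):  # key=value pairs split on ';'
            key, _, value = pair.partition("=")
            attrs[key.strip()] = [t.strip() for t in value.split(",") if t.strip()]
        entries.append(ExecEntry(name, ident, attrs))
    return entries

def entries_with_limit(entries):
    """Commands whose profile entry sets an explicit limit set."""
    return [(e.profile, e.command, e.attrs["limitprivs"])
            for e in entries if "limitprivs" in e.attrs]

def excluded_privs(entry):
    """Privileges explicitly negated ('!' or '-' prefix) in the limit set."""
    return [t[1:] for t in entry.attrs.get("limitprivs", []) if t[:1] in "!-"]

if __name__ == "__main__":
    parsed = parse_exec_attr(SAMPLE_EXEC_ATTR)
    for profile, command, limit in entries_with_limit(parsed):
        print(f"{command} ({profile}): limitprivs={','.join(limit)}")
```
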