Mark Logan wrote:
> Sebastien Roy wrote:
>> On Mon, 2009-03-02 at 14:38 -0800, Phi Tran wrote:
>>   
>>> The following RBAC authorizations and profile will be added.
>>>
>>> Authorization Names:
>>> solaris.admin.parted.:::Partition Editor::help=AuthPartedHeader.html
>>> solaris.admin.parted.write:::Edit Partitions::help=AuthPartedWrite.html
>>>     
>>
>> Is there a technical reason why reading partition information would
>> require a special authorization?
>>   
> 
> Parted needs permission to access the raw disk device. Someone told me 
> that I needed to use RBAC to allow non-root users to run it.

If parted is a setuid-root program (so it has the ability to modify raw 
disks), then it's appropriate for it to check an authorization to see if 
it should make changes on behalf of the user who is invoking it.

If it's not setuid, then it won't gain any privileges just because you 
define these authorizations. You would want to include the command in an 
RBAC profile so that users who have the profile can run it with the 
necessary privileges. In that case, there is probably no reason for the 
additional authorization check.

        Scott

-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
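
The two cases described in the reply above, modeled as an added example that is not part of the original thread and is not Solaris code. It parses constructed entries in the user_attr, prof_attr and exec_attr formats to show that holding an authorization grants no privilege by itself, while a profile's exec_attr entry does. The profile name, user names, the /usr/sbin/parted path and the uid=0 attribute are assumptions; only the authorization name comes from the thread.

```python
# Constructed sample entries in Solaris RBAC database formats (assumptions:
# profile name, users, parted path, uid=0). Only the auth name is from the thread.
USER_ATTR = """\
alice::::profiles=Partition Management
bob::::auths=solaris.admin.parted.write
carol::::auths=solaris.admin.parted.*
"""
PROF_ATTR = "Partition Management:::Edit disk partitions:auths=solaris.admin.parted.write\n"
EXEC_ATTR = "Partition Management:solaris:cmd:::/usr/sbin/parted:uid=0\n"

def kv(attr):
    """Parse 'k=v;k=v' into {k: [v, ...]}; values are comma-separated lists."""
    pairs = (p.split("=", 1) for p in attr.split(";") if "=" in p)
    return {k: v.split(",") for k, v in pairs}

def rows(text, nfields):
    """Split each non-comment line into nfields colon-separated fields."""
    return [l.split(":", nfields - 1) for l in text.splitlines()
            if l and not l.startswith("#")]

def user_entry(user):
    for name, *_, attr in rows(USER_ATTR, 5):
        if name == user:
            return kv(attr)
    return {}

def profiles(user):
    return user_entry(user).get("profiles", [])

def auths(user):
    """Authorizations granted directly or through the user's profiles."""
    granted = list(user_entry(user).get("auths", []))
    for name, _, _, _, attr in rows(PROF_ATTR, 5):
        if name in profiles(user):
            granted += kv(attr).get("auths", [])
    return granted

def has_auth(user, wanted):
    """Case 1: the check a setuid-root binary would make (compare chkauthattr(3SECDB))."""
    return any(g == wanted or (g.endswith("*") and wanted.startswith(g[:-1]))
               for g in auths(user))

def exec_attrs(user, cmd):
    """Case 2: attributes a profile shell would apply when the user runs cmd."""
    for prof, _policy, typ, _, _, path, attr in rows(EXEC_ATTR, 7):
        if prof in profiles(user) and typ == "cmd" and path == cmd:
            return kv(attr)
    return None  # no profile entry: the command runs with the caller's own privileges
```

Here bob and carol pass the authorization check but get no exec_attr match, so a non-setuid parted would still run unprivileged for them; alice gets uid=0 through the profile.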
