Scott Rotondo wrote: > Mark Logan wrote: >> Sebastien Roy wrote: >>> On Mon, 2009-03-02 at 14:38 -0800, Phi Tran wrote: >>> >>>> The following RBAC authorizations and profile will be added. >>>> >>>> Authorization Names: >>>> solaris.admin.parted.:::Partition Editor::help=AuthPartedHeader.html >>>> solaris.admin.parted.write:::Edit Partitions::help=AuthPartedWrite.html >>>> >>> >>> Is there a technical reason why reading partition information would >>> require a special authorization? >>> >> >> Parted needs permission to access the raw disk device. Someone told me >> that I needed to use RBAC to allow non-root users to run it. > > If parted is a setuid-root program (so it has the ability to modify raw > disks), then it's appropriate for it to check an authorization to see if > it should make changes on behalf of the user who is invoking it. > > If it's not setuid, then it won't gain any privileges just because you > define these authorizations. You would want to include the command in an > RBAC profile so that users who have the profile can run it with the > necessary privileges. In that case, there is probably no reason for the > additional authorization check.
The program isn't setuid. The model would be to include the command with the sys_devices privileges as you stated. However, we thought that there still needs to be a write authorization. Phi
