> So in fact, the solaris/fping now uses RBAC instead of setting the uid of 
> the binary file directly. If a normal user wants to use fping, he/she must 
> have been granted the "net_icmpaccess" privilege (but as NIS users, we do not 
> have this privilege in general).
> 
> -bash-3.2$ grep fping /etc/security/exec_attr
> Network Management:solaris:cmd:::/usr/bin/fping:privs=net_icmpaccess
> 
> -bash-3.2$ id
> uid=201400(ll200400) gid=10(staff)
> 
> -bash-3.2$ ppriv -De fping -h
> fping[18609]: missing privilege "net_icmpaccess" (euid = 201400, syscall = 230) needed at secpolicy_net_icmpaccess+0x24
> fping: can't create raw socket : Permission denied
> 
> As a result, it seems not necessary to file a bug against fping.

        Are you then saying that shmux will pfexec /usr/bin/fping so
        that administrators with the Network Management Rights Profile
        can use shmux to call fping?

Gary..
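
Added example, not part of the original messages or of shmux/fping: a small parser for the exec_attr line quoted above that reports which rights profiles grant a privilege to a command and whether a given set of profiles would cover it. It assumes the standard `name:policy:type:res1:res2:id:attr` layout, matches exact paths only, and does not resolve nested profiles; the function names, the second sample line and the profile lists are constructed for illustration.

```python
from typing import NamedTuple


class ExecAttr(NamedTuple):
    profile: str   # rights profile name, e.g. "Network Management"
    policy: str    # "solaris" (privilege-aware) or "suser"
    kind: str      # "cmd" for commands
    path: str      # the "id" field: full path of the command
    attrs: dict    # attr field parsed into key -> list of values


def parse_exec_attr(text):
    """Parse name:policy:type:res1:res2:id:attr lines, skipping comments."""
    entries = []
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            continue  # malformed entry, ignore it
        name, policy, kind, _res1, _res2, path, attr = fields
        attrs = {}
        for pair in filter(None, attr.split(";")):
            key, _, value = pair.partition("=")
            attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
        entries.append(ExecAttr(name, policy, kind, path, attrs))
    return entries


def profiles_granting(entries, path, priv):
    """Names of profiles whose entry for `path` lists `priv` in privs=."""
    return sorted({e.profile for e in entries
                   if e.kind == "cmd" and e.path == path
                   and priv in e.attrs.get("privs", [])})


def can_run_with_priv(entries, user_profiles, path, priv):
    """True if any of the user's profiles grants `priv` for `path`."""
    return bool(set(user_profiles) & set(profiles_granting(entries, path, priv)))


# Constructed sample: only the fping line comes from the thread.
SAMPLE = """\
# exec_attr excerpt
Network Management:solaris:cmd:::/usr/bin/fping:privs=net_icmpaccess
Network Management:suser:cmd:::/usr/sbin/ifconfig:uid=0
"""
```
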
