James Hardwick wrote:
So I have been working in Solaris, and *nix in general recently for the
first time in a long long while. Trying to do various things which may
be easy to you guys, but not so much to me. Anyways, here goes it...
I am currently running in Solaris 10 w/ TX, build 42. I have a script
Nit: You're running Solaris Nevada, not Solaris 10. It doesn't matter
for this issue, but it might for some future question.
which needs to run as though it were root, only when a certain user
calls it. I create a rights profile within the SMC modeling it nearly
identically to Basic Solaris User, add the desired script as a command,
go into "Set Attributes" and set its EUID as root. I then add this
rights profile to the user I desire to execute it as root. Within the
script, I do an:
echo `/usr/ucb/whoami` > blah/blah/blah/blah.log
Since I figure this should print out the EUID running the script, which
I expect to be root. Well, when run, the log shows the user I assigned
the rights profile to, NOT root as I expected (or rather hoped for).
I tested to see if that truly was the case by placing shutdown in the
script. When running the script, I get an error along the lines of
"/usr/sbin/shutdown can only be run as root". So I know for a fact the
script is not running with an EUID of root.
So, why is this? I thought you were supposed to be able to do this with
the Rights Profiles?
It's possible, of course, that the new Rights Profile you created is not
set up correctly. However, it's more likely that RBAC is working just
fine and you've run into a subtlety of shell script behavior.
In general, shell scripts don't behave like other programs when the real
and effective uids don't match. You will see different behavior
depending on which shell interprets your shell script (determined by the
#! directive at the top of the script). Here's what you can expect:
#!/bin/sh
Effective uid is reset to match real uid.
#!/bin/sh -p
Mismatched real/effective uid allowed.
#!/bin/ksh
Allows mismatched real/effective uid, like sh -p.
#!/bin/csh
Refuses to run if real and effective uids don't match.
You can see these different behaviors by changing the first line of your
shell script to the various possibilities above. The behavior you
observed is correct if the shell interpreter is /bin/sh. You can get the
effect you want by changing it to /bin/sh -p or /bin/ksh.
Scott
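A small check, added here as an example rather than anything posted in the thread, that classifies a script's #! line according to the four behaviours Scott lists and compares the real and effective uid of the running process. It assumes a POSIX sh and an id(1) that accepts -u and -r, and that the interpreter paths are /bin/... or /usr/bin/... as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report how a script's interpreter will
# treat a real/effective uid mismatch, and whether the current process has one.

# shebang_policy FILE
# Prints one of: keep | reset | refuse | unknown
#   keep   - interpreter runs with the mismatched euid (sh -p, ksh)
#   reset  - interpreter resets euid to the real uid (plain sh)
#   refuse - interpreter exits when uids differ (csh)
shebang_policy() {
    line=""
    read -r line < "$1" || line=""
    case "$line" in
        # The "-p" forms must be tested before the plain sh form,
        # because "#!/bin/sh"* would also match "#!/bin/sh -p".
        '#!/bin/sh -p'*|'#!/usr/bin/sh -p'*)  echo keep ;;
        '#!/bin/ksh'*|'#!/usr/bin/ksh'*)      echo keep ;;
        '#!/bin/sh'*|'#!/usr/bin/sh'*)        echo reset ;;
        '#!/bin/csh'*|'#!/usr/bin/csh'*)      echo refuse ;;
        *)                                    echo unknown ;;
    esac
}

# uid_state
# Prints "same" when real and effective uid match, "elevated" otherwise.
# Unlike /usr/ucb/whoami, which only reports the effective user, this shows
# whether the interpreter has already dropped the euid granted by RBAC.
uid_state() {
    ruid=$(id -u -r)
    euid=$(id -u)
    if [ "$ruid" = "$euid" ]; then
        echo same
    else
        echo elevated
    fi
}

# Stand-alone usage: ./check.sh /path/to/script
if [ -n "$1" ]; then
    echo "interpreter policy: $(shebang_policy "$1")"
    echo "this process:       $(uid_state) (real=$(id -u -r) effective=$(id -u))"
fi
```

Run it on the script from the original post; a result of "reset" explains why the log shows the ordinary user rather than root.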