On Fri, Jun 6, 2008 at 10:43 PM, Glenn Lagasse <[EMAIL PROTECTED]> wrote: > * Philip Brown ([EMAIL PROTECTED]) wrote: >> James Hughes wrote: >> > This is currently being worked on. In the mean time, you could just do >> > the command >> > alias sudo=pfexec >> > and let me know how it works for you. >> > >> > James Gosling wrote: >> >> While it isn't on the list of TBD packages, I'd like to volunteer to add >> >> "sudo". Every time I install Solaris, it's always the first upgrade I >> >> make. It seems silly that it's missing. How do I go about adding it? >> >> >> I think the fundamental issue here is: >> >> The interface for sudo, is a well-known and relatively easy interface. >> >> >> The interface for (administering) rbac, is not. >> >> Most people dont give a damn about "finer grained control". they just want >> to get done, what needs to get done, in the simplest way possible. >> sudo is the best fit for it. >> >> "alias sudo=pfexec", does not meet that want, as well as regular sudo does. > > And how exactly does it not meet that want? Particularly on OpenSolaris > 2008.05 where root is already configured as a role and the initial user > created at install time is given that role. I'm not saying it does > meet everyone's needs, but just saying that it doesn't without clear and > rational reasons *why* it doesn't isn't helpful imo. I'm all for > including sudo (or any other piece of software) but given equivalent > pre-existing integrated functionality I'd like to hear why we need to > include something else rather than fix/update the pre-existing solution > (and then add the other solution for people who just don't care that > they can do the same thing with the pre-existing solution).
A simple answer will be: Make it easy to configure RBAC on OpenSolaris. It can either be a GUI or a CLI, or even an utility that can take a sudoers file and generate equivalent RBAC configuration for the common use cases. Some of the most common usage of sudo can map directly to setting up appropriate rights profile and assigning it to roles/users. However even a simple setup needs touching multiple files /etc/security/exec_attr, /etc/security/prof_attr, /etc/user_attr. This is far more convoluted than the simple rulesets that one can specify in the sudoers file. > > FWIW I'd never used RBAC prior to Indiana (having exclusively used sudo > on Linux, Mac OS/X and Solaris). After creating an alias as mentioned > above I've never noticed a difference in behaviour (given my usage > patterns of course). So, here's at least one datapoint that pfexec just > gets done what needs to get done, simply. :-) This is because all these get pre-configured during distro construction. The configuration has already been done and you are simply using it. The confusion begins if you ever want to customize it or create new rules, roles etc. IMHO OpenSolaris RBAC is extremely capable, flexible and so on. However it is just crying out for an usable user interface, be it GUI or be it CLI. Regards, Moinak. > > Cheers, > > -- > Glenn > _______________________________________________ > pkg-discuss mailing list > [email protected] > http://mail.opensolaris.org/mailman/listinfo/pkg-discuss > _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
