Is there a particular reason we require the Primary Administrator
profile to be in effect in order to run pkg(5) ?
Short-term adding a line like "Software
Installation:solaris:cmd:::/usr/bin/pkg:euid=0" to
/etc/security/exec_attr would allow a sysadmin to grant Software
Installation to a junior admin without requiring full privs.
It effectively makes /usr/bin/pkg suid root to the person granted
Software Installation profile, but considering that the current
situation is you have to grant total root privs to a user in order to
use pkg(5) it's much less of a security problem than now. Also the
matter that /usr/bin/pkgadd is already listed in exec_attr this way, the
security issues with the Software Installation profile ought already be
known to an admin wishing to make use of the facility
-JohnS
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
