On Mon, Sep 29, 2008 at 01:56:12PM -0700, John Sonnenschein wrote:
> Hey security people
>
> I'm fishing for feedback on something. A user can't change his or her
> own shell in [Open]Solaris.
>
> What's everyone's thoughts on this approach to a solution to that:
>
> suid binary in /usr/bin:
> - allows users to change their own shell
> - via RBAC allows users with the solaris.admin.usermgr.write privilege
>   to change anyone's shell

I think solving this problem is a good idea. It might be desirable to allow users to change their GECOS information as well; the *BSD chpass utility (installed as chfn and chsh as well) allows this - see http://man.freebsd.org/chpass/1 and http://cvsweb.freebsd.org/src/usr.bin/chpass/ for implementation details. That code is pretty mature, which might be to its advantage.

Ceri
--
That must be wonderful! I don't understand it at all.
                                                  -- Moliere