Danny Hayes wrote:

> While there are several bugs related to roles and starting consoles and apps
> in labeled zones, I could not find a bug ID for this specific problem. Has
> anyone seen a bug for this? Has anyone using Solaris 10 w/ Extensions been
> able to open a console in a labeled zone as primaryadmin?

Your analysis of the Tooltalk issue is actually pretty good. You're correct that the problem with the Primary Admin rights profile in Solaris 10 is that it is effectively the same as root. I never use that profile for anything anymore. I just make root a role, and use root when I need it. It made sense to have a Primary Admin role in TSOL 8 when root didn't have all privileges by default.

This is similar to another historic problem that I've seen people create, which is assigning uid 0 to other usernames besides root. They rationalize doing this because they can have multiple superuser passwords, but it is fundamentally flawed. For example, each user with uid 0 can change all the passwords.

The Tooltalk story in Trusted CDE is actually a bit complex. As you stated, there is a Tooltalk session for each combination of roles and labels. The glue that maps Tooltalk requests to the proper instance of ttsession is the polyinstantiation of root window properties in the X11 server. There are multiple TT_SESSION properties, and the instance you get when your client reads the property is based on the client's label and uid. Since the Primary Admin role is running everything with uid 0, the X11 server cannot distinguish between Primary Admin and root. So it gets root's Tooltalk handle instead of the one associated with its own uid. The global zone is special in that it has additional privileges, and that may be causing the strange behavior you're seeing.

If you really want something like the Primary Admin role to work the way it did in TSOL 8, you should create a profile more like the way sudo works. The role's login shell should not have uid 0 associated with it. It should invoke a privileged shell only when it needs it.

--Glenn
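Glenn's point about extra uid 0 accounts is easy to check for. The following script is an added example, not part of the original thread: it audits a passwd(4)-style file and reports every account that shares uid 0 with root. The passwd file it reads is constructed inline for offline use; the account names in it (toor, primaryadmin and the others) are made up for the demonstration.

```shell
#!/bin/sh
# Added example: find accounts that share uid 0 with root in a passwd(4)-style
# file. Every extra uid-0 account is a second superuser that can change any
# password, which is the flaw described in the message above.

# Constructed sample passwd file (not from any real system).
SAMPLE_PASSWD="$(mktemp)"
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
toor:x:0:0:Second superuser (constructed):/:/usr/bin/sh
danny:x:100:10:Danny (constructed):/export/home/danny:/usr/bin/bash
primaryadmin:x:0:10:Primary Admin (constructed):/export/home/primaryadmin:/usr/bin/pfsh
EOF

# count_uid0 FILE
# Prints the total number of accounts in FILE whose uid field (field 3) is 0.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# extra_uid0_accounts FILE
# Prints, one per line, every account in FILE with uid 0 other than "root".
# Exit status is 1 when at least one such account exists, 0 otherwise, so the
# function can be used directly as a pass/fail check.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; n++ } END { exit (n > 0) }' "$1"
}

# Report, the way an audit job would.
if [ "$(count_uid0 "$SAMPLE_PASSWD")" -gt 1 ]; then
    echo "WARNING: $(count_uid0 "$SAMPLE_PASSWD") accounts have uid 0; extras are:"
    extra_uid0_accounts "$SAMPLE_PASSWD" || true
else
    echo "OK: root is the only uid 0 account"
fi
```

On a live system point the functions at /etc/passwd (or at `getent passwd` output piped to a file) instead of the constructed sample; the check is the same, and any name it prints is an account that can do everything root can.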