> it was exactly my intent. maybe the fine grained access policy
> project will have to change it that way (http://opensolaris.org/os/project/fgap/)

I doubt that FGAP will address this: its current goals seem to focus more around controlling things on a finer level than what privileges permit (i.e. instead of allowing some process "file_dac_read" we allow "file_dac_read" only when it tries to read one of a specific set of files, or rather than allowing Apache access to all privileged ports we'd only allow it access to port 80).

>> From usermod perspective, behavior between profiles and ppriv is
>> not consistent as ppriv will delete every privilege not specified
>> but profile will always include "All" and "Basic Solaris User".

There is indeed a difference in that specifying defaultpriv=/limitpriv= in a user_attr entry will overrule the defaults from policy.conf, while specifying profiles= or authorisations= merges in their defaults as set in policy.conf. It seems to make sense to me, but this difference doesn't seem to be overly well documented in the manpages.

The usermod(1M) manpage doesn't seem to touch upon which defaults, if any, are used for any of these cases. It is also not made clear in policy.conf(4) directly, though for AUTHS_GRANTED and PROFS_GRANTED it does point to things like chkauthattr(3SECDB) which in turn does expand on how things fit together. It doesn't seem to be addressed in user_attr(4) either, where it would make sense to address it in the keywords section.

I have filed CR6657771 "user_attr doesn't explain auths/privs/profile merging (or lack thereof)" to track this.

> Furthermore I think the man page is incorrect stating :
>
> -P profile
>
> One or more comma-separated rights profiles defined in prof_attr
> (4). This replaces any existing profile setting. If no profile list
> is specified, the existing setting is removed.

It's not so much incorrect as in that it's not as clear as it should be:

  # useradd -u 242 -s /bin/ksh -c test -P "Log Management",Bart test
  # profiles test
  Log Management
  Bart
  Basic Solaris User
  All
  # usermod -P test
  UX: usermod: ERROR: test is not a valid profile name. Choose another.
  # usermod -P "" test
  # profiles test
  Basic Solaris User
  All

so the man page could probably be made clearer by rephrasing it a bit:

  -P profile
      One or more comma-separated rights profiles defined in prof_attr(4).
      This replaces any existing profile setting in user_attr(4). If an
      empty profile list is specified, the existing setting is removed.

And adding an EXAMPLE would clarify matters further:

  Example 5: Removing all profiles from a User

  The following command removes all profiles that were granted to the
  user directly. The user will still have any rights profiles that are
  granted via policy.conf(4)'s PROFS_GRANTED.

  # usermod -P "" jdoe

I have filed CR6657712, "usermod -P not as clear as it should be", to track this.

Bart
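To make the merge-versus-override asymmetry and the effect of usermod -P "" concrete without a Solaris host, here is an added simulation in POSIX sh. It is not part of the original post and not Solaris's own code: the user_attr and policy.conf entries are constructed sample data, and the functions (policy_value, user_attr_value, effective_profiles, effective_defaultpriv, clear_profiles) are hypothetical helpers that implement only the two rules described in the post, not the full chkauthattr(3SECDB) logic. Nested profiles (e.g. "All" reached via "Basic Solaris User") are not expanded.

```shell
#!/bin/sh
# Added example, not part of the original post and not Solaris code.
# It simulates the two rules described in the post, on constructed data:
#   - profiles= in user_attr(4) MERGES with PROFS_GRANTED from policy.conf(4)
#   - defaultpriv= in user_attr(4) OVERRIDES PRIV_DEFAULT from policy.conf(4)
# and emulates what 'usermod -P "" user' does to a user_attr entry.
# Real systems read /etc/user_attr and /etc/security/policy.conf via
# chkauthattr(3SECDB); nothing here touches those files.

# Constructed policy.conf(4) values (sample data, not a real file).
POLICY_CONF='AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
PRIV_DEFAULT=basic
PRIV_LIMIT=all'

# Constructed user_attr(4) entries, user:qual:res1:res2:attr (sample data).
USER_ATTR='test::::type=normal;profiles=Log Management,Bart
jdoe::::type=normal;defaultpriv=basic,file_dac_read;limitpriv=basic,file_dac_read
root::::type=normal;auths=solaris.*;profiles=All'

# Value of one KEY=value line in the policy.conf sample.
policy_value() {
    printf '%s\n' "$POLICY_CONF" | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# Value of one key in the ';'-separated attr field of a user's entry
# (empty if the user or the key is absent).
user_attr_value() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" -v k="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
        }'
}

# Rights profiles: direct grant first, then PROFS_GRANTED, in the order
# shown by the profiles(1) output quoted in the post.
effective_profiles() {
    direct=$(user_attr_value "$1" profiles)
    granted=$(policy_value PROFS_GRANTED)
    if [ -n "$direct" ]; then
        printf '%s,%s\n' "$direct" "$granted"
    else
        printf '%s\n' "$granted"
    fi
}

# Default privilege set: user_attr wins outright, no merge with PRIV_DEFAULT.
effective_defaultpriv() {
    direct=$(user_attr_value "$1" defaultpriv)
    if [ -n "$direct" ]; then
        printf '%s\n' "$direct"
    else
        policy_value PRIV_DEFAULT
    fi
}

# Emulate 'usermod -P "" user': delete only the user's own profiles=
# keyword. PROFS_GRANTED is untouched, so effective_profiles still
# returns the policy.conf defaults afterwards.
clear_profiles() {
    USER_ATTR=$(printf '%s\n' "$USER_ATTR" | awk -F: -v OFS=: -v u="$1" '
        $1 == u {
            n = split($5, kv, ";"); out = ""
            for (i = 1; i <= n; i++)
                if (index(kv[i], "profiles=") != 1)
                    out = (out == "" ? kv[i] : out ";" kv[i])
            $5 = out
        }
        { print }')
}

# Demonstration, run in a subshell so the sample table above is left intact.
(
    echo "test profiles:            $(effective_profiles test)"
    echo "test defaultpriv:         $(effective_defaultpriv test)"
    echo "jdoe defaultpriv:         $(effective_defaultpriv jdoe)"
    clear_profiles test
    echo "test after usermod -P '': $(effective_profiles test)"
)
```

The point the simulation makes visible is the one the post's transcript shows: after clear_profiles (the analogue of usermod -P ""), the user's own profiles= keyword is gone but the PROFS_GRANTED entries are still reported, whereas a defaultpriv= keyword replaces PRIV_DEFAULT entirely rather than being merged with it.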