James Carlson wrote:
> That's it exactly. The GUI that will be running won't have any
> special privileges, but the user will have authorizations (through
> some means) to perform the necessary actions. nwamd (which does run
> with elevated privileges) needs to check that the user's command is
> valid.
>
> Thanks; I'll give chkauthattr(3SECDB) a try.

Just to complete the picture, the "some means" is quite likely the new
"Console User" RBAC profile that is automatically granted to users on
/dev/console. It was designed for exactly this type of use case.

--
Darren J Moffat