Scott Rotondo wrote:
> Glenn Faden wrote:
>> It is a mistake to be telling users to constantly use pfexec. It was
>> not designed for that purpose. We should be telling people to assume
>> roles, via su, or to use sudo.
>
> What? How would it be better if they were using sudo instead of RBAC?
> I can think of a couple of ways in which it would be worse.
>
> Scott
>

Both RBAC and sudo require proper configuration so that they can be used securely. Assigning Primary Administrator to the initial user is an example of such a misconfiguration.

Currently the sudo version in Solaris doesn't support roles or privileges. That would make it work better with Solaris RBAC. The Linux version supports roles and types when SELinux is enabled.

--Glenn
