>Casper.Dik at Sun.COM wrote:
>> What I would like is:
>>
>> - a role which you can assume by typing your own password, not the
>>   role
>
>Which is basically what sudo does.

Can we pretend that the people who post things here "know things" and that we don't require a "sudo 101"? Thanks much.

>> - but I would like it to keep the same uid as the user
>>   (making the role a different uid in the credential)
>
>Though why do we need to have a role for this? Requiring a role makes
>OpenSolaris RBAC more complex to set up than sudo.

The current implementation has issues. However, RBAC was designed to put the authentication at the "su role" step. Putting dangerous profiles into a user's hand is abusing RBAC.

>I believe the requirement is really - needs authentication. So why not
>update pfexec to call PAM?

Because we use it for tasks where we just need to use a "set-uid helper" and where we absolutely do not want authentication. Pfexec is called too late; if you have a role with a profile shell, you have already authenticated.

(Don't forget that pfexec was invented because we felt that the initial RBAC implementation which used set-uid root pfcsh/pfsh was dangerous.)

>We could even mimic what sudo does and provide the ability on a per
>profile basis to determine if the authentication step is necessary or not.
>
>I also believe it would be useful if pfexec when it called PAM had the
>ability to have an embedded_pfexec(1M) version like we have
>embedded_su(1M). Though maybe that isn't as necessary given gksu(1M)?
>
>There are existing RFEs already logged for the above functionality.

pfexec is used for authenticated users and pfexec should not authenticate. I believe that such RFEs are wrong.

That doesn't mean that there's something wrong with how we use RBAC; clearly giving users "Primary Administrator" is not how RBAC was intended to be used.

Casper