msl wrote:
>
>  Imagine the /etc/sudoers file configuration:
>  %root       ALL=(root) /bin/su -, /bin/su ""
>  With the above configuration everyone in the root group can su (for any 
> account) with his own password. If I can specify the "role" for which the user 
> can "sudo su", that would be perfect.
>   

Yes, that should work. You can specify a user or role in this case. 
However, the restriction that the user can only assume specific roles 
won't be enforced in this case because root is exempt from the role 
assumption policy.
> P.S.: I did not install sudo and test that configuration, because I want to 
> know if I would be "breaking" some "security" rule, or some RBAC definition. 
>   

You can't break RBAC by installing sudo. However, to the extent that you 
use sudo instead of RBAC, then you aren't following the policy for which 
Solaris has been certified. The RBAC protection profile requirements for 
Common Criteria certification are not met by sudo.

-Glenn
