Hey everyone.
So, I've been working on an RBAC module for Python to make Python
priv-aware. I'm seeking any comments on it at the moment.
It's mostly just marshalling and unmarshalling arguments from C to
PyObject*'s, but it exposes all the user|exec|auth_attr functions and
privileges(5) functions. It works the same way that the regular RBAC
functions do (which is to say, they don't grant you privileges you
don't already have but you can drop privileges that you do have).
I figure it's useful for things like adding a "Software Installation"
profile that a SUID pkg(5) can check for on startup, maybe the ON gk
can find some use for it, customers/community members can use it, etc.
For instance if you wanted to drop proc_fork, you could do something
like this:
>>> import PyRBAC
>>> import os
>>>
>>> privs = PyRBAC.Privileges()
>>> privs.getppriv("PRIV_EFFECTIVE")
'file_link_any,proc_exec,proc_fork,proc_info,proc_session'
>>> os.fork()
19880
0
>>> privs.setppriv("PRIV_OFF", "PRIV_PERMITTED", "proc_fork")
False
>>> os.fork()
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
OSError: [Errno 1] Not owner
>>>
Tada. (the error message is Python's fault)
Or, if you wanted to see if the dladm user had access to
solaris.smf.manage.wpa?
>>> authattr = PyRBAC.Authattr()
>>> authattr.chkauthattr("solaris.smf.manage.wpa", "dladm")
True
code here: http://cr.opensolaris.org/~error404/pyrbac.tar.gz
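
The drop-only behaviour described in the post, as an added example that is not part of the original post or of PyRBAC: a pure-Python model of the setppriv(2) rules that replays the proc_fork session. The class ProcessPrivModel and its methods are hypothetical, and starting all four sets from the same list is a simplifying assumption.

```python
import errno

SETS = ("PRIV_EFFECTIVE", "PRIV_INHERITABLE", "PRIV_PERMITTED", "PRIV_LIMIT")


class ProcessPrivModel:
    """Hypothetical model of one process's privilege sets (not PyRBAC)."""

    def __init__(self, privs):
        # Simplification: every set starts from the same comma-separated list.
        self.sets = {name: set(privs.split(",")) for name in SETS}

    def getppriv(self, which):
        return ",".join(sorted(self.sets[which]))

    def setppriv(self, op, which, privs):
        req, cur = set(privs.split(",")), self.sets[which]
        if op == "PRIV_OFF":
            new = cur - req
        elif op == "PRIV_ON":
            new = cur | req
        elif op == "PRIV_SET":
            new = req
        else:
            raise OSError(errno.EINVAL, "unknown operation")
        added = new - cur
        # Permitted and limit sets can only shrink.
        if added and which in ("PRIV_PERMITTED", "PRIV_LIMIT"):
            raise OSError(errno.EPERM, "cannot add to " + which)
        # Effective and inheritable can only gain what is still permitted.
        if added - self.sets["PRIV_PERMITTED"]:
            raise OSError(errno.EPERM, "privilege not in permitted set")
        self.sets[which] = new
        if which == "PRIV_PERMITTED":
            # Dropping from permitted also drops from effective.
            self.sets["PRIV_EFFECTIVE"] &= new

    def fork(self):
        # Stand-in for os.fork(): needs proc_fork in the effective set.
        if "proc_fork" not in self.sets["PRIV_EFFECTIVE"]:
            raise OSError(errno.EPERM, "Not owner")
        return True


if __name__ == "__main__":
    p = ProcessPrivModel("file_link_any,proc_exec,proc_fork,proc_info,proc_session")
    p.setppriv("PRIV_OFF", "PRIV_PERMITTED", "proc_fork")
    print(p.getppriv("PRIV_EFFECTIVE"))  # proc_fork is gone
```

Once proc_fork has left the permitted set, neither PRIV_ON nor PRIV_SET can bring it back in the model, which is why a drop should happen only after any fork the program still needs.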