Jesse writes:
> The authorizations were set through manifests, before importing, as you
> did. I'm running 5.10.
>
> I have no idea why interactive would be different either, that's my main
> confusion. Today, for no apparent reason, the user can't make changes via
> interactive or command line modes, so at least it's denying me across the
> board. This sudden change makes me suspect the problem is more to do with
> my system, but for my edification, what permissions/authorizations do you
> give the user to allow them to make changes at all? When I give the user
> the 'solaris.smf.modify' authorization, they can make changes to any
> services. This is what I want to avoid. Am I missing something obvious?
>
>
> This message posted from opensolaris.org
> _______________________________________________
> smf-discuss mailing list
> smf-discuss at opensolaris.org
You're correct. solaris.smf.modify allows the user to manipulate all
services.
Here is what I did. This should work in 5.10, too. It's just that all my
test machines are currently running Nevada.
First here is my manifest (take a look at the property_group for general):
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='nopkg:bogus_2'>
<service
name='system/bogus_2'
type='service'
version='1'>
<create_default_instance enabled='true' />
<single_instance />
<dependency
name='usr'
type='service'
grouping='require_all'
restart_on='none'>
<service_fmri value='svc:/system/filesystem/local' />
</dependency>
<exec_method
type='method'
name='start'
exec=':true'
timeout_seconds='60' />
<exec_method
type='method'
name='stop'
exec=':true'
timeout_seconds='60' />
<property_group name='startd' type='framework'>
<propval name='duration' type='astring'
value='transient' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start and stop bogus_2 -->
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.bogus2' />
<!-- change values of existing properties -->
<propval name='value_authorization' type='astring'
value='solaris.smf.value.bogus2' />
<!-- change, add or delete properties -->
<propval name='modify_authorization' type='astring'
value='solaris.smf.modify.bogus2' />
</property_group>
</service>
</service_bundle>
Next I add lines like the following to /etc/security/auth_attr. You will
of course want to use more meaningful strings for the descriptions:
solaris.smf.manage.bogus2:::SMF testing:bogus_2 service:
solaris.smf.value.bogus2:::SMF testing:bogus_2 service:
solaris.smf.modify.bogus2:::SMF testing:bogus_2 service:
Now you can import your service.
Finally, I give user, smf_tst, these authorizations using /usr/sbin/usermod:
usermod -A \
"solaris.smf.manage.bogus2,solaris.smf.value.bogus2,solaris.smf.modify.bogus2" \
smf_tst
Now smf_tst can manipulate the bogus_2 service, but it cannot modify any
off the other services.
