> You need 'modify_authorization' besides 'action_authorization' to be
> able to stop/start a service. Stop/start requires the enabled
> property to be changed, that's why you need modify.

I believe that's too strong. IIRC, see the SMF policy:

http://opensolaris.org/os/community/arc/policies/SMF-policy/
or
http://sac.eng.sun.com/cgi-bin/bp.cgi?NAME=SMF.bp

and smf_security(5), the general/framework/action_authorization (with a value pattern similar to solaris.smf.manage.<service> for Sun delivered services) should allow you to start, stop, restart, refresh the named service.

IIRC, modify_authorization is a superset of action_authorization and allows you to add and delete things from the service. value_authorization allows you to change the values of properties (except the modify_authorization property, which would lead to "privilege escalation" ;-)

> > What did I miss here? I am trying to grant myself permission to
> > start/stop my spsms service...
> >
> >
> > # grep echiquet /etc/user_attr
> > echiquet:::auths=solaris.smf.manage.spsms

You might want to either use user_mod, or actually get the syntax correct.

user:qualifier:res1:res2:attr

> > # svcprop -p general/action_authorization spsms

Is this the general/framework/action_authorization for the service? I suspect it's that you really don't have the auth you think. What does auths(1) say?

> > solaris.smf.manage.spsms
> > # su - echiquet

You shouldn't really have to su to obtain the authorization. They should be available at any time they are defined in user/prof_attr.

> > Sun Microsystems Inc. SunOS 5.10 Generic January 2005
> > -bash-3.00$ /usr/sbin/svcadm disable spsms
> > svcadm: svc:/application/management/spsms:default: Permission denied.
> > -bash-3.00$

Gary..
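
The user_attr syntax point from the reply above, as an added example that is not part of the original message and is not Solaris code: a small Python check that splits an entry into the five fields `user:qualifier:res1:res2:attr` and reads the `auths` key from `attr`. It assumes `attr` is a `;`-separated list of `key=value` pairs with comma-separated values; the function names and the five-field sample line are constructed here, and only authorizations written directly on the line are examined (not those from profiles).

```python
# Added example: structural check of a single user_attr line.
FIELDS = ("user", "qualifier", "res1", "res2", "attr")


def parse_user_attr(line):
    """Split one entry into its five fields and decode attr into a dict."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not an entry")
    # maxsplit keeps any further colons inside attr (a simplification).
    parts = line.split(":", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated fields, found %d: %r"
                         % (len(FIELDS), len(parts), parts))
    entry = dict(zip(FIELDS, parts))
    attrs = {}
    for pair in entry["attr"].split(";"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("attr item without '=': %r" % pair)
        attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    entry["attr"] = attrs
    return entry


def direct_auths(line):
    """Authorizations listed under auths= on this line only."""
    return parse_user_attr(line)["attr"].get("auths", [])


def check(line, wanted):
    """Report whether 'wanted' is granted directly by this entry."""
    try:
        auths = direct_auths(line)
    except ValueError as exc:
        return "malformed: %s" % exc
    return "granted" if wanted in auths else "not granted"


# Entry exactly as quoted in the thread: only four fields.
POSTED = "echiquet:::auths=solaris.smf.manage.spsms"
# Constructed for comparison: the same entry written with all five fields.
FIVE_FIELD = "echiquet::::auths=solaris.smf.manage.spsms"

if __name__ == "__main__":
    for sample in (POSTED, FIVE_FIELD):
        print(sample, "->", check(sample, "solaris.smf.manage.spsms"))
```
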