On Mon, May 04, 2009 at 09:43:54PM +0200, max at bruningsystems.com wrote:
> # usermod -K 'limitpriv=all,!sys_time' root
>
> This works fine. Root can no longer set the date. However, the
> service (which runs as root) is still quite happy to change the date.
> So, the question is: When do the privileges take effect when using
> usermod? Is this only on login? Is there a way to set privileges for
> all root id processes, including processes started from SMF?
Only at login, or, rather, whenever PAM is used with pam_unix_cred(5) in
the auth/cred stack. Thus the above applies to cron, for example, but
not to SMF.

SMF does not use PAM. Instead SMF expects you to fully specify the
service's method context. If SMF were to use PAM then you could
trivially turn your system into a brick with incantations like the
above!

Nico
--
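As an added illustration of what "fully specify the service's method context" means in practice (this is editorial example material, not part of the original thread or of any real service): a hypothetical SMF manifest for a made-up service svc:/site/example whose daemon lives at the assumed path /opt/example/bin/exampled. If the start method carries no method_context, it inherits svc.startd's credentials, i.e. root with the full privilege set, which is exactly why the usermod limitpriv change in the question never reached the service. The method_credential element below is the SMF-side equivalent of that usermod command: limit_privileges bounds what the method and everything it forks can ever hold, and privileges trims what it starts with.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Hypothetical manifest: service name, binary path and privilege
     choices are assumptions for illustration, not a real product. -->
<service_bundle type="manifest" name="example">
  <service name="site/example" type="service" version="1">
    <create_default_instance enabled="false"/>
    <single_instance/>

    <!-- Weak form, for contrast (commented out): no method_context, so the
         daemon runs as root with all privileges, inherited from svc.startd,
         and any limitpriv set on the root account via usermod is ignored
         because SMF never goes through PAM.
    <exec_method type="method" name="start"
        exec="/opt/example/bin/exampled" timeout_seconds="60"/>
    -->

    <!-- Hardened form: the method context states the credentials explicitly.
         privileges       = the set the process starts with (here the basic
                            set plus the ability to bind a privileged port,
                            assuming the daemon needs that).
         limit_privileges = the upper bound for this process and all its
                            descendants; mirrors "limitpriv=all,!sys_time"
                            from the question, so the daemon can never
                            change the system clock even if it tries to
                            re-acquire privileges. -->
    <exec_method type="method" name="start"
        exec="/opt/example/bin/exampled" timeout_seconds="60">
      <method_context>
        <method_credential user="root" group="root"
            privileges="basic,net_privaddr"
            limit_privileges="all,!sys_time"/>
      </method_context>
    </exec_method>

    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>

    <property_group name="startd" type="framework">
      <propval name="duration" type="astring" value="contract"/>
    </property_group>
  </service>
</service_bundle>
```

To apply this to an already-imported service instead of editing the manifest, the same values can be set on the start method's property group with svccfg (assumed FMRI as above) and picked up on the next refresh and restart: `svccfg -s svc:/site/example setprop start/limit_privileges = astring: "all,!sys_time"`, then `svcadm refresh svc:/site/example` and `svcadm restart svc:/site/example`. Checking the result with `ppriv -S <pid>` on the running daemon should show sys_time absent from the L set, in contrast to a login shell of root, where only the usermod change is in effect.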