Hoa Nguyen wrote:
> Hi,
> 
> I am wondering if SMF has a way to restrict authorized users that do 
> not have all root privileges to edit values of specific SMF properties 
> of a service via svccfg.   There are certain properties that we may want 
> only authorized users that have all root privileges to edit to prevent 
> privilege escalation.

For a service with no specific RBAC configuration, only users with the 
smf.* authorizations can modify properties in the repository.  As Solaris 
ships, only root and the root role have those authorizations.  That means 
that only root should be able to modify your service properties unless 
you or the administrator has done something (as root) to specifically 
allow otherwise.

More detail about the SMF RBAC integration is in smf_security(5), but the 
default usage should already achieve what you're looking for.

liane
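
To check the default described in the reply above, here is an added example (not part of the original message) that lists accounts holding an authorization in the `solaris.smf.*` namespace, either directly in `user_attr` or through a rights profile in `prof_attr`. The function names, the sample accounts and the `example.print.admin` and `solaris.smf.value.example` authorizations are constructed for illustration.

```shell
# Added example: report accounts whose RBAC entries grant an authorization
# in the solaris.smf.* namespace, directly or through a rights profile.
# Usage: smf_auth_holders USER_ATTR_FILE PROF_ATTR_FILE
smf_auth_holders() {
    awk -F: '
    # True if the auths= value in an attribute string covers solaris.smf.*
    function grants_smf(attrs,    n, i, kv, m, j, a) {
        n = split(attrs, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^auths=/) continue
            m = split(substr(kv[i], 7), a, ",")
            for (j = 1; j <= m; j++)
                if (a[j] == "solaris.*" || a[j] ~ /^solaris\.smf\./)
                    return 1
        }
        return 0
    }
    /^#/ || NF < 5 { next }
    # First file (prof_attr): remember profiles carrying an SMF authorization
    FNR == NR { if (grants_smf($5)) smfprof[$1] = 1; next }
    # Second file (user_attr): direct grants, then grants via profiles=
    {
        how = ""
        if (grants_smf($5)) how = "direct"
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^profiles=/) continue
            m = split(substr(kv[i], 10), p, ",")
            for (j = 1; j <= m; j++)
                if (p[j] in smfprof) how = (how ? how "," : "") "profile:" p[j]
        }
        if (how) print $1 " " how
    }' "$2" "$1"
}

# Constructed sample data (not taken from a real system).
demo() {
    d=$(mktemp -d)
    cat > "$d/prof_attr" <<'EOF'
Service Management:::Manage services:auths=solaris.smf.manage,solaris.smf.modify
Printer Management:::Manage printers:auths=example.print.admin
EOF
    cat > "$d/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;profiles=Service Management,Printer Management
bob::::type=normal;auths=solaris.smf.value.example
carol::::type=normal;profiles=Printer Management
EOF
    smf_auth_holders "$d/user_attr" "$d/prof_attr"
    rm -rf "$d"
}
```

On a live system the inputs would be `/etc/user_attr` and `/etc/security/prof_attr`. The check does not follow profiles nested inside other profiles or defaults granted through `policy.conf`, so anything it reports beyond root is a starting point for review rather than a complete answer.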
