Tester,

> Hi,
>
> I want to run an app using a role (e.g. role1); I have assigned the required
> auths to the role and modified the manifest to reflect the same. This
> basically works; but when I also require that users that switch to the role
> assume the id of the application for e.g. (app1). This is the id that was used
> to start the app before the role implementation. To do this exec_attr was
> modified to something like this
>
> role1:......:/*:uid=app1.
>
> After this role loses the authorizations to run svcadm enable app. What is a
> possible workaround?

I'm unclear what policy you're trying to create. There are no workarounds needed, because the system is functioning as you've configured it. Authorizations are granted to the user associated with the process' real userid. In your example all commands run from the Rights Profile "role1," which I presume you have granted to the role user "role1", are run with the real userid of the user "app1". Thus any authorizations granted to the role user "role1" have no effect when the "role1" role executes any command.

You say you've modified a manifest. I presume this is a manifest in your source that you then deliver to your running copy of OpenSolaris and not an OpenSolaris-delivered manifest. Manifest files are "read only" and should not be modified from what is delivered from the OpenSolaris source. Perhaps you mean you've used svccfg(1M) to modify an existing *_authorization property value, or to add new property groups with *_authorization properties.

Anyhow, presuming I've interpreted what you've done correctly and you really do want to do what I've interpreted, you need to grant the user "app1" the appropriate authorizations.

> Thanks

HTH,
Gary..
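
The behaviour described in the reply above, as an added example that is not part of the original thread: a small model that reads user_attr-style and exec_attr-style text and reports whose authorizations apply to a command run through a profile. All sample entries are constructed; the middle exec_attr fields (elided in the post) and the authorization name `solaris.smf.manage.app` are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data, not from a real system. The authorization name
# is a placeholder for whatever the service's *_authorization property names.
USER_ATTR='role1::::type=role;auths=solaris.smf.manage.app;profiles=role1
app1::::type=normal'
FIXED_USER_ATTR='role1::::type=role;auths=solaris.smf.manage.app;profiles=role1
app1::::type=normal;auths=solaris.smf.manage.app'
EXEC_ATTR='role1:suser:cmd:::/*:uid=app1'

# user_attr_value TEXT USER KEY: print KEY's value from USER's attribute
# field (field 5 of user_attr: user:qualifier:res1:res2:attr).
user_attr_value() {
  printf '%s\n' "$1" | awk -F: -v u="$2" -v k="$3" '
    $1 == u {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++)
        if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
    }'
}

# real_user TEXT PROFILE CALLER: print the user whose real uid commands from
# PROFILE run with (field 7 of exec_attr). uid= replaces the real uid;
# euid= changes only the effective uid, so the caller's real uid stays.
real_user() {
  printf '%s\n' "$1" | awk -F: -v p="$2" -v c="$3" '
    $1 == p {
      n = split($7, kv, ";")
      for (i = 1; i <= n; i++)
        if (index(kv[i], "uid=") == 1) c = substr(kv[i], 5)
    }
    END { print c }'
}

# effective_auths USER_ATTR EXEC_ATTR ROLE PROFILE: authorizations that apply
# to a command ROLE runs through PROFILE, i.e. those of the real uid's user.
effective_auths() {
  user_attr_value "$1" "$(real_user "$2" "$4" "$3")" auths
}

echo "runs as:          $(real_user "$EXEC_ATTR" role1 role1)"
echo "auths as posted:  [$(effective_auths "$USER_ATTR" "$EXEC_ATTR" role1 role1)]"
echo "auths after fix:  [$(effective_auths "$FIXED_USER_ATTR" "$EXEC_ATTR" role1 role1)]"
```

The model handles only a single wildcard entry per profile, which is the case in the question; on a live system `auths app1` shows what the application user actually holds.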