RBAC security

Hi,

Problem: (Solaris OE - 5.8)

I want to create a user - "user1" who would be able to kill other normal users' shell processes to log them out forcefully. For this he will su into a role - "killuser". This role has been assigned a profile - "Killuser". The definitions supplied in /etc/security/prof_attr and /etc/security/exec_attr are as follows:

/etc/security/prof_attr :

Killuser:::Kill Other users:

/etc/security/exec_attr:

Killuser:suser:cmd:::/usr/bin/kill:uid=0

I have assigned the profile to role - "killuser" and the role "killuser" to user - "user1" using rolemod and usermod. After the modifications, the contents of /etc/user_attr are also getting updated. But by logging in as user1 and su-ing into killuser, I am not able to kill the shell process of any other normal user. I am getting the response "Permission Denied".

Please suggest.

[967 byte] By [mrrout] at [2007-11-25 22:59:31]
# 1

A better approach (IMO of course) would be to present the users with the PRIV_PROC_INFO and PRIV_PROC_OWNER privileges. This allows them to examine and control other processes running on the system. It is by far more secure than relying on a single command.

Another approach is creating a new profile (/etc/security/prof_attr) and allowing it the solaris.admin.procmgr.admin authorisation. Then proceed as you first did; simply create a role but make sure it has this new profile associated.

LionO at 2007-7-5 17:14:50
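
Added example (not part of the original thread): a small Python check that follows the assignment chain the question sets up, user_attr -> role -> profile -> exec_attr, and reports which commands a user ends up with and which links are broken. The prof_attr and exec_attr lines are the ones quoted in the question; the user_attr lines are assumed, since the post does not show them, and the function names are hypothetical.

```python
# Constructed sample data. The prof_attr and exec_attr lines are quoted from the
# question; the user_attr lines are assumed (the post does not show them).
USER_ATTR = """\
killuser::::type=role;profiles=Killuser
user1::::type=normal;roles=killuser
"""
PROF_ATTR = "Killuser:::Kill Other users:\n"
EXEC_ATTR = "Killuser:suser:cmd:::/usr/bin/kill:uid=0\n"


def parse_db(text, nfields):
    """Split a colon-delimited RBAC database into rows, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":", nfields - 1)
            rows.append(fields + [""] * (nfields - len(fields)))
    return rows


def parse_attrs(field):
    """Turn 'key=v1,v2;key2=v' into {'key': ['v1', 'v2'], 'key2': ['v']}."""
    pairs = (item.split("=", 1) for item in field.split(";") if "=" in item)
    return {key.strip(): value.split(",") for key, value in pairs}


def effective_commands(user, user_attr, prof_attr, exec_attr):
    """Return (grants, problems) for a user, following user -> role -> profile."""
    users = {r[0]: parse_attrs(r[4]) for r in parse_db(user_attr, 5)}
    profiles = {r[0] for r in parse_db(prof_attr, 5)}
    execs = parse_db(exec_attr, 7)
    grants, problems = [], []
    if user not in users:
        return grants, ["%s has no user_attr entry" % user]
    for role in users[user].get("roles", []):
        if users.get(role, {}).get("type") != ["role"]:
            problems.append("%s is not defined as type=role" % role)
            continue
        for prof in users[role].get("profiles", []):
            if prof not in profiles:
                problems.append("profile %s missing from prof_attr" % prof)
            for row in execs:
                if row[0] == prof:
                    grants.append((role, prof, row[5], row[6]))
    return grants, problems

if __name__ == "__main__":
    print(effective_commands("user1", USER_ATTR, PROF_ATTR, EXEC_ATTR))
```

An empty problems list only confirms that the three databases are consistent with each other; it says nothing about how the role's shell runs the command.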