RBAC solaris.admin.usermgr.pswd not doing
Hi
I modified the user's authority using the command below.
usermod -A "solaris.admin.usermgr.pswd,solaris.admin.usermgr.read,solaris.admin.usermgr.write" paul
However, when I log in and try to change the passwd of another user, the process fails with an error "Permission Deny".
On executing "auths paul", the result is
solaris.admin.usermgr.pswd,solaris.admin.usermgr.read,solaris.admin.usermgr.write,solaris.jobs.*,solaris.smf.manage.cron,solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
Why can't the login paul change the passwd of users?
Please help
By fire-fly at 2007-11-26 7:33:24

# 2
> You have to type
>
> pfexec /usr/bin/passwd <other_user>
>
> The other way is to start a RBAC aware shell (like
> pfksh) and issue commands from there.
Thanks for the help, but it did not work.
Both using pfexec /usr/bin/passwd <other_user> and pfsh.
Permission denied
Executing auths
$ auths
solaris.admin.usermgr.pswd,solaris.admin.usermgr.read,solaris.admin.usermgr.write,solaris.jobs.*,solaris.smf.manage.cron,solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
The user has solaris.admin.usermgr.pswd,solaris.admin.usermgr.read,solaris.admin.usermgr.write
# 4
What has already been suggested is true; you gave the user too few options. For example, it seems the user won't be able to change the password of roles, which do form a big part of the process to change passwords.
If you then take a closer look at /etc/security/prof_attr you'll see that the other poster is absolutely right, this is the role to change passwords:
User Security:::Manage passwords, clearances:auths=solaris.role.*,solaris.profmgr.*,solaris.admin.usermgr.*;help=RtUserSecurity.html
So in this case using a role would be the easiest and best solution.
LionO at 2007-7-6 19:30:26 >

# 5
> Try using a profile instead of an Auth.
>
> usermod -P "User Management" <username>
>
> then do try the
> pfexec /usr/bin/passwd <other user>
> thing
>
> Let me know how you get on
Hi
Thanks
I did as suggested, as root user,
bash-3.00# usermod -P "User Management" paul
logged in as paul and executed pfexec /usr/bin/passwd <other user>
but permission denied.
bash-3.00$ id
uid=102(paul) gid=1(other)
bash-3.00$ profiles
User Management
Basic Solaris User
All
bash-3.00$ pfexec /usr/bin/passwd chris
Permission denied
bash-3.00$
# 7
> You need 'User Security', not management. Look into
> /etc/security/prof_attr for more details on this. In
> this case:
>
> User Security:::Manage passwords, clearances:
> User Management:::Manage users, groups, home
> directory:
Thanks ! Working now.
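
Added example (not part of any post in this thread): a shell check for which of a user's assigned profiles actually carries a command in the exec_attr database, which is the lookup that separates "User Management" from "User Security" here. The exec_attr lines are constructed sample data in the exec_attr(4) field layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in exec_attr(4) layout: name:policy:type:res1:res2:id:attr
# On a real host, feed /etc/security/exec_attr to the awk filter instead.
# (On Solaris use nawk or /usr/xpg4/bin/awk; the legacy /usr/bin/awk lacks -v.)
SAMPLE_EXEC_ATTR='# constructed sample, not copied from a real system
User Security:suser:cmd:::/usr/bin/passwd:uid=0
User Security:suser:cmd:::/usr/sbin/pwconv:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
All:suser:cmd:::*:'

# profiles_for_cmd CMD
# Print "profile<TAB>attributes" for every entry that names CMD exactly.
profiles_for_cmd() {
    printf '%s\n' "$SAMPLE_EXEC_ATTR" | awk -F: -v cmd="$1" '
        /^#/ || NF < 7 { next }                       # skip comments and short lines
        $3 == "cmd" && $6 == cmd { printf "%s\t%s\n", $1, $7 }'
}

# granting_profile CMD PROFILE...
# Of the profiles assigned to a user (as listed by profiles(1)), print the
# first one that runs CMD with security attributes. Returns 1 if none does,
# which is the case where pfexec runs the command with no extra rights.
granting_profile() {
    cmd=$1; shift
    for p in "$@"; do
        if profiles_for_cmd "$cmd" |
           awk -F'\t' -v p="$p" '$1 == p && $2 != "" { found = 1 }
                                 END { exit !found }'; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# The profile list paul had after "usermod -P 'User Management'":
granting_profile /usr/bin/passwd "User Management" "Basic Solaris User" "All" ||
    echo "no assigned profile grants /usr/bin/passwd"
```
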