using rbac cannot create roles
I need to let a nonroot user mount and unmount drives. It is necessary I use RBAC; I can't use sudo or whatever.
I've looked up loads of stuff on this, including:
http://www.samag.com/documents/s=7667/sam0213c/0213c.htm
I have tried defining a specific profile for mounting by adding the following lines to /etc/security/exec_attr
DRIVEMOUNTER:suser:cmd:::/usr/sbin/mount:euid=root,egid=bin
DRIVEMOUNTER:suser:cmd:::/usr/sbin/umount:euid=root,egid=bin
As for the roleadd command:
roleadd -m -P"DRIVEMOUNTER" drvmount
but I get the error message: error "DRIVEMOUNTER" is not a valid profile name
I have also tried simply assigning a role to the ready-made profile "System Administrator":
roleadd -m -P"System Administrator" sysadmin
but this doesn't work either: ERROR: Unable to create the home directory: Operation not applicable
Message was edited by: ChrisDB
Posted by ChrisDBa at 2007-11-26 14:06:16

# 1
I guess you have to modify the prof_attr as well, otherwise it should not work.
Cheers
Tiziana
# 2
Just create the role like usual and grant it the "PRIV_SYS_MOUNT" privilege (see the privilege(5) manpage), also known as 'sys_mount' (see /etc/security/priv_names).
Basically you'd use roleadd(1M) and user_attr(4) (/etc/user_attr) to set this up, although I think you can directly specify the privilege through use of the -K option in roleadd. What you're looking for is setting the "defaultpriv" to include sys_mount. It seems to me as if you've been mixing up profiles(1) and privileges(5). A profile is basically a "set" of privileges and associated commands, while a privilege is basically a system setting which allows the user certain tasks no matter what.
PS: naturally it's also perfectly possible to grant this privilege to a single user account. That can make life easier if this only affects one user. Then he doesn't always have to log on into a role but basically can use "pfexec mount ...." to get the job done.
Message was edited by Lion-O to add something he forgot to mention
# 3
> but i get the error message : error "DRIVEMOUNTER" is
> not a valid profile name
That's because it's in the exec_attr file.
> roleadd -m -P "System Administrator"
> sysadmin
Does the sysadmin role have a home directory?
You're on the right track with your first example, you just need to get things into the right files.
See:
http://www.ilkda.com/rbac/index.htm for help with getting things in the proper places.
alan
# 4
Thanks guys
I've set up the profile and the role 'drvmount', and assigned the role to the user account 'chris'. However, when I su into drvmount from chris and try to run mount, I get the error 'insufficient privileges'.
I have also tried setting up a role for the default profiles. I can create a role for "System Administrator" and su into that, and that works fine for stuff like useradd, usermod, etc. However, when I create a role for "File System Management" (which contains mount and umount), su into that and try to mount, I get the error again: 'insufficient privileges'. So I guess the problem is not associated with how the profile is set up.
# 5
Could you share your prof_attr file with us, please?
# 6
And, just to know, does the exec_attr contain the following entry?
privs=sys_mount
# 7
Also, you should be able to see what's wrong using ppriv, for example:
gleurex2:gleurex:/etc/security> ppriv -eD cat /etc/shadow
cat[4685]: missing privilege "file_dac_read" (euid = 2112, syscall = 225) needed at ufs_access+0x3c
cat: cannot open /etc/shadow
# 8
> Ive setup the profile and the role 'drvmount', and
> assigned the role to the user account 'chris'.
> However, when I su into drvmount from chris, and try
> to run mount, i get the error 'insufficient
> priviledges'.
Then you're probably not running a privilege aware shell. Try using "pfexec mount ..." when trying to mount the drives.
# 9
I've tried what you're doing and I've got exactly the same error message about the missing privilege (I guess the umount/mount is complaining about the ALL missing privilege)
I've modified the /etc/user_attr in this way:
prova::::type=role;profiles=DRIVEMOUNTER,All:defaultpriv=sys_mount,basic
If I run (after switching from the normal user to the role 'prova')
ppriv $$
I get:
E:basic,sys_mount
I:basic,sys_mount
P:basic,sys_mount
L:all
Still, the mount doesn't seem to work!
Only if I add "ALL" to the defaultpriv attribute of the role (in /etc/user_attr) does it work.
It happens exactly the same if I run, for example for normal user 'test' from root
usermod -K defaultpriv=basic,sys_mount test
If I try to umount a fs I receive the ALL missing privilege.
I'm a bit baffled.
# 10
First I'd suggest swapping the order of privileges, so 'basic' first and then whatever comes next. Secondly I'd ditch the role for now. Don't try to take on too many possible problems at once. And why didn't you simply try to specify this extra privilege with roleadd instead of manually editing /etc/user_attr ?
So, my suggestion if you insist on manually editing: first add a plain entry where a user gets the default privileges and these extra ones. Something along the lines of:
user::::type=normal;defaultpriv=basic,sys_mount;limitpriv=basic,sys_mount
Come to think of it.. there may be another problem here, and it would have helped if you gave us the exact error messages. Alas; next to mounting a filesystem the user would also need some access to it. For example; I can imagine that the user account needs to be able to read it in order to allow the system to make sure that everything went well.
The 'all' option which works also points in that direction; missing privileges. So, it's just a guess, but I think you may benefit from adding the 'PRIV_FILE_DAC_READ' privilege so that the user will be able to read the filesystem even when he doesn't have enough rights for that.
Another possible problem could be /etc/mnttab, which is constantly being updated the moment someone mounts/dismounts a filesystem. When your user doesn't have write access to this file it's only natural that something is bound to fail. Hence the importance of presenting full error messages. Alas; you can test this by simply telling mount not to update the mnttab file.
# 11
I've added the file_dac_execute, file_dac_read, file_dac_search and file_dac_write privileges to the role (and then directly to the user) but I go on having the same error message (complaining about the missing ALL privilege).
I did underestimate this issue
I've read lots of documents on the web and some handbooks I have at home but I have NOT found a way to solve this problem (if we don't take into consideration adding the 'ALL' privilege)
If somebody else has some suggestions...I would appreciate it
# 12
For starters, use SMC to do all this. Tweaking these files by hand is a pain.
# 13
On Solaris 10 11/06 there appears to be a profile for File Management.
In the /etc/security/exec_attr file there are listings for the mount/umount command associated with this role.
So in theory, just giving the user access to this profile should fit the bill but I haven't tested it.
alan
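The script below is an added example, not a reply in this thread and not part of any Solaris tool: it cross-checks constructed copies of prof_attr, exec_attr and user_attr for the two setup mistakes raised in posts #1, #3 and #10 (a profile that is named only in exec_attr, and a defaultpriv that leaves out 'basic'). The field layouts follow prof_attr(4), exec_attr(4) and user_attr(4); the role name, profile name and file contents are constructed sample data.

```python
# Constructed sample reproducing two of the mistakes discussed: DRIVEMOUNTER is
# declared only in exec_attr, and the role's defaultpriv leaves out 'basic'.
PROF_ATTR = "All:::Execute any command as the user or role:help=RtAll.html\n"
EXEC_ATTR = (
    "DRIVEMOUNTER:suser:cmd:::/usr/sbin/mount:euid=root,egid=bin\n"
    "DRIVEMOUNTER:suser:cmd:::/usr/sbin/umount:euid=root,egid=bin\n"
)
USER_ATTR = "drvmount::::type=role;profiles=DRIVEMOUNTER,All;defaultpriv=sys_mount\n"

def parse_attrs(field):
    """'k=v1,v2;k2=v3' -> {'k': ['v1', 'v2'], 'k2': ['v3']} (the attr field)."""
    out = {}
    for kv in filter(None, field.split(";")):
        key, _, value = kv.partition("=")
        out[key] = value.split(",") if value else []
    return out

def parse_db(text, nfields):
    """Split one colon-separated RBAC database into rows; last field = attrs."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":", nfields - 1)
            fields += [""] * (nfields - len(fields))  # tolerate short lines
            rows.append(fields[:-1] + [parse_attrs(fields[-1])])
    return rows

def check_rbac(prof_attr, exec_attr, user_attr):
    """Return one finding string per problem; empty when the databases agree."""
    findings = []
    profiles = {row[0] for row in parse_db(prof_attr, 5)}
    # A name used only in exec_attr is exactly what roleadd rejects as
    # "not a valid profile name": profiles must be declared in prof_attr.
    for name in sorted({row[0] for row in parse_db(exec_attr, 7)} - profiles):
        findings.append(f"exec_attr uses profile {name!r} with no prof_attr entry")
    for user, _qual, _r1, _r2, attrs in parse_db(user_attr, 5):
        for prof in attrs.get("profiles", []):
            if prof not in profiles:
                findings.append(f"{user}: assigned profile {prof!r} is not in prof_attr")
        dflt = attrs.get("defaultpriv")
        # defaultpriv replaces the whole default set, so omitting 'basic' also
        # drops proc_fork, proc_exec and friends from every session of the role.
        if dflt is not None and "basic" not in dflt:
            findings.append(f"{user}: defaultpriv {','.join(dflt)!r} lacks 'basic'")
    return findings

if __name__ == "__main__":
    for finding in check_rbac(PROF_ATTR, EXEC_ATTR, USER_ATTR):
        print(finding)
```

Run against real files, read them in the same order and the empty list is the "agree" result; a role that still fails with a clean report is a privilege problem to chase with ppriv -eD, as in post #7.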