RBAC - Setting up a basic user with
Hi,
I'm new to RBAC, I'm trying to set up a basic user, but which has the power to create and modify users (essentially permission to use useradd and usermod):
# useradd -d /export/home/newuser1 -m -P "User Management" newuser1
Which creates the user, and a cat of /etc/user_attr gives:
newuser1::::type=normal;profiles=User Management
However when I log in as newuser1 and try a useradd command, I get a
UX: /user/sbin/useradd: ERROR: Permission denied.
Which I guess means I just don't have the standard permission rights to the binary? Bar changing the permission on the binary (which would defeat the whole purpose of RBAC?) what's the correct way of setting this up?
Cheers.
[738 byte] By [flatbreada] at [2007-11-26 17:40:28]

# 1
> # useradd -d /export/home/newuser1 -m -P "User
> Management" newuser1
Which shell is the user using?
> However when I log in as newuser1 and try a useradd
su newuser1? http://www.ilkda.com/rbac/
alan
# 2
Ok should have used one of the profile shells!
However if I now try a useradd with the user (newuser1) which has the User Management rights, I get cpio errors:
# su - newuser1
-bash-3.00$ pfsh
$ /usr/sbin/useradd -d /export/home/timmy -m -s /usr/bin/bash timmy
cpio: Error during access() of "/export/home/t_timmy", errno 13, Permission denied
USAGE:
cpio -i[bcdfkmrstuv@BSV6] [-C size] [-E file] [-H hdr] [-I file [-M msg]] [-R id] [patterns]
cpio -o[acv@ABLV] [-C size] [-H hdr] [-O file [-M msg]]
cpio -p[adlmuv@LV] [-R id] directory
UX: /usr/sbin/useradd: ERROR: Unable to copy skeleton directory into home directory: No such file or directory.
rm: Unable to remove directory /export/home/t_timmy: Permission denied
Do I need additional Rights to carry out a useradd?
# 3
> r/sbin/useradd: ERROR: Unable to copy skeleton
> directory into home directory: No such file or
Thanks for posting the entire error message. Fix the error shown above and try again.
It appears that you have missing files and not a permissions
# 4
Hi Alan,
The same useradd command works fine as root, so everything is there to complete the useradd. This seems to imply that something else is wrong with the user I've set up, probably additional permissions/rights required.
For instance after the useradd command is run, the home directory _is_ created and is assigned the next available uid (103), but the user itself isn't created:
$ ls -la /export/home/
drwxr-xr-x   2 103      other        512 Feb  8 19:05 t_timmy
So it seems to me that something like the following is happening:
* useradd creates the home directory.
* useradd then tries to copy over the skel files (using cpio?)
* The copy of the skel's then finds that it doesn't have permissions to access the newly created directory (not owner) e.g. If I manually run:
$ cp /etc/skel/* /export/home/t_timmy
cp: cannot create /export/home/t_timmy/local.cshrc: Permission denied
cp: cannot create /export/home/t_timmy/local.login: Permission denied
cp: cannot create /export/home/t_timmy/local.profile: Permission denied
So it looks to me as if the user I've set up needs additional rights to fully complete a useradd? (I've tried adding "Object Access Management" already)
# 5
> * useradd then tries to copy over the skel files
> (using cpio?)
? :-)
> * The copy of the skel's then finds that it doesn't
> have permissions to access the newly created
> directory (not owner) e.g. If I manually run:
>
> $ cp /etc/skel/* /export/home/t_timmy
> cp: cannot create /export/home/t_timmy/local.cshrc:
> Permission denied
> cp: cannot create /export/home/t_timmy/local.login:
> Permission denied
> cp: cannot create /export/home/t_timmy/local.profile:
> Permission denied
I'm wondering if "User Management" is for SMC. Try it through the gui and see if it just works.
If it does, then please post your "User Management" of the exec_attr file.
If the command does not exist in the exec_attr file, then you need to add it there. Might be better if you copied UserManagement to something like MyUserManagementCommands and then added the missing files to it. Things like cp or cpio I guess.
Sorry, I'm still flying blind for a couple more months, otherwise I'd just look it up.
thanks,
alan
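
The check suggested in #5 (is the command listed for the user's profile in exec_attr?), written out as an added example that is not part of the thread: it resolves a user's profiles from a user_attr-format file and looks the command up in an exec_attr-format file. The sample files, the function names and the "My User Management" profile are constructed for illustration and do not describe what any real system ships.

```shell
#!/bin/sh
# Added example. All sample data is constructed; "My User Management" is a
# hypothetical custom profile, not one shipped with Solaris.

# Write constructed user_attr(4) and exec_attr(4) samples into directory $1.
make_sample() {
    cat > "$1/user_attr" <<'EOF'
newuser1::::type=normal;profiles=User Management
newuser2::::type=normal;profiles=My User Management,User Management
EOF
    cat > "$1/exec_attr" <<'EOF'
# name:policy:type:res1:res2:id:attr
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
My User Management:suser:cmd:::/usr/sbin/useradd:uid=0
My User Management:suser:cmd:::/usr/sbin/usermod:uid=0
EOF
}

# Print the profiles assigned to user $2 in user_attr file $1, one per line.
user_profiles() {
    awk -F: -v u="$2" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (sub(/^profiles=/, "", kv[i])) { gsub(/,/, "\n", kv[i]); print kv[i] }
    }' "$1"
}

# Print "profile: attrs" for the first profile of user $3 that lists command $4.
# $1 = user_attr file, $2 = exec_attr file. Returns 1 when no profile lists it.
# An id of "*" or "/dir/*" in exec_attr is a wildcard. Profiles nested via
# prof_attr and defaults from policy.conf are not followed here.
user_cmd_attrs() {
    user_profiles "$1" "$3" | while IFS= read -r prof; do
        awk -F: -v p="$prof" -v c="$4" '
            /^#/ || $1 != p || $3 != "cmd" { next }
            { dir = c; sub("/[^/]*$", "/", dir) }
            $6 == c || $6 == "*" || $6 == dir "*" {
                print p ": " ($7 == "" ? "none" : $7); hit = 1; exit }
            END { exit !hit }' "$2" && exit 0
    done | grep .
}

d=$(mktemp -d) && make_sample "$d"
for u in newuser1 newuser2; do
    user_cmd_attrs "$d/user_attr" "$d/exec_attr" "$u" /usr/sbin/useradd ||
        echo "$u: no assigned profile lists /usr/sbin/useradd"
done
rm -rf "$d"
```

On a real system, point the two file arguments at /etc/user_attr and /etc/security/exec_attr; an attribute of "none" means the command is listed but runs without any changed uid or euid.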
