Trouble configuring RBAC to allow a daemon to execute a set of commands

I have a daemon that is not running as root but needs to run several restricted commands. The daemon is spawned via the cron table of a normal user.

Most of the documentation I've seen discusses role based access which assumes a logged in user using 'su' and entering a password. I cannot get RBAC to work in either case.

To prototype the RBAC configuration, I created 2 simple shells executable by root (my1 and my2) and copied /usr/bin/who as mywho and made it executable by root. my1 executes mywho. All 3 commands run fine as root user.

-rwxr--r-- 1 root root    27 Jun 11 10:35 my1*
-rwxr--r-- 1 root root    19 Jun 11 10:03 my2*
-rwxr--r-- 1 root root 18556 Jun 11 10:21 mywho*

The following is one of many flavors of RBAC configuration. This is one with which I have had limited success.

/etc/security/exec_attr

MY:suser:cmd:::/home/myuser/rootbin/my1:uid=0

MY:suser:cmd:::/home/myuser/rootbin/my2:uid=0

MY:suser:cmd:::/home/myuser/rootbin/mywho:uid=0

/etc/security/prof_attr

MY:::MY Management:auths=abc.my

/etc/security/auth_attr

abc.my:::MY Managment::

/etc/user_attr

myuser::::type=normal;profile=MY;defaultpriv=basic

I get the following results logged in as myuser

> ./my1

ksh: ./my1: cannot execute

This is expected.

> pfexec ./my1

pfexec: Permission denied

I would think this should work, but it doesn't.

> pfexec ksh ./my1

Running my1

./my1[2]: ./mywho: cannot execute

Almost works but cannot execute mywho

> pfexec ksh ./my2

Running my2

Simple shell works OK.

> pfexec ./mywho

pfexec: Permission denied

This is what I need to work.

> pfexec ksh ./mywho

ksh: ./mywho: cannot execute

This won't work either

What am I missing?

Thanks

Jerry

[1995 byte] By [Horriblea] at [2007-11-27 7:03:57]
# 1
Sorry. Did not realize that this was a Java-specific forum. Reposted this in Solaris 10 General Discussion.
Horriblea at 2007-7-12 18:55:14