On Fri, May 29, 2009 at 11:33:01AM -0500, Shawn Walker wrote:
> >RBAC offers a lot of functionality, but without pfexec using password 
> >authentication, I don't think it is the best fit as used here.
> 
> Arguably, RBAC and the use of roles offers better security than sudo 
> depending on the setup you use.  (I'm speaking only of role-based 
> authentication here, not pfexec.)

RBAC is better than SUDO, IMO, because it can be used from contexts
where SUDO can't be, such as IPC services.  (For example, SMF itself,
where svc.configd authorizes the requests it gets by checking the
RBAC authorizations of the caller's euid.)

However, the lack of a password prompt and convenience "ticketing"
feature like SUDO's does hurt RBAC.

Nico