Alan Coopersmith wrote: > Darren J Moffat wrote: >> Alan Coopersmith wrote: >>> scanpci continues to require extra privileges to run. The exec_attr >>> RBAC entry to grant these privileges to users with the "Desktop >>> Configuration" role will be updated to add the new scanpci path. >> ^^^^ profile not role, roles are user ids. >> >> The name of a new profile is an exported interface. >> >> What does the entry for scanpci in this exec_attr(4) profile look like ? >> Is it running it as euid=0 with all privs or something less ? > > This is not a new profile, this is just duplicating the entry added for > scanpci by the TCR for PSARC 2004/187 that's already in exec_attr to have > the new path (leaving the old path so that pfexec of either path works). > > That entry is: > Desktop > Configuration:solaris:cmd:::/usr/X11/bin/scanpci:euid=0;privs=sys_config > > So this case will add: > Desktop Configuration:solaris:cmd:::/usr/bin/scanpci:euid=0;privs=sys_config
Doh thats what I get for looking at a SPARC (snv_100) machine instead of an x86 one! Thought that does bring up an interesting side issue about how the nameservice versions of these will get fully populated if we don't deliver the same content on SPARC and x86. Also shouldn't at least some of that profile apply to SPARC too (not this case though). -- Darren J Moffat
