> Amendment 1: > > The pconsole-bin binary requires elevated privilege to be useful. We > request to move the binary from the originally stated /usr/bin to > /usr/sbin, in line with where other binaries requiring privilege > usually exist. > > Amendment 2: > > A new execution profile and attribute will be defined. The specific > RBAC additions are: > > /etc/security/prof_attr: > Parallel Console Access:::Connect to remote consoles with pconsole: > > /etc/security/exec_attr: > Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0 ^^^^^ ^^^^^^ This is fine for S7-S9, but not for S10 forward. exec_attr(4): policy The security policy that is associated with the profile entry. The valid policies are suser (stan- dard Solaris superuser) and solaris. The solaris policy recognizes privileges (see privileges(5)); the suser policy does not.
The solaris and suser policies can coexist in the same exec_attr database, so that Solaris releases prior to the current release can use the suser policy and the current Solaris release can use a solaris policy. solaris is a superset of suser; it allows you to specify privileges in addition to UIDs. Policies that are specific to the current release of Solaris or that contain privileges should use solaris. Policies that use UIDs only or that are not specific to the current Solaris release should use suser. What are the elevated privileges and why are they required? Just those privileges should be specified in the privs= attribute. Why is there a need to specify a uid? Gary..