Gary Winiger wrote:
>> Amendment 1:
>>
>> The pconsole-bin binary requires elevated privilege to be useful. We
>> request to move the binary from the originally stated /usr/bin to
>> /usr/sbin, in line with where other binaries requiring privilege
>> usually exist.
>>
>> Amendment 2:
>>
>> A new execution profile and attribute will be defined. The specific
>> RBAC additions are:
>>
>> /etc/security/prof_attr:
>> Parallel Console Access:::Connect to remote consoles with pconsole:
>>
>> /etc/security/exec_attr:
>> Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
>                          ^^^^^                              ^^^^^^
> This is fine for S7-S9, but not for S10 forward.
> exec_attr(4):
>      policy    The security policy that is associated with the
>                profile entry. The valid policies are suser (standard
>                Solaris superuser) and solaris. The solaris
>                policy recognizes privileges (see privileges(5));
>                the suser policy does not.
>
>                The solaris and suser policies can coexist in the
>                same exec_attr database, so that Solaris releases
>                prior to the current release can use the suser
>                policy and the current Solaris release can use a
>                solaris policy. solaris is a superset of suser; it
>                allows you to specify privileges in addition to
>                UIDs. Policies that are specific to the current
>                release of Solaris or that contain privileges
>                should use solaris. Policies that use UIDs only or
>                that are not specific to the current Solaris
>                release should use suser.
>
> What are the elevated privileges and why are they required?
> Just those privileges should be specified in the privs= attribute.
> Why is there a need to specify a uid?
>
> Gary..
>
> _______________________________________________
> opensolaris-arc mailing list
> opensolaris-arc at opensolaris.org

Thanks Gary,

We'll work on narrowing the privilege and send an update.

-tim
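
An added example, not part of the original thread or of pconsole: a small Python lint that parses exec_attr(4) entries and flags commands granted uid or euid 0 rather than named privileges, the point raised in the review above. The function names and the second sample entry are constructed for illustration; the field layout is the one documented in exec_attr(4).

```python
# Added example: lint exec_attr(4) entries for blanket root grants.
# Field layout per exec_attr(4): name:policy:type:res1:res2:id:attr

ROOT_KEYS = ("uid", "euid")

# Sample input. The first entry is the one proposed in the thread;
# the second is constructed for contrast.
SAMPLE = """\
# exec_attr sample
Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
Example Profile:solaris:cmd:::/usr/bin/example:privs=proc_owner
"""


def parse_entry(line):
    """Split one exec_attr line into a dict; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":", 6)
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    name, policy, kind, _res1, _res2, ident, attr = fields
    attrs = {}
    for pair in filter(None, attr.split(";")):  # attr is key=value;key=value
        key, _, value = pair.partition("=")
        attrs[key.strip()] = value.strip()
    return {"name": name, "policy": policy, "type": kind,
            "id": ident, "attrs": attrs}


def lint(text):
    """Return (command, reason) pairs for entries that run as root."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        root = [k for k in ROOT_KEYS if entry["attrs"].get(k) in ("0", "root")]
        if not root:
            continue
        if entry["policy"] == "suser":
            reason = "suser policy with %s=0; suser cannot carry privs=" % root[0]
        elif "privs" in entry["attrs"]:
            reason = "%s=0 set alongside privs=; check the uid is needed" % root[0]
        else:
            reason = "solaris policy with %s=0 only; list privs= instead" % root[0]
        findings.append((entry["id"], reason))
    return findings
```

Calling `lint(SAMPLE)` reports only the pconsole-bin entry; the constructed entry that lists a privilege and no uid passes.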