On Wed, 2009-04-08 at 12:55 +0100, Darren J Moffat wrote: > Mark Phalan wrote: > > > 3) The program will be run as root (if I correctly understand what gksu > > does) which means that when browsing for files it will see a different > > home directory (root's) and may not even be able to access the proper > > user's home directory if on NFS. The application may also look different > > due to themeing configuration , recent files list etc. From a usability > > point of view this isn't very nice. > > gksu on OpenSolaris has been modified (though strangely the man page > doesn't talk about this - I'll file a man page bug) to first look to see > if the user has an RBAC profile for the command being run if it does > then it uses pfexec(1). > > If the user doesn't have a direct RBAC profile entry for the command but > the user can assume a role that does have an RBAC profile entry then > gksu prompts for the role password. Failing all that then gksu prompts > for the root password (which given gksu is really using su(1M) will fail > it root is a role that the user can't assume). > > For example, I created the "Desktop CD User" profile and assign it as > the case defines it to "CONSOLE_USER" in policy.conf and have an entry > for rhythmbox with privs=sys_devices in exec_attr. I then used gksu to > start up rhythmbox and we see: > > islay:pts/16$ gksu /usr/bin/rhythmbox > islay:pts/16$ ppriv $(pgrep rhythmbox) > 27049: /usr/lib/rhythmbox-metadata unix:tmpdir=/tmp > flags = <none> > E: basic,sys_devices > I: basic,sys_devices > P: basic,sys_devices > L: all > 27037: /usr/bin/rhythmbox > flags = <none> > E: basic,sys_devices > I: basic,sys_devices > P: basic,sys_devices > L: all > islay:pts/16$ pcred $(pgrep rhythmbox) > 27049: e/r/suid=101 e/r/sgid=10 > 27037: e/r/suid=101 e/r/sgid=10 > >
Ok, that makes a lot more sense. Thanks for the explanation. -M
