On 26/02/2010 09:35, Casper Dik wrote: > > Template Version: @(#)sac_nextcase 1.69 02/15/10 SMI > This information is Copyright 2010 Sun Microsystems > 1. Introduction > 1.1. Project/Component Working Name: > RBAC update: user attrs from profiles > 1.2. Name of Document Author/Supplier: > Author: Casper Dik > 1.3 Date of This Document: > 26 February, 2010 > 4. Technical Description > I'm sponsoring this fasttrack for myself. > > This project proposes updates to the rbac implementation. > > Release binding: minor. > > The current rbac implementation has several shortcomings: > > - it's not easy to override the default privileges > defined in /etc/security/policy.conf > > - every user *always* inherits whatever is specified in > /etc/security/policy.conf: AUTHS_GRANTED, PROFS_GRANTED > > > To fix these problems, this fasttrack defines the following new > features: > > > The prof_attr(4) database supports two new keywords: > defaultpriv, limitpriv; they have the same semantics as they > have in user_attr(4). On establishing a user credential, > the profiles database is searched and the first match for > each keyword is returned.
Why just those two ? In general other than "type" I think all of the user_attr(4) keywords should be applicable in prof_attr (I wouldn't object to type being able to be specified in prof_attr though). In particular: roles, project, lock_after_retries but all the others too. For me project would be the most useful of those but I can see an need for the others too. Similarly the TX specific ones would be useful in prof_attr(4) for defining collections of users all with the same operating label range (min_label and clearance keywords). > The new system defined profile "Stop"; when this profile > is encountered it excludes all the later profiles which would > normally be encountered. Specifically, if a user has a profile > in its list which includes "Stop", then the PROFS_GRANTED > profiles are never considered for this user and the > AUTHS_GRANTED are ignored. This is a very useful feature and I know of several customer deployments where this would have been very valuable. Glad to see it. -- Darren J Moffat
