>It seems to be forbidden to log into a rule directly, but how is this >impleted? Does the 'login' program check /etc/user_attr and forbids >a login into a role directly?
It's implemented through a pam module (pam_roles.so.1) which checks when authenticating a role whether this is a login or secondary auhentications. >Other places mention that a user may "assume" a role. But there is no >hint on how this could be done. Is this done via the "su" command? >If yes, is then the su man page incopmplete? "su", yes. > >BTW: the current result is that I am now able to run cdrecord in root-less >mode via pfexec. Which should be possible without roles but just the appropriate profile and additions to exec_attr. Casper _______________________________________________ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org