James Carlson wrote:
> John Sonnenschein writes:
>> putting it in a separate package sufficient, or would an /etc/chsh.deny
>> file be the preferred method?
>
> Neither. I think this ought to be an authorization that can be
> granted or revoked. Something like:
>
> solaris.admin.usermgr.shell
> solaris.admin.usermgr.gecos
>
> Inventing yet another independent permissions system would be (I
> think) a bad thing.

I completely agree with Jim here. This follows the existing scheme where we already have fine-grained auths for allowing change of other user properties such as audit config and user clearance and label (TX features), though today only smc(1M) checks them.

--
Darren J Moffat