Hi Darren,
On 08/ 4/10 03:00 AM, Darren Reed wrote:
On 3/08/10 11:05 PM, Scott Rotondo wrote:
On 8/3/10 10:49 PM, Darren Reed wrote:
On 3/08/10 10:21 PM, Scott Rotondo wrote:
On 8/3/10 7:26 PM, Darren Reed wrote:
Last time I tried, I could not su to root because it was a role.
You are mistaken. When root is a role, su is the *only* way to log in
to that account. Of course, your user account must be authorized to
assume that role.
My recollection is that when I tried to do "su" from the created account
it failed with an error that was the same as when I tried to login to
the
root account - i.e. that it was not permitted because root was a role.
You must have tried this from a user account that does not have root
in its list of allowed roles. Try running roles(1) first.
Let me guess, the first account created gets put in the "Primary
Administrator" role and not the "root" role?
(I don't have the respective system handy...)
I think you are confusing two concepts, one of which I think has a bad
security implication, which you've seen, and one of which does not.
This is what a user gets in /etc/user_attr by default on OSOL installs.
user::::profiles=Primary Administrator;roles=root
The behavior you saw is being able to "pfxec blah" with uid 0 privilege.
That has nothing to do with the root role. It has to do with this
incredibly powerful profile granted to it. That profile was intended to
be a "never to be used in production" profile. There is an acknowledged
bug to change this.
Note that if you never gave the user the root role, you'd have the same
issue. i.e.
user::::profiles=Primary
still makes you all powerful dictator with pfexec. Run profiles -l as
the user to see what is actually in the profile.
Below is the root role, by default, which is powerful.
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
Since it is a role, you can't log in directly.
If you have a user that is normal and doesn't have any profiles with
elevated privileges, pfexec does not impart any special powers. You
have to su to root to get the root powers. You'd only be allowed to su
to root if the role was in your user_attr line. And then the auditing
shows both that you are running as root and who you really are. That's
the idea.
Try this one:
user::::roles=root
The Primary Administrator profile being assigned to users this way has
confused people and broken the RBAC concept, IMO.
-Paul
_______________________________________________
security-discuss mailing list
[email protected]
