SUMMARY: pkgadd for operators (non-root users)

From: Carlos Sevillano (carlos_sevillano_at_ureach.com)
Date: 11/08/04

    Date: Sun, 7 Nov 2004 23:04:31 -0500
    To: sunmanagers@sunmanagers.org
    
    

    In a Nutshell... Sudo is the way to go with maybe rbac as a
    second choice. However, I can't use sudo because
    though it works with Etrust, NIS+, and Stand-alone systems ...
    it does not work with the older security models
    Keon/SMax/and PowerPack...

    PowerBroker makes Sudo authenticate to the PowerBroker
    database and not really to Sudo (perhaps my mistake... but I get
    it to work on NIS+, Stand-Alone... but same configuration failed
    on PowerBroker).

    A SUID program released via a One-Time Safeword/Desgold password
    bound to a functional account that is on a captive
    menu is the way to go (in my case). Zion Huang helped with the
    C code to get a basic suid file working. Again, if I did not
    have four or five security models sudo would be the best choice
    with rbac as a second choice.

    Thanks to:
    Zion_Huang@concentra.com
    David Foster <foster@ncmir.ucsd.edu>
    "Alan Pae" <alanpae@lycos.com>
    "Dell, Mary" <mdell@mesirowfinancial.com>
    Neezam Haniff <nhaniff@ca.mci.com>
    "Baker, Darryl" <Darryl.Baker@gedas.com>

    Zion_Huang@concentra.com:

    > Here is the code:
    >
    > #include <sys/types.h>
    > #include <stdio.h>
    > #include <stdlib.h>   /* exit() */
    > #include <unistd.h>   /* setuid(), setgid() */
    >
    > int main(void)
    > {
    > setuid(0);   /* <---------- this is the line that makes the difference */
    > setgid(0);
    > system("/bin/sh");
    > exit(0);
    > }
    >
    > After compiling this, this is similar to sudo to get into super user
    > mode.
    >
    > Hope this helps.
    >
    > Zion

    ** Thanks this code works... I am adding traps etc... putting a
    section to have the insecure code and only switch to
    secure to run the pkgadd command etc.

    "Alan Pae" <alanpae@lycos.com>

    have you tried sudo or rbac?

    ---
    Sun Country  - Hundreds of links and technical articles.
    http://alanpae.tripod.com/sitemap.htm
    http://resources.solaris-x86.org/sitemap.htm

    ** rbac is good... but still have some legacy solaris 2.6.  Also
    would add one more security model to my Infrastructure.  Most of
    the native support was provided for Solaris 9... I'll have to look
    up Solaris 8 support but, still one more security model.

    David Foster <foster@ncmir.ucsd.edu>

    Did you try sudo?  Or perhaps RBAC in Solaris 9.
    I wouldn't use Perl for this any longer, as of 5.5.8
    Perl no longer supports this, for security reasons.

    ** thanks... good thing you mentioned it... I went asking for
    help on C instead of Perl which would have been
    my first choice.

    "Dell, Mary" <mdell@mesirowfinancial.com>

    I use sudo to allow my operators to do a couple of root
    functions - I don't know if it works with any fancy auth
    methods, but it works great with regular unix.  You can allow
    different users to use different apps; you can
    specify whether they need to have a password or not, and you can
    create groups to give access to.  My operators
    only have root access to one app, nsrjb, and otherwise they're
    not able to do root stuff.

    ** Thanks Sudo works on about half of my security models.  I was
    looking for something that could be used in all
    my environments.  The suid C program works on all of them... I
    wish I could use sudo.

    Neezam Haniff <nhaniff@ca.mci.com>

    This sounds like a job for sudo. Sudo gives you the ability to
    scope out what a particular userid is allowed to run with 'root'
    privileges. I think it will give you the granularity you need to
    accomplish the task at hand.
    Using the said script with sudo should work. Unfortunately, I have
    not come across an environment with these particular requirements.
    Hopefully this will provide some insight into a possible
    solution, though.

    ** thanks.

    "Baker, Darryl" <Darryl.Baker@gedas.com>

    The 2 best solutions are sudo (switch user and do) and RBAC (role
    based access control). Both allow non-root users root privileges to
    run some defined set of commands. While RBAC comes with Solaris 8 and
    9 it is cumbersome to set up. Sudo is available in a package form
    from Sun Freeware (www.sunfreeware.com) and is widely used on many
    platforms.

    ** Thanks.

    Carlos
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
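Editor's added example, not code from this thread or from any of the contributors: the quoted wrapper hands the operator an unrestricted root shell, so the restriction the summary describes (spend the privilege only on pkgadd) belongs inside the wrapper itself. This version accepts one vetted package name, scrubs the environment, and execs a fixed pkgadd path with a fixed argument list instead of system("/bin/sh"); the spool directory /var/spool/pkg, the pkgadd path and the "-d <dir> <pkg>" argument form are assumptions for the example.

```c
/* Added example, not from the thread: a setuid-root wrapper that can
 * run only pkgadd on one vetted package name.  PKG_DIR, PKGADD and the
 * "-d <dir> <pkg>" argument form are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PKG_DIR  "/var/spool/pkg"     /* assumed staging directory */
#define PKGADD   "/usr/sbin/pkgadd"   /* assumed absolute path, never $PATH */
#define MAX_NAME 64

/* Accept only a bare package name: bounded length, no leading dot
 * (rules out ".", ".." and dotfiles), and only [A-Za-z0-9._-], so no
 * path separators, spaces or shell metacharacters can reach pkgadd. */
int pkg_name_ok(const char *name)
{
    size_t i, n;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > MAX_NAME || name[0] == '.') return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    /* Fresh environment: nothing inherited from the operator's shell. */
    char *const env[] = { "PATH=/usr/sbin:/usr/bin", NULL };
    if (argc != 2 || !pkg_name_ok(argv[1])) {
        fprintf(stderr, "usage: pkgadd-wrapper <package-name>\n");
        return 2;
    }
    /* Binary is installed 4750 root:operators, so euid is already 0;
     * make the real uid 0 too, and refuse to continue if that fails. */
    if (setuid(0) != 0 || setgid(0) != 0) {
        perror("setuid/setgid");
        return 1;
    }
    /* execle with a fixed argv: no system(), no /bin/sh, no user-shaped
     * command line.  The lines after it run only if exec itself fails. */
    execle(PKGADD, "pkgadd", "-d", PKG_DIR, argv[1], (char *)NULL, env);
    perror(PKGADD);
    return 1;
}
```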
    
