Re: Now Solaris has ACL's is there any need for sudo?
From: Akop Pogosian (akopps+usenet_at_ocf.berkeley.edu)
Date: 08/16/03
- Next message: Akop Pogosian: "Re: Locale selections in dtlogin in Solaris 9 08/03"
- Previous message: Dave Uhring: "Re: Help troubleshooting no CDE login screen on Sol9"
- In reply to: Wayne: "Re: Now Solaris has ACL's is there any need for sudo?"
- Next in thread: Philip Brown: "Re: Now Solaris has ACL's is there any need for sudo?"
- Reply: Philip Brown: "Re: Now Solaris has ACL's is there any need for sudo?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 16 Aug 2003 03:50:15 +0000 (UTC)
Wayne <nospam@all.4me> wrote:
> Akop Pogosian wrote:
>> chud@chud.is-a-geek.net wrote:
>>
>>
>>>Have you ever tried to set up ACL's? I have, and it is a big pain in
>>>the ass. Granted, you have finer granularity with ACL's but when you
>>>want to give fast and dirty access to otherwise root run commands to
>>>some operators, sudo is the way to go. This is IMHO of course ;)
>>
>> Of course, the additional granularity of file ACLs comes at the price
>> of a higher learning curve, though I don't find ACLs to be too much pain
>> to use. The setfacl syntax is more complicated than chmod, but I
>> usually only use setfacl with the -f option, which accepts as its input
>> the (possibly edited) output of the getfacl command.
>>
>> Though, I don't think this answers the OP's question, because he was
>> looking for a sudo replacement. More granular file ACLs can of course
>> remove the necessity for using sudo in certain cases, but a more
>> general solution is the Solaris RBAC/pfexec facility.
> In my opinion:
> Neither ACLs nor RBACs provide the flexibility, ease, and granularity
> of sudo. While an ACL can be set on a project directory, it is
> sometimes the case that you wish to limit execute permission to
> certain commands. The ancient technique of setting up extra groups
> (e.g., a group per command, and adding users to the groups to control
> who can run which commands) may not work: there is a
> limit of 16-32 for the number of groups per user. And setting an
> ACL on each command, directory, and the odd data files, libraries,
> etc., could easily be a maintenance nightmare.
> RBAC is for sites that don't permit 3rd party software such as sudo,
> but near as I can see from the RBAC docs I've read, while you can
> restrict usage to commands, you can't control which options.
You could use shell wrapper scripts or RBAC authorizations to overcome
this limitation, but the latter will work only with certain RBAC-enabled
Sun applications and only for certain commonly used tasks. I think too
that it's probably not worth spending the time reinventing the wheel
with RBAC when you can use sudo, but for certain corner cases RBAC
might still be useful.
--
Akop Pogosian
This space has been accidentally left blank.
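As an added illustration that is not part of the original post or of any Solaris or sudo code: the "shell wrapper script" approach mentioned in the reply above can be made to fail closed by checking every argument against a short allow-list before the privileged command is executed. The wrapped command path (/usr/sbin/example-service) and the accepted options are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: an argument-checking wrapper placed in front of a
# privileged command (via sudo, pfexec, or a setuid helper), so that only
# known options reach it. The command path and option list below are
# assumptions for illustration, not from the original post.

WRAPPED_CMD="/usr/sbin/example-service"   # hypothetical privileged command

# check_arg: return 0 if one argument is on the allow-list, 1 otherwise.
# Accepts a few fixed options and a plain service name; rejects unknown
# options, empty strings, and anything containing characters outside
# [A-Za-z0-9_.-] (so whitespace, ';', '/', '$' and similar never pass).
check_arg() {
    case "$1" in
        -s|--status|-r|--restart)
            return 0 ;;                 # explicitly allowed options
        -*)
            return 1 ;;                 # any other option is refused
        ""|*[!A-Za-z0-9_.-]*)
            return 1 ;;                 # empty or contains a disallowed char
        *)
            return 0 ;;                 # bare service name
    esac
}

# validate_args: check every argument; stop at the first rejected one.
validate_args() {
    for arg in "$@"; do
        if ! check_arg "$arg"; then
            echo "wrapper: rejected argument: $arg" >&2
            return 1
        fi
    done
    return 0
}

# run_wrapped: validate, then replace this shell with the real command,
# using a minimal environment so callers cannot smuggle in PATH or
# library-loading variables.
run_wrapped() {
    validate_args "$@" || return 1
    exec /usr/bin/env -i PATH=/usr/bin:/usr/sbin "$WRAPPED_CMD" "$@"
}

# Only dispatch when explicitly asked to, so the functions can be sourced
# and tested without executing anything privileged.
if [ "${WRAPPER_MAIN:-0}" = 1 ]; then
    run_wrapped "$@"
fi
```

Usage: install the script with root ownership and mode 0755, point the sudoers or RBAC entry at the wrapper rather than at the underlying command, and invoke it as `WRAPPER_MAIN=1 ./wrapper.sh -r httpd`. The allow-list is deliberately positive (what is permitted) rather than negative (what is forbidden), because a deny-list of shell metacharacters is easy to get wrong.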