Re: RBAC auth/profile to allow ftp?

From: James Noyes (nntp_at_retrogeeks.com)
Date: 09/28/05


Date: Wed, 28 Sep 2005 14:39:52 -0600

On Wed, 28 Sep 2005 16:28:45 +0000, Casper H. S. *** wrote:
> Roles are not supposed to be able to login. Whether using a console
> or ftp, ssh or anything else.
>
I agree - fundamentally - with this concept. Prevention of direct login
is exactly why we used roles to begin with. But an ftp login is not an
interactive shell, and is much easier to constrain to certain directories
and capabilities. Plus roles really *are* interactive, shell-level users
once an authorized user has assumed the role. I guess this is about the
requirement for only authorized users assuming roles. Why not permit a
two-stage ftp login that lets an "authorized" user promote themselves to
the role ID within an established ftp session?
Also, if roles are not supposed to have *any* access to login, what is the
purpose of the solaris.login.enable and solaris.login.remote auths present
in auth_attr? Assigning these auths to a role doesn't seem to accomplish
anything. For that matter, where are the effects of the solaris.* auths
spelled out? I haven't found ANY reference ANYWHERE that says "auth
solaris.foo.bar allows the role/user to do such-and-such."
Are we just supposed to guess? I made an educated guess about
solaris.login.enable, and ended up being wrong.

> Ah, that's something we currently do not have; is there a requirement
> for these accounts to be roles?
>
The accounts are shared application-specific accounts (similar in
purpose to a frequent request I see regarding needing, for example, an
"oracle" user that can't log in to the system directly, but otherwise
functions as a regular user with cron, file ownership, etc). Roles simply
provided the most obvious way to do this with a simple and manageable
implementation and enforcement. Roles also allowed us to both grant
additional privileges to these accounts, as well as restrict them, through
the use of the pf*sh shells. Roles were basically *perfect* until it was
revealed that we needed the ability to put and get files onto these
systems AS these shared application IDs using ftp.

> You can always file an RFE.

Not without a support contract, which is basically never going to happen.

I still have the pam.conf hack to fall back on, but I hate to "fall back"
unless it's absolutely necessary.
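The post above turns on how Solaris RBAC decides that an account is a role, who may assume it, and which authorizations it ends up with from user_attr(4) and prof_attr(4). The following resolver is an added example, not code from the poster or from Solaris; the two database fragments are constructed for illustration (the account names appsvc, jnoyes and bob and the "App Service" profile are made up), only the file layouts and the type=, auths=, profiles= and roles= keywords are the standard ones, and policy.conf defaults (AUTHS_GRANTED, PROFS_GRANTED) are deliberately not consulted. It reports what is assigned, including a trailing-wildcard auth such as solaris.*; it says nothing about what solaris.login.enable actually permits, which is the open question in the thread.

```python
"""Resolve Solaris RBAC assignments from user_attr(4) / prof_attr(4) text.

Added example with constructed sample data; not the poster's configuration.
Simplification: policy.conf (AUTHS_GRANTED / PROFS_GRANTED) is ignored.
"""
from typing import Dict, List, Set

# user_attr(4): user:qualifier:res1:res2:attr   (attr = key=v1,v2;key=v3)
USER_ATTR = """\
root::::type=normal;auths=solaris.*;profiles=All
appsvc::::type=role;profiles=App Service;auths=solaris.login.enable
jnoyes::::type=normal;roles=appsvc;profiles=Basic Solaris User
bob::::type=normal;profiles=Basic Solaris User
"""

# prof_attr(4): profname:res1:res2:desc:attr
PROF_ATTR = """\
App Service:::Shared application account rights:auths=solaris.jobs.user;profiles=Basic Solaris User
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users
All:::Execute any command as the user or role:help=RtAll.html
"""


def parse_attr(attr: str) -> Dict[str, List[str]]:
    """Split 'k=v1,v2;k2=v3' into {'k': ['v1', 'v2'], 'k2': ['v3']}."""
    out: Dict[str, List[str]] = {}
    for kv in filter(None, attr.split(";")):
        key, _, value = kv.partition("=")
        out[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return out


def parse_db(text: str, attr_index: int) -> Dict[str, Dict[str, List[str]]]:
    """Index a colon-separated RBAC database by its first field."""
    db: Dict[str, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= attr_index:
            continue  # malformed entry: skip rather than guess
        db[fields[0]] = parse_attr(fields[attr_index])
    return db


USERS = parse_db(USER_ATTR, 4)
PROFILES = parse_db(PROF_ATTR, 4)


def is_role(name: str) -> bool:
    """An account is a role iff its user_attr entry carries type=role."""
    return USERS.get(name, {}).get("type") == ["role"]


def profile_auths(profile: str, seen: Set[str] = None) -> Set[str]:
    """Auths granted by a profile, following nested profiles= (cycle-safe)."""
    seen = set() if seen is None else seen
    if profile in seen or profile not in PROFILES:
        return set()
    seen.add(profile)
    attrs = PROFILES[profile]
    auths = set(attrs.get("auths", []))
    for sub in attrs.get("profiles", []):
        auths |= profile_auths(sub, seen)
    return auths


def effective_auths(name: str) -> Set[str]:
    """Direct auths= on the account plus everything its profiles grant."""
    attrs = USERS.get(name, {})
    auths = set(attrs.get("auths", []))
    seen: Set[str] = set()
    for prof in attrs.get("profiles", []):
        auths |= profile_auths(prof, seen)
    return auths


def has_auth(name: str, wanted: str) -> bool:
    """Exact match, or a trailing-wildcard grant such as solaris.* ."""
    for auth in effective_auths(name):
        if auth == wanted:
            return True
        if auth.endswith(".*") and wanted.startswith(auth[:-1]):
            return True
    return False


def can_assume(user: str, role: str) -> bool:
    """A user may su to a role only if the role is listed in its roles=."""
    return is_role(role) and role in USERS.get(user, {}).get("roles", [])


def assumers(role: str) -> List[str]:
    """All accounts authorized to assume the given role."""
    return sorted(u for u in USERS if can_assume(u, role))


if __name__ == "__main__":
    for acct in USERS:
        kind = "role" if is_role(acct) else "user"
        print(f"{acct} ({kind}): {sorted(effective_auths(acct))}")
    print("appsvc can be assumed by:", assumers("appsvc"))
```

Run it and the appsvc role shows solaris.login.enable among its auths while jnoyes is the only account allowed to assume it; whether that auth does anything for a role is exactly what the resolver cannot tell you.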