SUMMARY: pkgadd for operators (non-root users)

2007-12-25 4:10:00

In a nutshell... Sudo is the way to go with maybe RBAC as a
second choice. However, I can't use sudo because,
though it works with Etrust, NIS+, and stand-alone systems...
it does not work with the older security models
Keon/SMax/and PowerPack...

PowerBroker makes sudo authenticate to the PowerBroker
database and not really to sudo (perhaps my mistake... but I got
it to work on NIS+ and stand-alone... the same configuration failed
on PowerBroker).

A SUID program released via a one-time Safeword/Desgold password
bound to a functional account that is on a captive
menu is the way to go (in my case). Zion Huang helped with the
C code to get a basic SUID file working. Again, if I did not
have four or five security models, sudo would be the best choice
with RBAC as a second choice.

Thanks to:
Zion_Huang at concentra.com
David Foster <foster at ncmir.ucsd.edu>
"Alan Pae" <alanpae at lycos.com>
"Dell, Mary" <mdell at mesirowfinancial.com>
Neezam Haniff <nhaniff at ca.mci.com>
"Baker, Darryl" <Darryl.Baker at gedas.com>

Zion_Huang at concentra.com:

> Here is the code:
>
> #include <sys/types.h>
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <unistd.h>   /* setuid(), setgid() */
>
> int main(void)
> {
>     /* this is the line that is different: with the binary installed
>      * setuid root, setuid(0) makes the real uid root as well */
>     if (setuid(0) != 0) { perror("setuid"); exit(1); }
>     if (setgid(0) != 0) { perror("setgid"); exit(1); }
>     system("/bin/sh");   /* spawns a root shell */
>     exit(0);
> }
>
> After compiling this, this is similar to sudo to get into super user
> mode.
>
> Hope this helps.
>
>
> Zion

** Thanks, this code works... I am adding traps etc... putting a
section to have the insecure code and only switch to
secure to run the pkgadd command etc.
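An added example, not code from the thread, of the "secure" direction described above: a setuid wrapper that never hands out a shell and only execs pkgadd on a validated package instance name, raising privilege just before the exec. PKGADD_PATH and SPOOL_DIR are assumed locations.

```c
/* Added example, not code from the thread: a setuid wrapper that only
 * execs pkgadd on a validated package name instead of spawning a shell.
 * PKGADD_PATH and SPOOL_DIR are assumed locations. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PKGADD_PATH "/usr/sbin/pkgadd"   /* fixed path, never taken from argv */
#define SPOOL_DIR   "/var/spool/pkg"     /* assumed package spool directory */

/* Accept only plain package instance names made of [A-Za-z0-9_.+-] that do
 * not start with '-' or '.', so the operator cannot pass pkgadd an option,
 * a path, or a device. Returns 1 if acceptable, 0 otherwise. */
int valid_pkg_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-' || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '+' && c != '-')
            return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    /* pkgadd inherits a minimal environment, not the operator's. */
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin", NULL };

    if (argc != 2 || !valid_pkg_name(argv[1])) {
        fprintf(stderr, "usage: %s PKGINST\n", argv[0]);
        return 2;
    }
    /* Privilege is raised only here, right before the exec; if it cannot
     * be raised the wrapper stops instead of running pkgadd unprivileged. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid/setgid");
        return 1;
    }
    char *const args[] = { "pkgadd", "-d", SPOOL_DIR, argv[1], NULL };
    execve(PKGADD_PATH, args, clean_env);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```

Install it setuid root and owned by a group containing only the functional operator account, mode 4750, so nobody outside that group can run it at all.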

"Alan Pae" <alanpae at lycos.com>

have you tried sudo or rbac?

---
Sun Country - Hundreds of links and technical articles.
http://alanpae.tripod.com/sitemap.htm
http://resources.solaris-x86.org/sitemap.htm

** RBAC is good... but I still have some legacy Solaris 2.6. Also,
it would add one more security model to my infrastructure. Most of
the native support was provided for Solaris 9... I'll have to look
up Solaris 8 support, but it is still one more security model.

David Foster <foster at ncmir.ucsd.edu>

Did you try sudo? Or perhaps RBAC in Solaris 9.

I wouldn't use Perl for this any longer, as of 5.5.8
Perl no longer supports this, for security reasons.

** Thanks... good thing you mentioned it... I went asking for
help on C instead of Perl, which would have been
my first choice.

"Dell, Mary" <mdell at mesirowfinancial.com>

I use sudo to allow my operators to do a couple of root
functions - I don't know if it works with any fancy auth
methods, but it works great with regular Unix. You can allow
different users to use different apps; you can specify whether
they need to have a password or not, and you can create groups
to give access to. My operators only have root access to one
app, nsrjb, and otherwise they're not able to do root stuff.

** Thanks. Sudo works on about half of my security models. I was
looking for something that could be used in all
my environments. The SUID C program works on all of them... I
wish I could use sudo.

Neezam Haniff <nhaniff at ca.mci.com>

This sounds like a job for sudo. Sudo gives you the ability to
scope out what a particular userid is allowed to run with 'root'
privileges. I think it will give you the granularity you need to
accomplish the task at hand.

Using the said script with sudo should work. Unfortunately, I have
not come across an environment with these particular requirements.
Hopefully this will provide some insight into a possible
solution, though.

** Thanks.

"Baker, Darryl" <Darryl.Baker at gedas.com>

The 2 best solutions are sudo (switch user and do) and RBAC (role
based access control). Both allow non-root users root privileges to
run some defined set of commands. While RBAC comes with Solaris 8 and
9, it is cumbersome to set up. Sudo is available in package form
from Sun Freeware (www.sunfreeware.com) and is widely used on many
platforms.

** Thanks.

Carlos
