RBAC config / x86 Sol 9
2007-12-25 2:20:00
privileges with RBAC. Unfortunately I'm stuck at the first fence, creating
a simple web server administration role.
Here's the config on a fully patched x86 Solaris 9 system...
exec_attr:
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
prof_attr:
Apache Management:::Apache Web Server Management:help=ApacheManagement.html
user_attr:
webadm::::profiles=Apache Management;type=role
zzcos::::type=normal;roles=webadm
passwd:
webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh
I restarted nscd after creating the role.
/export/home/webadm exists and is owned by webadm.
SMC seems happy with the configuration.
But when user zzcos su's into webadm and runs
/usr/local/apache/bin/apachectl it does not run with euid=0 and fails to
start the server (which can be started as root.)
There's nothing in /var/adm/messages.
/var/log/auth shows that the su into webadm worked OK.
roles(1) shows that zzcos has the webadm role.
The man page for su implies that /etc/pam.conf needs su-specific entries
before RBAC will work but the Security Services manual makes no mention of
modifying pam.conf which already has the line...
other account requisite pam_roles.so.1
So, where do I go from here? Do I need the pam.conf entries given in su(1)
or have I made a dumb mistake in the configuration?
Thanks, summary will follow.
--
/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
IBM manuals are neither written by, nor for, humans.
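
A cross-check of the four databases quoted in the post, as an added example that is not part of the original message: it follows the chain from user to role to profile to exec_attr entry and reports any broken link. The function names are illustrative, the entries are copied from the post as sample input, and only exact command paths (no wildcards) are matched.

```python
# Sample input: the entries quoted in the post, embedded so this runs offline.
EXEC_ATTR = "Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2\n"
PROF_ATTR = "Apache Management:::Apache Web Server Management:help=ApacheManagement.html\n"
USER_ATTR = ("webadm::::profiles=Apache Management;type=role\n"
             "zzcos::::type=normal;roles=webadm\n")
PASSWD = "webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh\n"
PROFILE_SHELLS = {"/bin/pfsh", "/bin/pfcsh", "/bin/pfksh"}

def rows(text, nfields):
    """Split a colon-delimited database; skip comments and malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split(":", nfields - 1)
        if not line.startswith("#") and len(parts) == nfields:
            out.append(parts)
    return out

def attrs(field):
    """Parse 'key=value;key=value' into a dict of comma-separated lists."""
    return {k: v.split(",") for k, v in
            (kv.split("=", 1) for kv in field.split(";") if "=" in kv)}

def check(user, command, exec_attr, prof_attr, user_attr, passwd):
    """Return (attributes granted for command, list of linkage problems)."""
    users = {r[0]: attrs(r[4]) for r in rows(user_attr, 5)}
    known = {r[0] for r in rows(prof_attr, 5)}
    shells = {r[0]: r[6] for r in rows(passwd, 7)}
    problems, granted = [], {}
    for role in users.get(user, {}).get("roles", []):
        entry = users.get(role)
        if entry is None or entry.get("type") != ["role"]:
            problems.append(f"{role}: not defined as type=role in user_attr")
            continue
        if shells.get(role) not in PROFILE_SHELLS:
            problems.append(f"{role}: login shell is not a profile shell")
        for prof in entry.get("profiles", []):
            if prof not in known:
                problems.append(f"{prof}: profile missing from prof_attr")
            for r in rows(exec_attr, 7):
                # First exact match wins; wildcard ids are not handled here.
                if not granted and r[0] == prof and r[2] == "cmd" and r[5] == command:
                    granted = attrs(r[6])
    return granted, problems

if __name__ == "__main__":
    print(check("zzcos", "/usr/local/apache/bin/apachectl",
                EXEC_ATTR, PROF_ATTR, USER_ATTR, PASSWD))
```

An empty problem list only means the databases reference each other consistently; it says nothing about how the command behaves once it is started.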

