SUMMARY: RBAC config / x86 Sol 9

From: Geoff Lane <>
Date: Mon Nov 10 2003 - 10:56:33 EST
I wrote a little program to dump out the uid/euid and discovered that RBAC
is working correctly but you have to get the exec_attr record correct for a
given program.

In the case of apachectl you need

Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2

Notice it's uid=0 NOT euid=0 which I was using following the general advice
given by SMC (the egid isn't relevant in this case.) When uid= is used,
apachectl (which is a shell script) works as expected from the role user
name.  When euid= is used, apachectl isn't given sufficient privilege and

I still don't understand why this happens but I'm just happy it works now.

Nobody nailed it, but thanks for the replies.

On Mon, Nov 10, 2003 at 01:01:38PM +0000, Geoff Lane wrote:
> I'm in the process of replacing various ad-hoc methods of granting special
> privileges with RBAC.  Unfortunately I'm stuck at the first fence, creating
> a simple web server administration role.
> Here's the config on a fully patched x86 Solaris 9 system...
> exec_attr:
> Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
> prof_attr:
> Apache Management:::Apache Web Server Management:help=ApacheManagement.html
> user_attr:
> webadm::::profiles=Apache Management;type=role
> zzcos::::type=normal;roles=webadm
> passwd:
> webadm:x:26349:1:Apache Management:/export/home/webadm:/bin/pfsh
> I restarted nscd after creating the role.
> /export/home/webadm exists and is owned by webadm.
> SMC seems happy with the configuration.
> But when user zzcos su's into webadm and runs
> /usr/local/apache/bin/apachectl it does not run with euid=0 and fails to
> start the server (which can be started as root.)
> There's nothing in /var/adm/messages.
> /var/log/auth shows that the su into webadm worked OK.
> roles(1) shows that zzcos has the webadm role.
> The man page for su implies that /etc/pam.conf needs su-specific entries
> before RBAC will work but the Security Services manual makes no mention of
> modifying pam.conf which already has the line...
> other   account requisite
> So, where do I go from here?  Do I need the pam.conf entries given in su(1)
> or have I made a dumb mistake in the configuration?
> Thanks, summary will follow.
> -- 
> /\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\
> IBM manuals are neither written by, nor for, humans.
> _______________________________________________
> sunmanagers mailing list

/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\

McDonalds hamburgers are made from 100% genuine clown meat.
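As an added check for the configuration discussed in this thread (example code, not from the original post or from Solaris itself), the POSIX sh script below scans a file in exec_attr(4) format and reports, for each cmd entry, whether its attribute field sets the real uid with uid= or relies on euid= alone, which is the distinction the summary turned on. The sample data it builds is constructed; on a real host you would point classify_exec_attr at /etc/security/exec_attr instead.

```shell
#!/bin/sh
# Added example, not from the original post or from Solaris: a small audit of
# an exec_attr(4)-format file. It reports each "cmd" entry and whether the
# attribute field sets the real uid (uid=), only the effective uid (euid=),
# or neither, so records like the euid=0 one that failed for apachectl can be
# found before a role user runs into them. POSIX sh only.
#
# exec_attr fields: name:policy:type:res1:res2:id:attr  (7 colon-separated)

# Print "<path> <mode>" for every cmd entry in the file named by $1, where
# mode is "uid" (real uid set), "euid-only" (only euid= present) or "none".
classify_exec_attr() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blank and comment lines
        esac
        type=$(printf '%s\n' "$line" | cut -d: -f3)
        [ "$type" = cmd ] || continue       # only command entries matter here
        path=$(printf '%s\n' "$line" | cut -d: -f6)
        attrs=$(printf '%s\n' "$line" | cut -d: -f7)
        mode=none
        # Wrap in ';' so "uid=" cannot match inside "euid=".
        case ";$attrs;" in
            *';uid='*)  mode=uid ;;
            *';euid='*) mode=euid-only ;;
        esac
        printf '%s %s\n' "$path" "$mode"
    done < "$1"
}

# Number of cmd entries that rely on euid= alone (0 when none, never an error).
count_euid_only() {
    classify_exec_attr "$1" | grep -c ' euid-only$' || true
}

# Constructed sample in exec_attr(4) format (not copied from any system):
# the working apachectl record from the summary, the earlier euid=0 version,
# and a binary granted euid=0 for contrast.
SAMPLE_EXEC_ATTR=$(mktemp)
cat > "$SAMPLE_EXEC_ATTR" <<'EOF'
# constructed sample
Apache Management:suser:cmd:::/usr/local/apache/bin/apachectl:uid=0;egid=2
Apache Management (old):suser:cmd:::/usr/local/apache/bin/apachectl:euid=0;egid=2
Apache Management:suser:cmd:::/usr/bin/kill:euid=0
EOF

classify_exec_attr "$SAMPLE_EXEC_ATTR"
echo "entries relying on euid= only: $(count_euid_only "$SAMPLE_EXEC_ATTR")"
```

An entry flagged euid-only is not automatically wrong; the point is that for a shell-script command such as apachectl the summary found uid= was what actually worked, so those are the records to review first.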
sunmanagers mailing list
Received on Mon Nov 10 11:01:13 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:23 EST