SUMMARY: pkgadd for operators (non-root users)

From: Carlos Sevillano <carlos_sevillano_at_ureach.com>
Date: Sun Nov 07 2004 - 23:04:31 EST
In a nutshell... Sudo is the way to go with maybe RBAC as a
second choice.  However, I can't use sudo because
though it works with eTrust, NIS+, and stand-alone systems ...
it does not work with the older security models
Keon/SMax/and PowerPack...

PowerBroker makes sudo authenticate to the PowerBroker
database and not really to sudo (perhaps my mistake... but I get
it to work on NIS+, stand-alone... but the same configuration failed
on PowerBroker).

A SUID program released via a one-time SafeWord/Desgold password
bound to a functional account that is on a captive
menu is the way to go (in my case).  Zion Huang helped with the
C code to get a basic suid file working.  Again, if I did not
have four or five security models, sudo would be the best choice
with RBAC as a second choice.



Thanks to:
Zion_Huang@concentra.com
David Foster <foster@ncmir.ucsd.edu>
"Alan Pae" <alanpae@lycos.com>
"Dell, Mary" <mdell@mesirowfinancial.com>
Neezam Haniff <nhaniff@ca.mci.com>
"Baker, Darryl" <Darryl.Baker@gedas.com>



Zion_Huang@concentra.com:

> Here is the code:
> 
> #include <sys/types.h>
> #include <unistd.h>     /* setuid, setgid */
> #include <stdlib.h>     /* system, exit */
> #include <stdio.h>
> 
> int main(void)
> {
>     setuid(0);          /* <---- this is the line that is different:
>                            with the binary installed setuid root this
>                            makes the real uid root too, not just the
>                            effective uid */
>     setgid(0);
>     system("/bin/sh");  /* root shell, inheriting the caller's environment */
>     exit(0);
> }
> 
> After compiling this, this is similar to .sudo to get into
super user 
> mode.
> 
> Hope this help.
> 
> 
> Zion

** Thanks, this code works... I am adding traps etc... putting in a
section to have the insecure code and only switch to
secure to run the pkgadd command etc.
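The posted wrapper, setuid(0) followed by system("/bin/sh"), hands the operator an unrestricted root shell that inherits whatever environment (PATH, IFS, ENV) the operator set; the captive menu is then the only control. The narrower form Carlos says he is building, switching to root only to run pkgadd, looks like the following. This is an added example, not Zion's or Carlos's code: it fixes the command line and the environment before touching privilege, validates package names so the operator cannot pass options or paths, and execs pkgadd directly rather than a shell. The paths /usr/sbin/pkgadd and /var/spool/pkg, the group name "operator", and the install mode 4750 are assumptions.

```c
/*
 * pkgadd-wrap.c: setuid-root wrapper that can run only
 * "pkgadd -d /var/spool/pkg <pkginst>..." (added example, not from the
 * thread).  Assumed paths: /usr/sbin/pkgadd and /var/spool/pkg.
 * Assumed install: chown root:operator, chmod 4750.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PKGADD   "/usr/sbin/pkgadd"
#define SPOOLDIR "/var/spool/pkg"
#define MAXPKGS  16

/*
 * Accept only package instance names: an alphanumeric first character,
 * then letters, digits, '.', '_', '-' or '+'.  This rejects options
 * ("-a /tmp/admin", "-R /"), paths ("../../etc") and shell metacharacters,
 * so the operator cannot point pkgadd anywhere but the spool.
 * Returns 1 if the name is acceptable, 0 otherwise.
 */
int valid_pkg_name(const char *s)
{
    size_t i, n = strlen(s);

    if (n == 0 || n > 32)
        return 0;
    for (i = 0; i < n; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && !(i > 0 && (c == '.' || c == '_' || c == '-' || c == '+')))
            return 0;
    }
    return 1;
}

/*
 * Build the fixed argv "pkgadd -d SPOOLDIR pkg..." into out[], NULL
 * terminated.  Returns the argument count, or -1 if no packages were
 * given, a name is bad, or out[] is too small to hold everything.
 */
int build_argv(int npkgs, char *const pkgs[], char *out[], int outcap)
{
    int i, n = 0;

    if (npkgs < 1 || npkgs + 4 > outcap)   /* PKGADD, -d, dir, pkgs, NULL */
        return -1;
    out[n++] = PKGADD;
    out[n++] = "-d";
    out[n++] = SPOOLDIR;
    for (i = 0; i < npkgs; i++) {
        if (!valid_pkg_name(pkgs[i]))
            return -1;
        out[n++] = pkgs[i];
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *av[MAXPKGS + 4];
    /* Fresh environment: nothing from the operator's shell reaches pkgadd. */
    char *const env[] = { "PATH=/usr/sbin:/usr/bin", "IFS= \t\n", NULL };
    int n = build_argv(argc - 1, argv + 1, av, MAXPKGS + 4);

    if (n < 0) {
        fprintf(stderr, "usage: %s pkginst [pkginst ...]  (names only)\n",
                argc > 0 ? argv[0] : "pkgadd-wrap");
        return 2;
    }

    /* Command line and environment are fixed; now make root real (gid first,
     * while the effective uid is still 0), then exec pkgadd, never a shell. */
    umask(022);
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(PKGADD, av, env);
    perror(PKGADD);           /* only reached if execve itself failed */
    return 1;
}
```

Build with cc -o pkgadd-wrap pkgadd-wrap.c, install it root:operator mode 4750, and keep /var/spool/pkg writable by root only: pkgadd runs a package's install scripts as root, so whoever can drop a package into the spool has what the wrapper was meant to withhold.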



"Alan Pae" <alanpae@lycos.com>

have you tried sudo or rbac?

---
Sun Country  - Hundreds of links and technical articles.
http://alanpae.tripod.com/sitemap.htm
http://resources.solaris-x86.org/sitemap.htm

** RBAC is good... but I still have some legacy Solaris 2.6.  Also,
it would add one more security model to my
infrastructure.  Most of the native support was provided for
Solaris 9... I'll have to look up Solaris 8 support,
but it is still one more security model.


David Foster <foster@ncmir.ucsd.edu>

Did you try sudo?  Or perhaps RBAC in Solaris 9.

I wouldn't use Perl for this any longer, as of 5.5.8
Perl no longer supports this, for security reasons.


** Thanks... good thing you mentioned it... I went asking for
help on C instead of Perl, which would have been
my first choice.



"Dell, Mary" <mdell@mesirowfinancial.com>

I use sudo to allow my operators to do a couple of root
functions - I don't know if it works with any fancy auth
methods, but it works great with regular Unix.  You can allow
different users to use different apps; you can
specify whether they need to have a password or not, and you can
create groups to give access to.  My operators
only have root access to one app, nsrjb, and otherwise they're
not able to do root stuff.

** Thanks.  Sudo works on about half of my security models.  I was
looking for something that could be used in all
my environments.  The suid C program works on all of them... I
wish I could use sudo.
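The per-user, per-command granularity Mary describes is done in /etc/sudoers. The fragment below is an added example, not Mary's configuration: it assumes a Unix group "operators" and that root stages packages in /var/spool/pkg. The point is that each entry fixes the complete command line, so the operator can run pkgadd only against the spool and cannot add options such as -a or -R that would make pkgadd read an operator-controlled file as root.

```sudoers
# Added example /etc/sudoers fragment; edit with visudo.
# Assumes group 'operators' and a root-owned spool in /var/spool/pkg.

# Without a package name, pkgadd -d <dir> lists the spooled packages and
# prompts for a selection, so the operator never supplies an argument.
# pkgrm with no arguments likewise prompts from the installed packages.
Cmnd_Alias PKGOPS = /usr/sbin/pkgadd -d /var/spool/pkg, \
                    /usr/sbin/pkgrm, \
                    /usr/bin/pkginfo

# Operators may run exactly these command lines as root, on any host.
%operators ALL = (root) PKGOPS
```

Check the result as the operator with "sudo -l"; a trailing argument ("sudo pkgadd -d /var/spool/pkg -a /tmp/admin") is refused because the arguments must match the entry exactly. As with the SUID wrapper, the spool directory itself has to stay writable by root only.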



Neezam Haniff <nhaniff@ca.mci.com>

	This sounds like a job for sudo. Sudo gives you the ability to
scope out what a particular userid is allowed to run with 'root'
privileges. I think it will give you the granularity you need to
accomplish the task at hand.

Using the said script with sudo should work. Unfortunately, I have
not come across an environment with these particular requirements.
Hopefully this will provide some insight into a possible
solution, though.

** thanks.



"Baker, Darryl" <Darryl.Baker@gedas.com>
The 2 best solutions are sudo (switch user and do) and RBAC (role
based access control). Both allow non-root users root privileges to
run some defined set of commands. While RBAC comes with Solaris 8 and
9 it is cumbersome to set up. Sudo is available in package form
from Sun Freeware (www.sunfreeware.com) and is widely used on many
platforms.

** Thanks.
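For comparison with the sudoers fragment, the same pkgadd-only delegation expressed with Solaris 8/9 RBAC, spread over the three files that make it "cumbersome to set up". This is an added example, not from the thread; the profile name "Package Operator" and the account "opjoe" are assumptions.

```text
# Added example: Solaris RBAC entries giving one account root-privileged
# pkgadd/pkgrm.  Profile name "Package Operator" and user "opjoe" assumed.

# /etc/security/prof_attr  (name:res1:res2:desc:attr) -- declare the profile
Package Operator:::Add and remove packages staged in /var/spool/pkg:

# /etc/security/exec_attr  (name:policy:type:res1:res2:id:attr)
# -- the commands in the profile and the uid they run with
Package Operator:suser:cmd:::/usr/sbin/pkgadd:uid=0
Package Operator:suser:cmd:::/usr/sbin/pkgrm:uid=0

# /etc/user_attr  (user:qualifier:res1:res2:attr) -- assign the profile
opjoe::::type=normal;profiles=Package Operator

# The operator then runs the command through pfexec or a profile shell
# (pfsh/pfksh/pfcsh); a plain shell does not consult exec_attr:
#   $ pfexec /usr/sbin/pkgadd -d /var/spool/pkg
```

Verify with "profiles -l opjoe", which lists the commands and uid each profile grants. One difference from sudo matters here: exec_attr names only the executable, not its arguments, so the operator can run pkgadd -d against any directory. To get the same argument control as the sudoers entry, point the exec_attr line at a wrapper that fixes the arguments rather than at pkgadd itself.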


Carlos



sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Sun Nov 7 23:04:51 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:39 EST