SUMMARY: passwordless su

From: Aleks Feltin <aleks.feltin_at_sunsetwireless.fi>
Date: Thu Apr 17 2008 - 03:39:21 EDT
Hello,

I got many answers. Special thanks to Charles Morris, Ryan A. Krenzis, Brad
Morrison.
There was an idea to use the profile shell to execute the user's shell with the UID and GID
of the user by passing uid, gid parameters in exec_attr.
The profile shell doesn't require the user to provide a password. I faced some
difficulties while implementing it - I didn't find how to execute a certain
shell with pfexec if you have 2 similar commands only differing by uid, gid.
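As an added illustration of the exec_attr approach discussed above (not from the original post), the entries below grant one user two profiles, each running a shell as a different account. Because pfexec matches on the command path, each target identity gets its own wrapper path; the profile names, user names, UIDs/GIDs and wrapper paths are constructed for this example.

```text
# /etc/security/prof_attr  (constructed example entries)
Shell As Bob:::Run an interactive shell as user bob:
Shell As Carol:::Run an interactive shell as user carol:

# /etc/security/exec_attr  (constructed example entries)
# Format: profname:policy:type:res1:res2:id:attr
# 'uid'/'gid' set the real IDs; 'euid'/'egid' would set only the effective IDs.
Shell As Bob:solaris:cmd:::/usr/local/bin/shell-as-bob:uid=1001;gid=100
Shell As Carol:solaris:cmd:::/usr/local/bin/shell-as-carol:uid=1002;gid=100

# /etc/security/../etc/user_attr  (constructed example entry)
# The admin user gets both profiles; order matters when paths overlap.
alice::::profiles=Shell As Bob,Shell As Carol

# /usr/local/bin/shell-as-bob (constructed wrapper, mode 0755, owned by root)
#!/bin/sh
# pfexec has already applied uid=1001/gid=100 before this script runs,
# so the exec'd shell inherits bob's identity.
exec /usr/bin/bash -l

# /usr/local/bin/shell-as-carol (same pattern, mode 0755, owned by root)
#!/bin/sh
exec /usr/bin/bash -l
```

After the entries are in place, alice runs `pfexec /usr/local/bin/shell-as-bob` and gets bob's shell without a password; only users carrying the profile match the entry, so wrapper scripts must be root-owned and not writable by their target accounts.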

Another solution was to use kerberized su (ksu). Again, Kerberos is too
powerful to use just to achieve my goal. In addition, whenever a user principal
assumes the identity of another user principal, he/she can add unwanted entries
to .k5login.

There could be an option to write or port a PAM module from Linux which allows
su to superuser for a certain group, defined in the PAM config. In fact I
didn't find a similar module for Solaris. The OpenSolaris RBAC project raised an
excellent objective to implement arguments for RBAC, however it may take
quite a long time for it to appear in Solaris. At the moment there is no
complete alternative to sudo, because of its ability to take command
arguments, so I have to keep using it.


On 14/04/08 12:34 +0300, aleks.feltin@sunsetwireless.fi wrote:
>Hi Managers,
>
>I am implementing RBAC on Solaris 10. I wonder what the possibilities to run
>passwordless su to assume identities of certain users without providing the
>password are. RBAC has to replace sudo in future, however at the moment, the
>only possibility to use su without password is doing it through sudo. That is
>the biggest obstacle to completely switch to RBAC from sudo.
>
>--
>A
>

--
A

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Apr 17 03:39:58 2008

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:10 EST