RYXI > Solaris > Allowing a group of users to manage a service 6 April 2008 22:34:32

Allowing a group of users to manage a service

Michael Schmarck 6 April 2008 22:34:32
 Hello.

I'd like to allow a group of users to manage (ie. disable, enable, ...)
a service, WITHOUT having to use sudo. That's supposed to be on a
Solaris 10 U4 system.

To allow one (or many individual) user(s) to do the management, I followed
http://learningsolaris.com/archives/2005/04/25/smf_and_rbac/, ie.
I did:

# usermod -A solaris.smf.manage.nfs/server bob
# svccfg -s nfs/server setprop general/action_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svccfg -s nfs/server setprop general/value_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svcadm refresh nfs/server

After that, "bob" was able to do "/usr/sbin/svcadm disable nfs/server".

But now I'd like to have a group, let's call it "nfsadmins", that
should be able to do this.

How would I do this? I cannot do

# usermod -A solaris.smf.manage.nfs/server nfsadmins

as there's no such user.

Thanks a lot,

Michael
Chris Mattern 1 April 2008 21:03:49
 On 2008-04-01, Michael Schmarck <usenet-michael@schmarck.cn> wrote:
Hello.
I'd like to allow a group of users to manage (ie. disable, enable, ...)
a service, WITHOUT having to use sudo. That's supposed to be on a
Solaris 10 U4 system.
To allow one (or many individual) user(s) to do the management, I followed
I did:
# usermod -A solaris.smf.manage.nfs/server bob
# svccfg -s nfs/server setprop general/action_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svccfg -s nfs/server setprop general/value_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svcadm refresh nfs/server
After that, "bob" was able to do "/usr/sbin/svcadm disable nfs/server".
But now I'd like to have a group, let's call it "nfsadmins", that
should be able to do this.
How would I do this? I cannot do
# usermod -A solaris.smf.manage.nfs/server nfsadmins
as there's no such user.
Obviously, this should be part of groupmod, except that it isn't. That
sucks.

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
Michael Vilain 1 April 2008 21:46:38
 In article <1385912.HgAgHZWx1O@schmarck.cn>,
Michael Schmarck <usenet-michael@schmarck.cn> wrote:

Hello.
I'd like to allow a group of users to manage (ie. disable, enable, ...)
a service, WITHOUT having to use sudo. That's supposed to be on a
Solaris 10 U4 system.
To allow one (or many individual) user(s) to do the management, I followed
I did:
# usermod -A solaris.smf.manage.nfs/server bob
# svccfg -s nfs/server setprop general/action_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svccfg -s nfs/server setprop general/value_authorization=astring: \
'solaris.smf.manage.nfs/server'
# svcadm refresh nfs/server
After that, "bob" was able to do "/usr/sbin/svcadm disable nfs/server".
But now I'd like to have a group, let's call it "nfsadmins", that
should be able to do this.
How would I do this? I cannot do
# usermod -A solaris.smf.manage.nfs/server nfsadmins
as there's no such user.
Thanks a lot,
Michael

If Roles won't do this, you're stuck using sudo or rethinking your
approach. Your call...

--
DeeDee, don't press that button! DeeDee! NO! Dee...



Michael Schmarck 1 April 2008 22:09:18
 · Chris Mattern <syscjm@sumire.gwu.edu>:

Obviously, this should be part of groupmod, except that it isn't. That
sucks.

"LOL" - sort of...

Okay, groupmod doesn't do that. Can this somehow be done manually?
Would it work, if, I don't know, I'd add something like

%groupname::::auths=solaris.*,solaris.grant;profiles=All;type=normal

to /etc/user_attr?

Reading user_attr(4), I wouldn't think so :(

There's no "hidden" /etc/group_attr, is there?

Michael Schmarck
--
At no time is freedom of speech more precious than when a man hits his
thumb with a hammer.
-- Marshall Lumsden
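Since groupmod carries no authorization option, the assignments end up per user, and the practical check is whether every member of the group actually received the authorization. The following audit helper is an added example, not code from the thread: it parses user_attr(4)-format lines (user:qualifier:res1:res2:attr) and a group(4) line, honours the trailing ".*" wildcard in authorization names, and lists the members of a group whose entry does not cover a given SMF authorization. The users, the group and the file contents are constructed sample data.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Input is constructed sample data in
# user_attr(4) format (user:qualifier:res1:res2:attr) and one group(4) line.
USER_ATTR='root::::auths=solaris.*,solaris.grant;profiles=All
bob::::type=normal;auths=solaris.smf.manage.nfs/server
alice::::type=normal;auths=solaris.smf.manage.*
carol::::type=normal;profiles=Basic Solaris User
dave::::type=normal;auths=solaris.smf.manage.nfs/client'
GROUP_LINE='nfsadmins::1001:bob,alice,carol,dave'

# auth_matches GRANTED WANTED: true if GRANTED is WANTED itself or a trailing
# ".*" wildcard whose prefix covers WANTED (solaris.smf.manage.* covers
# solaris.smf.manage.nfs/server).
auth_matches() {
    if [ "$1" = "$2" ]; then return 0; fi
    case "$1" in
        *.\*) prefix=${1%\*}
              case "$2" in "$prefix"*) return 0 ;; esac ;;
    esac
    return 1
}

# user_has_auth USER AUTH: prints yes or no from USER's auths= key in USER_ATTR.
user_has_auth() {
    found=$(printf '%s\n' "$USER_ATTR" \
        | awk -F: -v u="$1" '$1 == u { print $5 }' \
        | tr ';' '\n' | sed -n 's/^auths=//p' | tr ',' '\n' \
        | while read -r granted; do
              if auth_matches "$granted" "$2"; then echo yes; fi
          done)
    case "$found" in *yes*) echo yes ;; *) echo no ;; esac
}

# group_members_lacking_auth GROUP AUTH: one line per member of GROUP whose
# user_attr entry does not cover AUTH; no output means every member is covered.
group_members_lacking_auth() {
    printf '%s\n' "$GROUP_LINE" \
        | awk -F: -v g="$1" '$1 == g { print $4 }' | tr ',' '\n' \
        | while read -r member; do
              if [ -n "$member" ] && [ "$(user_has_auth "$member" "$2")" = no ]; then
                  echo "$member"
              fi
          done
}

# Example run: who in nfsadmins cannot yet manage nfs/server?
group_members_lacking_auth nfsadmins solaris.smf.manage.nfs/server
```

On a real system the two variables would be replaced by reading /etc/user_attr and /etc/group (or the name service), and the list printed is exactly the set of accounts still needing the usermod -A step.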

Michael Schmarck 2 April 2008 09:42:10
 Michael Vilain <vilain@NOspamcop.net> wrote:

If Roles won't do this, you're stuck using sudo or rethinking your
approach. Your call...

Thanks for your reply. Maybe my approach isn't good. Let me tell,
what I'd like to be able to do.

On a development box, I've got developers doing their thing. This
includes building an application and "deploying" it, as they call
it. To do this, a service needs to be restarted. The service is
managed by SMF.

All these developers are in a Unix group called tcalpha. How would
I now go about allowing anyone, who's a member of "tcalpha", to
disable/enable/restart/mark the service called "tcalpha"? With sudo,
I'd know how to do this. I'd rather not allow every single user
to do this, but I'd rather make this permission dependent on the
group membership status.

How to do that in the "Solaris 10 way" (ie. with only Solaris 10
tools and esp. without sudo)?

Thanks,

Michael
Wolfgang 3 April 2008 02:24:48
 Michael Schmarck wrote:
Michael Vilain <vilain@NOspamcop.net> wrote:
If Roles won't do this, you're stuck using sudo or rethinking your
approach. Your call...
Thanks for your reply. Maybe my approach isn't good. Let me tell,
what I'd like to be able to do.
On a development box, I've got developers doing their thing. This
includes building an application and "deploying" it, as they call
it. To do this, a service needs to be restarted. The service is
managed by SMF.
All these developers are in a Unix group called tcalpha. How would
I now go about allowing anyone, who's a member of "tcalpha", to
disable/enable/restart/mark the service called "tcalpha"? With sudo,
I'd know how to do this. I'd rather not allow every single user
to do this, but I'd rather make this permission dependent on the
group membership status.
How to do that in the "Solaris 10 way" (ie. with only Solaris 10
tools and esp. without sudo)?
Thanks,
Michael

Very simple, I assume (not tested ;-):

Write a short wrapper script, make it suid root (or the user you want) and
give execute permission to the group. You can also use ACLs instead of
group permissions to give execute rights.

I am not sure if suid can be achieved by ACL; I don't think so.

Wolfgang
Darren Dunham 3 April 2008 20:04:19
 Michael Schmarck <usenet-michael@schmarck.cn> wrote:
As expected - it does not work; at least not with bash.
--($:~/tmp)-- cat suid-script.sh
#! /bin/sh
touch /tmp/touch.suid

/bin/sh is not bash on Solaris. But that's not your problem.

See the '-p' option. SUID scripts are possible, but discouraged due to
the possibility of exploiting them. Binary files are preferred.

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
Wolfgang 4 April 2008 02:17:32
 Michael Schmarck wrote:
Michael Schmarck <usenet-michael@schmarck.cn> wrote:
Wolfgang <wtrappe@AT.web.de> wrote:
write a short wrapper script, make it suid root (or user you want) and
give execute permission to the group.
Does that actually work on Solaris? On Linux, suid scripts don't
work - ie. they lose the "suid" part.
As expected - it does not work; at least not with bash.
--($:~/tmp)-- cat suid-script.sh
#! /bin/sh
touch /tmp/touch.suid
--($:~/tmp)-- ls -la suid-script.sh
-rwsrwxrwx 1 root dba 34 Apr 3 06:56 suid-script.sh
--($:~/tmp)-- ./suid-script.sh
--($:~/tmp)--
--($:~/tmp)-- ls -la /tmp/touch.suid
-rw-r--r-- 1 mike staff 0 Apr 3 06:57 /tmp/touch.suid
If the suid part would've worked, the file /tmp/touch.suid would be
owned by root, wouldn't it?
Michael

I have no Solaris at hand, but besides the -p option for sh maybe this works:
#!/bin/sh
su - root -c "touch /tmp/touch.suid"

Don't forget to delete the file between touches...
Michael Schmarck 5 April 2008 22:38:20
 · Wolfgang <wtrappe@AT.web.de>:

Michael Schmarck wrote:
Michael Schmarck <usenet-michael@schmarck.cn> wrote:
Wolfgang <wtrappe@AT.web.de> wrote:
write a short wrapper script, make it suid root (or user you want) and
give execute permission to the group.
Does that actually work on Solaris? On Linux, suid scripts don't
work - ie. they lose the "suid" part.
As expected - it does not work; at least not with bash.
--($:~/tmp)-- cat suid-script.sh
#! /bin/sh
touch /tmp/touch.suid
--($:~/tmp)-- ls -la suid-script.sh
-rwsrwxrwx 1 root dba 34 Apr 3 06:56 suid-script.sh
--($:~/tmp)-- ./suid-script.sh
--($:~/tmp)--
--($:~/tmp)-- ls -la /tmp/touch.suid
-rw-r--r-- 1 mike staff 0 Apr 3 06:57 /tmp/touch.suid
If the suid part would've worked, the file /tmp/touch.suid would be
owned by root, wouldn't it?
Michael
I have no Solaris at hand, but besides the -p option for sh maybe this works:
#!/bin/sh
su - root -c "touch /tmp/touch.suid"

Why should I be using su? I don't really want to create a file
owned by root by using touch. That was just a test (suggested
by you, Wolfgang).

Michael Schmarck
--
You look like a million dollars. All green and wrinkled.

Wolfgang 6 April 2008 01:02:07
 Michael Schmarck wrote:
· Wolfgang <wtrappe@AT.web.de>:
Michael Schmarck wrote:
Michael Schmarck <usenet-michael@schmarck.cn> wrote:
Wolfgang <wtrappe@AT.web.de> wrote:
write a short wrapper script, make it suid root (or user you want) and
give execute permission to the group.
Does that actually work on Solaris? On Linux, suid scripts don't
work - ie. they lose the "suid" part.
As expected - it does not work; at least not with bash.
--($:~/tmp)-- cat suid-script.sh
#! /bin/sh
touch /tmp/touch.suid
--($:~/tmp)-- ls -la suid-script.sh
-rwsrwxrwx 1 root dba 34 Apr 3 06:56 suid-script.sh
--($:~/tmp)-- ./suid-script.sh
--($:~/tmp)--
--($:~/tmp)-- ls -la /tmp/touch.suid
-rw-r--r-- 1 mike staff 0 Apr 3 06:57 /tmp/touch.suid
If the suid part would've worked, the file /tmp/touch.suid would be
owned by root, wouldn't it?
Michael
I have no Solaris at hand, but besides the -p option for sh maybe this works:
#!/bin/sh
su - root -c "touch /tmp/touch.suid"
Why should I be using su? I don't really want to create a file
owned by root by using touch. That was just a test (suggested
by you, Wolfgang).
Michael Schmarck

I thought that an exec of a suid file maybe sets the euid and uid other
than su does ... just an idea.
Michael Schmarck 6 April 2008 22:34:32
 · Wolfgang <wtrappe@AT.web.de>:
Michael Schmarck wrote:
· Wolfgang <wtrappe@AT.web.de>:

I have no Solaris at hand, but besides the -p option for sh maybe this works:
#!/bin/sh
su - root -c "touch /tmp/touch.suid"
Why should I be using su? I don't really want to create a file
owned by root by using touch. That was just a test (suggested
by you, Wolfgang).
Michael Schmarck
I thought that an exec of a suid file maybe sets the euid and uid other
than su does ... just an idea.

I did:

--($:~)-- su - root -c "touch /tmp/touch.su"
Passwort:

--($:~)-- echo '#!/bin/sh
--- su - root -c "touch /tmp/touch.su.script"
--- ' > touch.script.sh
--($:~)-- chmod +x touch.script.sh

--($:~)-- ./touch.script.sh
Passwort:

--($:~)-- ls -la /tmp/touch.su*
-rw-r--r-- 1 root root 0 Apr 6 20:31 /tmp/touch.su
-rw-r--r-- 1 root root 0 Apr 6 20:32 /tmp/touch.su.script

Just like expected, isn't it?

Michael Schmarck
--
The only difference between a rut and a grave is their dimensions.
