Applications and scripts execute one command or a series of commands. To assign rights, you set the security attributes, such as set IDs or privileges, for each command in a rights profile. Applications can check for authorizations, if appropriate.
Run a script that needs rights – How to Run a Shell Script With Privileged Commands
Enable privilege-aware applications to be run by non-root users – Example 4–1
Enable root-owned applications to be run by non-root users – Example 4–2
Check for authorizations in a script – Example 4–3
To run a privileged shell script, you add privileges to the script and to the commands in the script. Then, the appropriate rights profile must contain the commands with privileges assigned to them.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
#!/bin/pfsh
# Copyright (c) 2013 by Oracle
Run the script with no privileges; the -D (debug) option of the ppriv command then lists the privileges that the commands in the script are missing.
% ppriv -eD script-full-path
For more information, see How to Determine Which Privileges a Program Requires.
Add the shell script, and the commands in the shell script, with their required security attributes to the rights profile. See How to Create a Rights Profile.
For examples, see Assigning Rights to Users.
% pfexec script-full-path
% su - rolename
Password: xxxxxxxx
# script-full-path
Because a legacy application is not privilege-aware, the administrator assigns the euid=0 security attribute to the application executable in a rights profile. Then, the administrator assigns it to a trusted user.
# profiles -p LegacyApp
profiles:LegacyApp> set desc="Legacy application"
profiles:LegacyApp> add cmd=/opt/legacy-app/bin/legacy-cmd
profiles:LegacyApp:legacy-cmd> set euid=0
profiles:LegacyApp:legacy-cmd> end
profiles:LegacyApp> exit
# profiles -p LegacyApp 'select cmd=/opt/legacy-app/bin/legacy-cmd;info;end'
id=/opt/legacy-app/bin/legacy-cmd
euid=0
# usermod -K profiles+="Legacy application" jdoe
Example 4–2 Running an Application With Assigned Rights
In this example, the administrator assigns the rights profile from Example 5–7 to a trusted user. The user must provide a password when executing the script.
# usermod -K auth_profiles+="Site application" jdoe
Example 4–3 Checking for Authorizations in a Script or Program
To check for authorizations, write a test that is based on the auths command. For detailed information about this command, see the auths(1) man page.
For example, the following line tests whether the user has the authorization that is supplied as the $1 argument:
if [ `/usr/bin/auths | /usr/xpg4/bin/grep "$1"` ]; then
    echo Auth granted
else
    echo Auth denied
fi
A more complete test includes logic that checks for the use of wildcards. For example, to test whether the user has the solaris.system.date authorization, you would need to check for the following strings:
solaris.system.date
solaris.system.*
solaris.*
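The wildcard walk described above, written out as an added example that is not from the Oracle guide: a POSIX sh function that checks an authorization name against a comma-separated (or newline-separated) authorization list, trying the exact name first and then each wildcard ancestor. The function takes the list as its second argument so it can run and be tested with a constructed list on any system; on Solaris you would pass the output of /usr/bin/auths. The function name has_auth and the sample list are assumptions of this example, not identifiers from the page.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide.
# has_auth WANTED GRANTED-LIST
#   Returns 0 if WANTED is covered by GRANTED-LIST, 1 otherwise.
#   GRANTED-LIST is the comma-separated list that auths(1) prints;
#   newline-separated input is accepted as well.
has_auth() {
    wanted=$1
    # Normalise newlines to commas so one match rule covers both layouts.
    granted=$(printf '%s' "$2" | tr '\n' ',')
    candidate=$wanted
    while :; do
        # Match exactly one comma-delimited field. Because the pattern is
        # quoted, 'solaris.system.date' does not match 'solaris.system.dates'
        # and a literal '*' in the candidate is not treated as a glob.
        case ",$granted," in
            *",$candidate,"*) return 0 ;;
        esac
        # Drop a trailing wildcard (if present), then replace the last
        # component with '*':
        #   solaris.system.date -> solaris.system.* -> solaris.*
        base=${candidate%.\*}
        case $base in
            *.*) candidate="${base%.*}.*" ;;
            *)   return 1 ;;   # top level reached, nothing matched
        esac
    done
}

# Stand-alone demonstration with a constructed list (no Solaris needed).
# On Solaris, replace CONSTRUCTED_AUTHS with "$(/usr/bin/auths)".
CONSTRUCTED_AUTHS="solaris.device.cdrw,solaris.system.*"
if has_auth solaris.system.date "$CONSTRUCTED_AUTHS"; then
    echo "Auth granted"
else
    echo "Auth denied"
fi
```

Matching on whole comma-delimited fields is the point of the case pattern: the grep-based test earlier on the page treats the authorization name as a regular expression and matches substrings, so a longer name with the same prefix would pass; the field match also covers the three strings listed above without a separate grep per wildcard level.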
If you are writing a program, use the function getauthattr() to test for the authorization.