test

System Administration Guide: Security Services

ProcedureHow to Determine the Privileged Commands That You Can Run

When a user is not directly assigned privileges, then the user gets access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell.

Before You Begin

The user or role who authenticates to the Solaris Management Console must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.

  1. Determine the rights profiles that you have been assigned.


    $ /usr/sadm/bin/smuser list -- -n username -l


    Authenticating as user: admin
… Please enter a string value for: password :: 
…
User name:      username
User ID (UID):  130
Primary group:  staff
Secondary groups: 
Comment: object mgt jobs
Login Shell: /bin/sh
Home dir server: system
Home directory: /export/home/username
AutoHome setup: True
Mail server: system
Rights: Object Access Management
Assigned Roles:

  2. Locate the line that begins with “Rights:”.

    The “Rights” line lists the names of the rights profiles that have been directly assigned to you.

  3. Find the names of the rights profiles in the exec_attr database.


    $ cd /etc/security
$ grep "Object Access Management" exec_attr 
Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown
Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown
Object Access Management:suser:cmd:::/usr/bin/chgrp:euid=0
Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0
…

    The commands with added privileges are listed at the end of solaris policy entries.

  4. Type the commands that require privileges in a profile shell.

    When the commands are typed in a regular shell, the commands do not run with privilege, and do not succeed.


    % pfsh
$
Example 11–11 Running Privileged Commands in a Profile Shell

In the following example, the user jdoe cannot change the group permissions on a file from his regular shell. However, jdoe can change the permissions when typing the command in a profile shell.


% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 nodoe eng 262 Apr 2 10:52 useful.script
chgrp staff useful.script
chgrp: useful.script: Not owner
% pfksh
$ /usr/ucb/whoami
jdoe
$ chgrp staff useful.script
$ chown jdoe useful.script
$ ls -l useful.script
-rwxr-xr-- 1 jdoe staff 262 Apr 2 10:53 useful.script