RBAC Implementaion

vishnu.khandare — Fri, 13 Apr 2012 08:49:58 GMT

Hi Friends,

I m facing n issues while implementing the RBAC, pls find belwo error.

$ privrun /usr/sbin/useradd new_user
privrun: authorization check failed

Is there any permission issue, do we need to provide the rbac dir.

Pls help to resolve

Regards

Vishnu

Re: RBAC Implementaion

Doug_Lamoureux — Thu, 26 Apr 2012 16:29:18 GMT

Does the user you are running the command as have the correct authorization?

1st check what roles the user has:

# roleadm list user=foo
foo:userAdmins

Then check what authorizations those roles have:

# authadm list role=userAdmins
userAdmins: (hpux.user.add, *)

To run the useradd command (via privrun) the user must have the hpux.user.add authorization AND you must uncomment the useradd entry in the /etc/rbac/cmd_priv file:

# grep useradd /etc/rbac/cmd_priv
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :

The reason that this is commented out is because if you allow a user to run useradd they can create a user with a uidnumber of 0 and they now have a root account on the system.

In the cmd_priv file:

# The following entries are known to be equivalent to granting
# unconstrained root. Specifically, the commands may be used
# to obtain an account with uid=0.
#
#/usr/sbin/useradd :dflt :(hpux.user.add,*)
:0/0// :dflt :dflt :dflt :

....

Re: RBAC Implementaion

vishnu.khandare — Wed, 16 May 2012 09:07:28 GMT

use correct path thats sbin instead of bin, Problem resolved.

topic Re: RBAC Implementaion in Operating System - HP-UX

RBAC Implementaion

Re: RBAC Implementaion

Re: RBAC Implementaion