
RBAC Implementation


Hi Friends,

 

I am facing issues while implementing RBAC; please find the error below.

 

$ privrun /usr/sbin/useradd new_user
privrun: authorization check failed

 

Is there any permission issue? Do we need to provide the RBAC dir?

 

Please help to resolve.

 

Regards

Vishnu

 

 

You should deserve before U desire!!!!
2 REPLIES

Re: RBAC Implementation

Does the user you are running the command as have the correct authorization?

 

1st check what roles the user has:

 

# roleadm list user=foo
foo:userAdmins

 

Then check what authorizations those roles have:

 

# authadm list role=userAdmins
userAdmins: (hpux.user.add, *)

 

To run the useradd command (via privrun), the user must have the hpux.user.add authorization AND you must uncomment the useradd entry in the /etc/rbac/cmd_priv file:

 

# grep useradd /etc/rbac/cmd_priv
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :

 

The reason that this is commented out is because if you allow a user to run useradd, they can create a user with a uidnumber of 0, and they now have a root account on the system.

 

In the cmd_priv file:

 

# The following entries are known to be equivalent to granting
# unconstrained root. Specifically, the commands may be used
# to obtain an account with uid=0.
#
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :

....
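
The checks from the reply above (the authorizations held by the user's roles, a cmd_priv entry for the exact command path, and whether that entry is commented out), combined into one diagnostic as an added example that is not part of the original thread or of the HP-UX RBAC tools. The `diagnose` function and the sample files are constructed for illustration, and authorization matching here is exact-string only, a simplification made by this example.

```shell
#!/bin/sh
# diagnose CMD_PRIV_FILE COMMAND_PATH AUTH_FILE
# AUTH_FILE holds "role: (operation, object)" lines as printed by authadm list.
# Prints one of: no-entry | commented-out | missing-auth | ok
diagnose() {
    awk -v cmd="$2" -v authfile="$3" '
        # "(hpux.user.add, *)" and "(hpux.user.add,*)" both become "hpux.user.add,*"
        function norm(s) { gsub(/[ \t()]/, "", s); return s }
        BEGIN {
            while ((getline l < authfile) > 0) {
                sub(/^[^:]*:/, "", l)            # drop the role name
                if (norm(l) != "") have[norm(l)] = 1
            }
        }
        {
            line = $0
            commented = (line ~ /^#/)
            sub(/^#[ \t]*/, "", line)
            n = split(line, f, ":")
            path = f[1]; gsub(/[ \t]/, "", path)
            if (n < 3 || path != cmd) next       # prose comment or another command
            if (commented) { if (state == "") state = "commented-out"; next }
            state = (norm(f[3]) in have) ? "ok" : "missing-auth"
            if (state == "ok") exit              # exit still runs the END rule
        }
        END { print (state == "" ? "no-entry" : state) }
    ' "$1"
}

# Constructed sample data, modelled on the lines quoted in the thread.
tmp=${TMPDIR:-/tmp}/rbacdemo.$$
mkdir -p "$tmp"
printf '%s\n' 'userAdmins: (hpux.user.add, *)' > "$tmp/auths"
: > "$tmp/noauths"                               # a user whose roles grant nothing
printf '%s\n' \
  '# The following entries are known to be equivalent to granting' \
  '# unconstrained root.' \
  '#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :' \
  > "$tmp/cmd_priv.shipped"
sed 's|^#/usr/sbin/useradd|/usr/sbin/useradd|' "$tmp/cmd_priv.shipped" \
  > "$tmp/cmd_priv.enabled"

diagnose "$tmp/cmd_priv.shipped" /usr/sbin/useradd "$tmp/auths"    # commented-out
diagnose "$tmp/cmd_priv.enabled" /usr/sbin/useradd "$tmp/auths"    # ok
diagnose "$tmp/cmd_priv.enabled" /usr/sbin/useradd "$tmp/noauths"  # missing-auth
diagnose "$tmp/cmd_priv.enabled" /usr/bin/useradd  "$tmp/auths"    # no-entry
```

A `no-entry` result for a path that differs from the one listed in cmd_priv is worth checking first, since the lookup is by the exact path.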

 

 


Re: RBAC Implementation

Use the correct path, that's sbin instead of bin. Problem resolved.

You should deserve before U desire!!!!