One of the nice features of Sun Java Enterprise Webserver 7 is that you can have it create an SMF service for each webserver configuration. Using this in conjunction with RBAC authorizations means you can give individual users the right to restart just the webserver instances you choose.
For example, at one customer site there is a Java developer who needs to be able to restart a webserver instance after he updates his application. Giving him the root password is not an option; that would give way too much administrative control to somebody who is not a Unix admin. I could install sudo and let him run the svcadm command as root, but I don’t really want to allow him to have control over all the SMF services. The same is true with RBAC; I could give him the solaris.smf.manage authorization, which would allow him to have a limited amount of svcadm control, but it would still be for all services.
The following procedure creates and grants the RBAC authorization to control just a single service. This example is for a webserver SMF service named svc:/network/http:https-test-webserver, which corresponds to a Sun Java Enterprise Webserver 7 configuration named test-webserver.
The amount of control this procedure gives a user is still a bit more than I would prefer. It allows the user to restart, refresh, clear or put a service into maintenance mode. I would prefer to just allow the user to restart the service, but it’s better than any of my other options. Certainly much better than handing out the root password.
# svcs http:https-test-webserver
STATE STIME FMRI
online 14:21:51 svc:/network/http:https-test-webserver
# svccfg
svc:> select http:https-test-webserver
svc:/network/http:https-test-webserver> setprop \
general/action_authorization=astring:"solaris.smf.manage.https-test-webserver"
svc:/network/http:https-test-webserver> exit
# svcadm refresh http:https-test-webserver
# echo "solaris.smf.manage.https-test-webserver:::Manage Test Webserver::" >> /etc/security/auth_attr
# usermod -A solaris.smf.manage.https-test-webserver user1
Now user1 can log in and perform certain levels of management on this webserver instance. User1 can’t do everything to this service and has no control over any other services.
$ id
uid=100(user1) gid=10(staff)
$ svcs http:https-test-webserver
STATE STIME FMRI
online 14:23:56 svc:/network/http:https-test-webserver
$ svcadm restart http:https-test-webserver
$ svcs http:https-test-webserver
STATE STIME FMRI
online 14:27:53 svc:/network/http:https-test-webserver
Notice that the STIME has changed in the outputs of svcs for this service. This shows that the service has indeed been restarted.
The next two examples illustrate that the user is not able to disable the service and has no control over other SMF services.
$ /usr/sbin/svcadm disable http:https-test-webserver
svcadm: svc:/network/http:https-test-webserver: Permission denied.
$ /usr/sbin/svcadm restart ssh
svcadm: svc:/network/ssh:default: Permission denied.
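The per-service scope only holds if the account does not also carry a broader SMF authorization through user_attr or a profile. The following check is an added example, not part of the original post: it takes a comma-separated list in the form that `auths user1` prints and flags any entry that grants solaris.smf.manage, using the exact-or-trailing-wildcard matching described in chkauthattr(3SECDB). The function names and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an authorization list for SMF rights that are
# broader than a single per-service authorization.

# auth_covers HELD WANTED: succeed if HELD grants WANTED, either by exact
# match or because HELD ends in "*" and its prefix matches WANTED.
auth_covers() {
    held=$1 wanted=$2
    [ "$held" = "$wanted" ] && return 0
    case $held in
        *'*')
            prefix=${held%'*'}
            case $wanted in
                "$prefix"*) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# smf_scope_report AUTHS SERVICE_AUTH
# Prints "BROAD <auth>" for every entry that grants solaris.smf.manage
# (svcadm control over all services) and "OK <auth>" for the expected
# per-service authorization. Returns 0 only if SERVICE_AUTH is held and
# no broad entry is present.
smf_scope_report() {
    list=$1 service_auth=$2
    have_service=no broad=no
    set -f                  # keep entries such as "solaris.*" from globbing
    old_ifs=$IFS; IFS=,
    for a in $list; do
        a=$(printf '%s' "$a" | tr -d '[:space:]')
        [ -n "$a" ] || continue
        if auth_covers "$a" solaris.smf.manage; then
            echo "BROAD $a"; broad=yes
        elif [ "$a" = "$service_auth" ]; then
            echo "OK $a"; have_service=yes
        fi
    done
    IFS=$old_ifs; set +f
    [ "$have_service" = yes ] && [ "$broad" = no ]
}

# Constructed sample list, not output captured from a real system.
SAMPLE='solaris.device.cdrw,solaris.smf.manage.https-test-webserver,solaris.smf.*'
SVC_AUTH='solaris.smf.manage.https-test-webserver'
smf_scope_report "$SAMPLE" "$SVC_AUTH" || echo "scope is wider than $SVC_AUTH"
```

On the Solaris host the first argument would be the output of `auths user1`.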