For example, at one customer site there is a Java developer that needs to be able to restart a webserver instance after he updates his application.  Giving him the root password is not an option, that would give way too much administrative control to somebody who is not a Unix admin.  I could install sudo and let him run the svcadm command as root, but I don’t really want to allow him to be able to have control over all the SMF services.  The same is true with RBAC; I could give him the solaris.smf.manage authorization, which would allow him to have a limited amount of svcadm control, but it would still be for all services.

The following procedure creates and grants the RBAC authorization to control just a single service.  This example is for a webserver SMF service named svc:/network/http:https-test-webserver, which corresponds to a Sun Java Enterprise Webserver 7 configuration named test-webserver.

The amount of control this procedure gives a user is still a bit more than I would prefer.  It allows the user to restart, refresh, clear or put a service into maintenance mode.  I would prefer to just allow the user to restart the service, but it’s better than any of my other options.  Certainly much better than handing out the root password.

# svcs http:https-test-webserver
STATE          STIME    FMRI
online         14:21:51 svc:/network/http:https-test-webserver

# svccfg
svc:> select http:https-test-webserver
svc:/network/http:https-test-webserver> setprop \
general/action_authorization=astring:”solaris.smf.manage.https-test-webserver”
svc:/network/http:https-test-webserver> exit

# svcadm refresh http:https-test-webserver

# echo “solaris.smf.manage.https-test-webserver:::Manage Test Webserver::” >> /etc/security/auth_attr

# usermod -A solaris.smf.manage.https-test-webserver user1

Now user1 can log in and perform certain levels of management on this webserver instance.  User1 can’t do everything to this service and has no control over any other services.

$ id
uid=100(user1) gid=10(staff)

$ svcs http:https-test-webserver
STATE          STIME    FMRI
online         14:23:56 svc:/network/http:https-test-webserver

$ svcadm restart http:https-test-webserver

$ svcs http:https-test-webserver
STATE          STIME    FMRI
online         14:27:53 svc:/network/http:https-test-webserver

Notice that the STIME has changed in the outputs of svcs for this service.  This shows that the service has indeed been restarted.

The next two examples illustrate that the user is not able to disable the service and has no control over other SMF services.

$ /usr/sbin/svcadm disable http:https-test-webserver
svcadm: svc:/network/http:https-test-webserver: Permission denied.

$ /usr/sbin/svcadm restart ssh
svcadm: svc:/network/ssh:default: Permission denied.

ABOUT US
Seeds of Genius, Inc. offers a full range of IT solutions including hardware and software products in addition to consulting, installation and support services. For more information, please visit our main web site at http://www.seedsofgenius.com or contact our Technical Sales department at (410) 312-9806.