1. Ensure that /etc/pam.conf has an explicit passwd stanza, so the passwd command does not fall through to the other stanza
$ cat /etc/pam.conf | grep passwd
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
2. Modify the functional account
- Assign the "User Security" role so the functional account can reset other users' passwords
- Assign the file_dac_read privilege so the functional account can read the /etc/shadow file to check passwords
- Change the user's default shell to /usr/bin/pfsh
Below is an example (where funcacct is the local functional account)
# usermod -P "User Security" -s /usr/bin/pfsh -K defaultpriv=basic,file_dac_read funcacct
As the user's shell is set to the profile shell (/usr/bin/pfsh), no delegation prefix needs to be set in TPAM. If you wish to use a standard shell instead, set the delegation prefix to pfexec in TPAM.
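The two steps above each leave a verifiable state on the host: an uncommented passwd auth line in /etc/pam.conf, and a user_attr entry carrying the "User Security" profile and the file_dac_read default privilege, with /usr/bin/pfsh as the login shell. The following added example (not from the One Identity article) checks those post-conditions against constructed sample copies of pam.conf, user_attr and passwd, so it can be run before handing the account to TPAM. It assumes the standard Solaris user_attr layout (user:qualifier:res1:res2:attr, with ';'-separated key=value attributes); the file paths and the funcacct entries are constructed samples.

```shell
#!/bin/sh
# Added verification script (not part of the original article).
# Assumes Solaris /etc/user_attr format: user:qual:res1:res2:attr,
# where attr is a ';'-separated list of key=value pairs.

# Returns 0 if FILE has an uncommented "passwd auth" stanza, 1 otherwise.
pam_has_passwd_auth() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "passwd" && $2 == "auth" { found = 1 } END { exit found ? 0 : 1 }'
}

# Returns 0 if USER's user_attr entry lists the "User Security" profile
# and the file_dac_read default privilege, 1 otherwise.
user_attr_ok() {
    user=$1; file=$2
    attrs=$(awk -F: -v u="$user" '$1 == u { print $5 }' "$file")
    [ -n "$attrs" ] || return 1
    profiles=$(printf '%s\n' "$attrs" | tr ';' '\n' | sed -n 's/^profiles=//p')
    privs=$(printf '%s\n' "$attrs" | tr ';' '\n' | sed -n 's/^defaultpriv=//p')
    case ",$profiles," in *",User Security,"*) ;; *) return 1 ;; esac
    case ",$privs,"    in *",file_dac_read,"*) ;; *) return 1 ;; esac
    return 0
}

# Returns 0 if USER's login shell in the passwd file is the profile shell.
shell_is_pfsh() {
    user=$1; file=$2
    sh_path=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$file")
    [ "$sh_path" = "/usr/bin/pfsh" ]
}

# --- constructed sample files (stand-ins for the real /etc files) ---
SAMPLE_DIR=$(mktemp -d)

# pam.conf with an explicit passwd stanza (desired state)
cat > "$SAMPLE_DIR/pam.good" <<'EOF'
# constructed sample
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
EOF

# pam.conf where the passwd line is only a comment (falls through to "other")
cat > "$SAMPLE_DIR/pam.bad" <<'EOF'
# constructed sample
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
# passwd auth required pam_passwd_auth.so.1
EOF

cat > "$SAMPLE_DIR/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*;profiles=All;lock_after_retries=no
funcacct::::type=normal;profiles=User Security;defaultpriv=basic,file_dac_read
plainuser::::type=normal;profiles=Basic Solaris User
EOF

cat > "$SAMPLE_DIR/passwd" <<'EOF'
funcacct:x:1001:10:TPAM functional account:/export/home/funcacct:/usr/bin/pfsh
plainuser:x:1002:10:Ordinary user:/export/home/plainuser:/bin/bash
EOF

# Report the state of the sample "host" when run stand-alone.
report() {
    pam_has_passwd_auth "$1" && echo "pam.conf: passwd auth stanza present" \
                             || echo "pam.conf: NO passwd auth stanza (uses other)"
    user_attr_ok "$2" "$3"  && echo "$2: profile and privilege OK" \
                             || echo "$2: missing User Security or file_dac_read"
    shell_is_pfsh "$2" "$4" && echo "$2: shell is /usr/bin/pfsh (no pfexec prefix needed)" \
                             || echo "$2: standard shell, set delegation prefix pfexec in TPAM"
}

report "$SAMPLE_DIR/pam.good" funcacct "$SAMPLE_DIR/user_attr" "$SAMPLE_DIR/passwd"
```

On a real host, point the three functions at /etc/pam.conf, /etc/user_attr and /etc/passwd after running the usermod command; the pam check ignores commented lines, which is exactly the case where the passwd command silently uses the other stanza.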
© 2025 One Identity LLC. ALL RIGHTS RESERVED.