Re: RBAC Implementation (207 Views)
Respected Contributor
vishnu.khandare
Posts: 194
Registered: ‎09-12-2010
Message 1 of 3 (236 Views)
Accepted Solution

RBAC Implementation

Hi Friends,

 

I am facing an issue while implementing RBAC; please find the error below.

 

$ privrun /usr/sbin/useradd new_user
privrun: authorization check failed

 

Is there a permission issue? Do we need to provide the rbac dir?

 

Please help to resolve.

 

Regards

Vishnu

 

 

You should deserve before U desire!!!!
HP Pro
Doug_Lamoureux
Posts: 11
Registered: ‎11-30-2011
Message 2 of 3 (220 Views)

Re: RBAC Implementation

Does the user you are running the command as have the correct authorization?

 

1st check what roles the user has:

 

# roleadm list user=foo
foo:userAdmins

 

Then check what authorizations those roles have:

 

# authadm list role=userAdmins
userAdmins: (hpux.user.add, *)

 

To run the useradd command (via privrun), the user must have the hpux.user.add authorization AND you must uncomment the useradd entry in the /etc/rbac/cmd_priv file:

 

# grep useradd /etc/rbac/cmd_priv
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :

 

The reason that this is commented out is that if you allow a user to run useradd, they can create a user with a uidnumber of 0, and they now have a root account on the system.

 

In the cmd_priv file:

 

# The following entries are known to be equivalent to granting
# unconstrained root. Specifically, the commands may be used
# to obtain an account with uid=0.
#
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :

....

 

 

Respected Contributor
vishnu.khandare
Posts: 194
Registered: ‎09-12-2010
Message 3 of 3 (207 Views)

Re: RBAC Implementation

Use the correct path, that's sbin instead of bin. Problem resolved.

You should deserve before U desire!!!!
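
Added example (not part of the original posts and not HP's own tooling): a small shell check that reports how a command is listed in a cmd_priv file, covering the commented-out useradd entry described in message 2 and the bin/sbin path mismatch from message 3. The sample file contents, the /opt/example/bin/tool entry and the function names are constructed for illustration; the field layout is assumed from the entry quoted in the thread.

```shell
#!/bin/sh
# Added example: report how a command is listed in an RBAC cmd_priv file.
# Assumed layout, taken from the entry quoted in the thread:
#   command :args :(operation,object) :...   (a leading "#" disables the entry)

# write_sample FILE -- constructed sample data, not a real system file.
write_sample() {
    cat > "$1" <<'EOF'
# The following entries are known to be equivalent to granting
# unconstrained root.
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
/opt/example/bin/tool :dflt :(example.tool.run,*) :0/0// :dflt :dflt :dflt :
EOF
}

# cmd_priv_status FILE COMMAND
# Prints "active AUTH", "commented AUTH" or "missing" (exact path match).
cmd_priv_status() {
    awk -v cmd="$2" '
    {
        line = $0; off = 0
        if (line ~ /^[ \t]*#/) { off = 1; sub(/^[ \t]*#[ \t]*/, "", line) }
        n = split(line, f, ":")
        path = f[1]; gsub(/^[ \t]+|[ \t]+$/, "", path)
        if (n < 3 || path != cmd) next      # prose comments have < 3 fields
        auth = f[3]; gsub(/[ \t]/, "", auth)
        if (!off) { state = "active"; found = auth }
        else if (state == "") { state = "commented"; found = auth }
    }
    END { if (state == "") print "missing"; else print state, found }
    ' "$1"
}

# useradd_enabled FILE -- exit 0 if the useradd entry is active, which the
# file's own comment describes as equivalent to granting unconstrained root.
useradd_enabled() {
    case "$(cmd_priv_status "$1" /usr/sbin/useradd)" in
        active*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo on the constructed sample: sbin path, bin path, and an active entry.
tmp="${TMPDIR:-/tmp}/cmd_priv.sample.$$"
write_sample "$tmp"
for c in /usr/sbin/useradd /usr/bin/useradd /opt/example/bin/tool; do
    printf '%s -> %s\n' "$c" "$(cmd_priv_status "$tmp" "$c")"
done
rm -f "$tmp"
```

On a real system the first argument would be /etc/rbac/cmd_priv; an "active" result for useradd is worth flagging in a review, for the reason given in message 2.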