04-13-2012 01:49 AM
I'm facing an issue while implementing RBAC; please find the error below.
$ privrun /usr/sbin/useradd new_user
privrun: authorization check failed
Is there any permission issue? Do we need to provide the rbac dir?
Please help to resolve.
04-26-2012 09:29 AM
Does the user you are running the command as have the correct authorization?
First, check what roles the user has:
# roleadm list user=foo
Then check what authorizations those roles have:
# authadm list role=userAdmins
userAdmins: (hpux.user.add, *)
To run the useradd command (via privrun) the user must have the hpux.user.add authorization AND you must uncomment the useradd entry in the /etc/rbac/cmd_priv file:
# grep useradd /etc/rbac/cmd_priv
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
The reason this is commented out is that if you allow a user to run useradd, they can create a user with a uid number of 0, and they now have a root account on the system.
In the cmd_priv file:
# The following entries are known to be equivalent to granting
# unconstrained root. Specifically, the commands may be used
# to obtain an account with uid=0.
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
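
The two checks from the reply above, combined into one diagnosis, as an added example that is not part of the original thread and not HP-UX code. It reads text in the `cmd_priv` and `authadm list` formats quoted above; the field positions are taken from those quoted lines, the sample data is constructed, and authorization matching is simplified to an exact name match.

```shell
# Constructed sample data; /usr/sbin/example_cmd and hpux.example.run are hypothetical.
SAMPLE_CMD_PRIV='#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
/usr/sbin/example_cmd :dflt :(hpux.example.run,*) :0/0// :dflt :dflt :dflt :'
SAMPLE_AUTHADM='userAdmins: (hpux.user.add, *)'

# cmd_priv_entry CMD: reads cmd_priv text on stdin and prints
# "active <auth>", "commented <auth>" or "missing". An active entry wins.
cmd_priv_entry() {
    awk -F: -v cmd="$1" '
    {
        path = $1; state = "active"
        if (sub(/^[ \t]*#[ \t]*/, "", path)) state = "commented"
        sub(/[ \t]+$/, "", path)
        if (path != cmd) next
        auth = $3
        gsub(/[ \t()]/, "", auth)   # "(hpux.user.add,*)" -> "hpux.user.add,*"
        sub(/,.*/, "", auth)        # keep the authorization name, drop the object
        if (state == "active" || best == "") best = state " " auth
        if (state == "active") exit
    }
    END { print (best == "" ? "missing" : best) }'
}

# roles_grant AUTH: reads "authadm list" output on stdin, succeeds if any
# (authorization, object) pair names AUTH. Assumption: exact name match only.
roles_grant() {
    awk -v want="$1" '
    {
        line = $0; sub(/^[^:]*:[ \t]*/, "", line)      # drop the "role:" prefix
        n = split(line, pair, /\)/)
        for (i = 1; i <= n; i++) {
            a = pair[i]; gsub(/[ \t(]/, "", a); sub(/^,/, "", a); sub(/,.*/, "", a)
            if (a == want) found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# diagnose CMD CMD_PRIV_TEXT AUTHADM_TEXT: one-line reason for the privrun result.
diagnose() {
    entry=$(printf '%s\n' "$2" | cmd_priv_entry "$1")
    auth=${entry#* }
    case $entry in
        missing)      echo "no cmd_priv entry for $1" ;;
        commented\ *) echo "entry commented out (needs $auth)" ;;
        *)  if printf '%s\n' "$3" | roles_grant "$auth"; then echo "ok: $auth granted"
            else echo "role lacks $auth"; fi ;;
    esac
}
```

On a real system the second and third arguments would come from `/etc/rbac/cmd_priv` and from `authadm list role=...` for each role that `roleadm list user=...` reports.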