Set Up Role-Based Access Control (RBAC)
January 31, 2008 4:32 pm
Solaris Security
With RBAC, the root user can delegate commands to certain users. In other words, a small part of root's power can be given to regular users. On the system I am setting up, I want to give the power to shut down the system to a non-root user. Once set up, the user can su to the custom role and shut the system down.
First, create the role.
anouk:/ # roleadd -u 1000 -g 10 -d /export/home/pseudo -m pseudo
anouk:/ # passwd pseudo
New Password:
Re-enter new Password:
passwd: password successfully changed for pseudo
anouk:/ # pwconv    # syncs /etc/shadow to /etc/passwd
anouk:/ # cat /etc/passwd | grep pseudo
pseudo:x:1000:10::/export/home/pseudo:/bin/pfsh (pfsh = profile shell - bourne shell)
Create the profile with comments about its ability:
anouk:/ # echo "Shutdown:::Shutdown the system" >> /etc/security/prof_attr
Add the profile to the role:
anouk:/ # rolemod -P "Shutdown" pseudo
The role has to be assigned to an account:
anouk:/ # usermod -R pseudo mglas
Assign commands to the profile:
anouk:/ # echo Shutdown:suser:cmd:::/usr/sbin/shutdown:uid=0 >> /etc/security/exec_attr
anouk:/ # roles mglas
pseudo
anouk:/ # profiles pseudo
Shutdown
Basic Solaris User
All
User mglas has now been assigned the role 'pseudo', so this user can su - to the role and shut down the system.
anouk:~ $ su - pseudo
Password:
$ /usr/ucb/whoami
pseudo
$ /usr/bin/who am i
mglas pts/2 Jan 31 16:30 (203.48.45.198)
$ /usr/sbin/shutdown -i 6 -g 0
Shutdown started. Thu Jan 31 16:31:46 EST 2008
Do you want to continue? (y or n):
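To audit the result of the steps above, this added example (not part of the original post) parses exec_attr and user_attr and lists which accounts hold a profile that runs a command with uid=0 or euid=0, and which users may assume those roles. The function names, the Viewer profile and the guest account are constructed for illustration; only direct assignments in user_attr are followed, not profiles nested inside other profiles.

```shell
#!/bin/sh
# Added example, not from the original post. On Solaris run it with nawk or
# /usr/xpg4/bin/awk in place of awk (the legacy /usr/bin/awk is too old).
# Usage: rbac_root_paths <exec_attr file> <user_attr file>
rbac_root_paths() {
    awk -F: '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        FILENAME == ARGV[1] {                   # exec_attr: name:policy:type:res1:res2:id:attr
            if ($3 == "cmd" && $7 ~ /(^|;)e?uid=0(;|$)/)
                cmds[$1] = cmds[$1] " " $6 "[" $7 "]"
            next
        }
        {                                       # user_attr: user:qualifier:res1:res2:attr
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^profiles=/) profs[$1] = substr(kv[i], 10)
                if (kv[i] ~ /^roles=/)    roles[$1] = substr(kv[i], 7)
            }
        }
        END {
            for (a in profs) {                  # accounts holding a root-capable profile
                n = split(profs[a], p, ",")
                for (i = 1; i <= n; i++)
                    if (p[i] in cmds) { priv[a] = 1; print a " profile=" p[i] cmds[p[i]] }
            }
            for (u in roles) {                  # users allowed to assume such a role
                n = split(roles[u], r, ",")
                for (i = 1; i <= n; i++)
                    if (r[i] in priv) print u " may-assume=" r[i]
            }
        }
    ' "$1" "$2"
}

# Constructed sample data: the Shutdown entries mirror the post, the rest is made up.
write_sample() {
    printf '%s\n' '# constructed sample' \
        'Shutdown:suser:cmd:::/usr/sbin/shutdown:uid=0' \
        'Viewer:suser:cmd:::/usr/bin/ls:' > "$1/exec_attr"
    printf '%s\n' 'pseudo::::type=role;profiles=Shutdown' \
        'mglas::::type=normal;roles=pseudo' \
        'guest::::type=normal;profiles=Viewer' > "$1/user_attr"
}

d=$(mktemp -d) && write_sample "$d" && rbac_root_paths "$d/exec_attr" "$d/user_attr"
rm -rf "$d"
```

On a live system, point it at /etc/security/exec_attr and /etc/user_attr and review every account it reports.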