((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))

Darren J Moffat Darren.Moffat at Sun.COM
Fri Feb 21 09:03:09 EST 2003


On Wed, 19 Feb 2003, Corinna Vinschen wrote:

> AFAIK there isn't only Cygwin.  Newer Solaris supports a similar
> concept, isn't it?

I'm not very familiar with how the groups of admins concept works in NT.

Solaris 8 (and Trusted Solaris all versions) have the concept of roles
[described in rbac(5) for those with access to Solaris or those that care
to look on http://docs.sun.com].

A role is an account that can not be logged into directly and may have
elevated privileges or restricted privileges (including limiting it to
a fixed set of programs that it can exec).

Roles are assigned to Real users.  You can not use sshd to get access
to a role (the call to pam_acct_mgmt() enforces this during the processing
of pam_roles.so), you must use su(1) to "become" the role.

It is possible to make the root account a role, this means that only users
who have the password and have been assigned the role can use su(1) to
become root.  It also ensures that root can not login directly.

Additional privileges and authorisations can also be given directly to
individual users.

However none of this changes the uid == 0 being all powerful in the kernel
for Solaris 8 or 9.  Trusted Solaris has fine grained privilege instead of
uid == 0 checks in the kernel.


-- 
Darren J Moffat
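
As an added example (not code from the message above or from Solaris), here is a small audit over the Solaris user_attr(4) database, the file where the type=role marking that makes an account a role lives; it reports whether root is a role and which real users have been assigned it. The sample entries are constructed, not taken from a real system.

```python
# Audit of Solaris user_attr(4) entries: which accounts are roles (and so cannot
# be logged into directly, as pam_roles enforces) and which users hold a role.
# Format: user:qualifier:res1:res2:attr, where attr is a ';'-separated list of
# key=value pairs and list-valued keys (roles, auths, profiles) use commas.
from typing import Dict, List

# Constructed sample of /etc/user_attr lines (hypothetical accounts).
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*
alice::::type=normal;roles=root,sysadmin
bob::::type=normal;auths=solaris.system.shutdown
sysadmin::::type=role;profiles=System Administrator
"""


def parse_user_attr(text: str) -> Dict[str, Dict[str, str]]:
    """Map account name -> attribute dict for every non-comment entry."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed entry; skip rather than guess
        name, attr = fields[0], fields[4]
        attrs: Dict[str, str] = {}
        for pair in attr.split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                attrs[key.strip()] = value.strip()
        entries[name] = attrs
    return entries


def is_role(entries: Dict[str, Dict[str, str]], name: str) -> bool:
    """True when the account is marked type=role (no direct login possible)."""
    return entries.get(name, {}).get("type") == "role"


def holders_of_role(entries: Dict[str, Dict[str, str]], role: str) -> List[str]:
    """Real (non-role) users that may su(1) to the given role, sorted."""
    return sorted(user for user, attrs in entries.items()
                  if attrs.get("type") != "role"
                  and role in attrs.get("roles", "").split(","))


def audit_root_is_role(text: str) -> Dict[str, object]:
    """Summarise whether root is a role and who has been assigned it."""
    entries = parse_user_attr(text)
    return {"root_is_role": is_role(entries, "root"),
            "root_holders": holders_of_role(entries, "root")}
```

Running it on the sample reports root as a role held only by alice; bob, with no roles= attribute, has no path to root through su(1).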



