Configuring RBAC on Solaris 11.4
Hi everyone, I am facing some issues on Solaris 11.4 implementing RBAC. I created a user and a role and gave profiles to the role, but I can execute the command. I drop my RBAC configuration below.
$useradd -m test
$passwd test
$roleadd -c "User Administrator role,User Management role local" -m -K profiles="User Security,User Management" sec1
$passwd sec1
$usermod -R +sec1 test
I logged in as my new test user and my role sec1 successfully. I can create a user, give a password, delete a user and password. The role cannot add a new role.
sec1@:~$ usermod -R +sec1 test
/usr/lib/passmgmt: Permission denied. Cannot set roles to sec1, requires sec1 role.
UX: usermod: ERROR: Permission denied.
UX: usermod: ERROR: Cannot update system - login cannot be modified.
How can I use usermod and rolemod for the user? Can anyone help me? Which Solaris profiles can have access to roles related to the user?
Comments (1)
It seems to be a bug in the usermod command when it is run from a role (not a user). I succeeded in delegating this privilege user-to-user (without a role).
As the root user, give the privilege to the test user directly:
Also create another user for testing
Then log in as test and use this privilege:
Optionally you could add -K auth_profiles="User Security,User Management" to ask testuseradm to enter his password again.
The main difference between a user and a role: the role cannot log in directly. So you may create some shared user account and introduce it as a role to your colleagues as a workaround.
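As an added example, not code from the question or the answer: a shell function that reads entries in user_attr(5) layout and reports which accounts hold the User Security or User Management profiles, and whether they get them directly (profiles=), with re-authentication (auth_profiles=), or through an assigned role (roles=). The sample entries and the name audit_user_attr are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that hold the user-management profiles from
# this thread, reading entries in user_attr(5) layout:
#   name:qualifier:res1:res2:key=value;key=value
AWK=${AWK:-awk}   # needs a POSIX awk (user-defined functions)

# Constructed sample mirroring the thread, not taken from a real system.
SAMPLE='# constructed user_attr sample
root::::type=normal;auths=solaris.*
sec1::::type=role;profiles=User Security,User Management
test::::type=normal;roles=sec1
testuseradm::::type=normal;auth_profiles=User Security,User Management
guest::::type=normal;profiles=Basic Solaris User'

# Prints name|type|how|profile, where how is direct (profiles=),
# reauth (auth_profiles=) or via-role:<role> (inherited through roles=).
audit_user_attr() {
  "$AWK" -F: '
    function hold(u, h, list,   p, m, j) {
      m = split(list, p, ",")
      for (j = 1; j <= m; j++)
        if (p[j] == "User Security" || p[j] == "User Management") {
          nh[u]++; how[u, nh[u]] = h; prof[u, nh[u]] = p[j]
        }
    }
    /^#/ || NF < 5 { next }
    {
      u = $1; attr = $5; kind[u] = "normal"; order[++cnt] = u
      for (i = 6; i <= NF; i++) attr = attr ":" $i  # colons inside attr
      n = split(attr, kv, ";")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "="); if (!eq) continue
        k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
        if (k == "type") kind[u] = v
        else if (k == "roles") roles[u] = v
        else if (k == "profiles") hold(u, "direct", v)
        else if (k == "auth_profiles") hold(u, "reauth", v)
      }
    }
    END {
      for (c = 1; c <= cnt; c++) {
        u = order[c]
        for (h = 1; h <= nh[u]; h++) print u "|" kind[u] "|" how[u, h] "|" prof[u, h]
        m = split(roles[u], r, ",")
        for (j = 1; j <= m; j++)
          for (h = 1; h <= nh[r[j]]; h++)
            print u "|" kind[u] "|via-role:" r[j] "|" prof[r[j], h]
      }
    }'
}

printf '%s\n' "$SAMPLE" | audit_user_attr
```

To check a real file in the same layout, redirect it into the function, for example `audit_user_attr < /etc/user_attr`; entries served from a name service are not covered by a file read.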