Pantek Expert IT Services Software Library

Re: Solaris 9 sftp-server

From: Norman Lyon <yourdog(at)hypermall.net>
Date: Tue Apr 08 2003 - 18:31:00 EDT


Quoting BAUMLER Julie L <julie.x.baumler@co.multnomah.or.us>:

> We're using Sun's ssh sftp server on Solaris 9 for some (internal) customer

You can use RBAC to help with this. They can still log in, but they won't be able to do anything other than log off :). My example below is for an account called mirror, with a profile called Mirror.

First, you need to disable the default behavior of RBAC to allow standard Unix privileges. Do this by commenting out the following lines in /etc/security/policy.conf:

  #AUTHS_GRANTED=solaris.device.cdrw
  #PROFS_GRANTED=Basic Solaris User

Next, add some information to /etc/security/prof_attr to define the profile:

  Mirror:::Mirror:help=Mirror.html

Next, set up the commands that the profile can run by adding the following to /etc/security/exec_attr:

  Mirror:suser:cmd:::/usr/bin/scp:uid=103
  Mirror:suser:cmd:::/usr/lib/ssh/sftp-server:uid=103

Next, add the following to associate the mirror account with the Mirror profile to /etc/user_attr:
  mirror::::type=normal;profiles=Mirror


Finally, set up the mirror account in /etc/passwd, /etc/shadow, /etc/group, etc., but make sure that the default shell is one of the profile shells (/usr/bin/pfsh, /usr/bin/pfcsh, or /usr/bin/pfksh).

Yes, this does affect the default privileges for an RBAC setup, but it's not that difficult to add the "uninherited" privileges to another profile.

Norman

Received on Tue Apr 8 23:50:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT
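
An added example, not part of the original message: a POSIX shell check that audits the five pieces of the lockdown described above (policy.conf, prof_attr, exec_attr, user_attr, and the login shell). The function names, the ROOT argument, and the constructed sample tree (GID, home directory, GECOS text) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit the RBAC lockdown it
# describes. ROOT lets the check run on a copy of /etc ("" = live system).

bad() { echo "FAIL: $*"; fail=$((fail + 1)); }

# make_sample ROOT: constructed tree holding the entries quoted in the message
make_sample() {
    mkdir -p "$1/etc/security"
    printf '%s\n' '#AUTHS_GRANTED=solaris.device.cdrw' \
        '#PROFS_GRANTED=Basic Solaris User' > "$1/etc/security/policy.conf"
    printf '%s\n' 'Mirror:::Mirror:help=Mirror.html' > "$1/etc/security/prof_attr"
    printf '%s\n' 'Mirror:suser:cmd:::/usr/bin/scp:uid=103' \
        'Mirror:suser:cmd:::/usr/lib/ssh/sftp-server:uid=103' > "$1/etc/security/exec_attr"
    printf '%s\n' 'mirror::::type=normal;profiles=Mirror' > "$1/etc/user_attr"
    printf '%s\n' 'mirror:x:103:103:constructed:/export/home/mirror:/usr/bin/pfsh' \
        > "$1/etc/passwd"
}

# check_rbac_lockdown ROOT USER PROFILE -> returns the number of failed checks
check_rbac_lockdown() {
    root=$1; user=$2; prof=$3; fail=0; sec="$root/etc/security"
    # 1. policy.conf must no longer hand default rights to every account
    if grep -E '^[[:space:]]*(AUTHS_GRANTED|PROFS_GRANTED)=' "$sec/policy.conf" >/dev/null 2>&1; then
        bad "policy.conf still grants default authorizations or profiles"
    fi
    # 2. the profile must be defined in prof_attr
    grep "^$prof:" "$sec/prof_attr" >/dev/null 2>&1 || bad "$prof missing from prof_attr"
    # 3. exec_attr (field 6 = command path): only scp and sftp-server allowed
    extra=$(awk -F: -v p="$prof" '$1 == p && $6 != "/usr/bin/scp" &&
        $6 != "/usr/lib/ssh/sftp-server" { print $6 }' "$sec/exec_attr" 2>/dev/null)
    [ -z "$extra" ] || bad "$prof can also run:" $extra
    # 4. user_attr (field 5 = attributes): the account holds exactly this profile
    profs=$(awk -F: -v u="$user" '$1 == u { n = split($5, a, ";")
        for (i = 1; i <= n; i++) if (a[i] ~ /^profiles=/) print substr(a[i], 10) }' \
        "$root/etc/user_attr" 2>/dev/null)
    [ "$profs" = "$prof" ] || bad "$user has profiles '$profs', expected '$prof'"
    # 5. the message requires one of the profile shells as the login shell
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd" 2>/dev/null)
    case $shell in
        /usr/bin/pfsh|/usr/bin/pfcsh|/usr/bin/pfksh) ;;
        *) bad "$user shell is '$shell', not a profile shell" ;;
    esac
    return "$fail"
}

# Demo on the constructed tree
d=$(mktemp -d) && make_sample "$d" && check_rbac_lockdown "$d" mirror Mirror && echo "lockdown OK"
rm -rf "$d"
```

Each failed check prints a `FAIL:` line, and the return status is the number of failures, so the function can gate a configuration-management run.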

