Wednesday, April 28, 2010

Large RBAC putback

Today OpenSolaris had a large putback for RBAC, Role Based Access Control.

Previously you were more restricted in your choice of shell when you wanted to use RBAC roles and profiles fully: only pfsh, pfcsh and pfksh were available. A frequent change request for years has been to add support for the GNU shell bash. This update adds, among other things, support for both pfbash and pfzsh, thanks to a new in-kernel implementation of the pfexec command.

It also adds two new privileges, FILE_READ and FILE_WRITE, which can be used to implement processes that are only allowed to write to files, or only to read from them.

For those unfamiliar with it, RBAC is the Role Based Access Control used in Solaris. Unlike tools such as sudo, it provides the ability to delegate specific privileges to users or roles instead of just allowing certain commands to be executed as root. Privileges are fine grained and include the right to execute, fork, link, bind to a privileged port, use DTrace and many more.
