RBAC and su in script

aego

Technical User
Aug 29, 2001
30
NL
Hi,

I am trying to write a script for some operators at our office which they can use to stop/start the helpdesk application during the night, as they are the only ones using this application, Remedy.

The idea is to use RBAC for this. The underlying init script, however, su's to the user the application runs as, and then requests a password for the remedy user.
______________
Underlying init script
______________
REMEDY_HOME=/opt/remedy/product/5.1.2
SERVLET_HOME=/opt/remedy/product/4.1.1/servletexec
export REMEDY_HOME SERVLET_HOME

case "$1" in
start)
    echo "starting remedy"
    # su asks for the remedy password unless the caller is root
    su - remedy -c "$REMEDY_HOME/server/bin/arsystem start"
    "$SERVLET_HOME/ServletExecAS/<servername>/StartServletExec"
    ;;
stop)
    echo "stopping remedy"
    "$SERVLET_HOME/ServletExecAS/<servername>/StopServletExec"
    su - remedy -c "$REMEDY_HOME/server/bin/arsystem stop"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

exit 0
______________
This is not something I like.

I would like to see the script not needing a password, just the user executing a script which calls the /etc/init.d/remedy script.

___________
I'm in yer face, even when you don't want me to be
___________
 
You can try setting the sticky-bit. If your script has the privileges 744, run chmod 4744 remedy.script. This way all users can start/stop the application.
 
A good solution from bfitzmai, but the name of the bit is NOT the "sticky bit"; it is the "setuid bit" -> man -s 2 chmod

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years
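
An audit check for the setuid approach discussed in the two posts above, added here as an example and not written by any poster: it lists regular files under a directory that carry the setuid bit and begin with `#!`, so an administrator can see which scripts run with their owner's privileges and who may execute them. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report setuid files that are interpreter scripts.

# is_script FILE
# True when FILE starts with the two-byte "#!" interpreter marker.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# find_setuid_scripts DIR
# Prints "MODE OWNER PATH" for every regular file under DIR that has the
# setuid bit (octal 4000) set and is a script. The MODE column shows who
# can execute it: with 4744 (-rwsr--r--) only the owner has an execute bit.
find_setuid_scripts() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then
            # ls -ld gives the mode string in field 1 and the owner in field 3
            meta=$(ls -ld "$f" | awk '{print $1, $3}')
            printf '%s %s\n' "$meta" "$f"
        fi
    done
}

# Stand-alone use: pass the directory to audit, e.g. /etc/init.d
[ "$#" -eq 0 ] || find_setuid_scripts "$1"
```
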
 
Another way is to use the "sudo" package. You can download it from sunfreeware.com.
-
sbs
 
So there is no way I can achieve this using RBAC?

___________
I'm in yer face, even when you don't want me to be
___________
 
Yes, you can use RBAC. But, RBAC would require the user to su to the RBAC user to gain the command access. Sudo root works great but again the user must authenticate with the user's password (first time only) and must use the command sudo with every command. Setting the setuid bit is the quickest, easiest way for users to gain command access. But, every user would have that command access.
 
bfitzmai,

I was thinking about this for quite some time now, but your answer convinced me there is indeed something missing in RBAC ....

___________
I'm in yer face, even when you don't want me to be
___________
 
I agree... When Solaris 8 came out and I first read about RBAC, I thought it sounded like something great. But, since the user has to authenticate, it is really no different than sudo for command privileges. RBAC would be good if you had folders/files that you wanted certain users to have access to. But, then again that is what groups are for.
 