This example shows the same situation as example one, but the profile will be attached directly to the newhire account.
Modify /etc/security/prof_attr and /etc/security/exec_attr as described for example one.
This time, instead of creating a role and adding a profile to it, we will create a normal user and add the profile directly to that user.
useradd -d /export/home/newhire -m -P useradd newhire
Changes to /etc/passwd:
newhire:x:103:1::/export/home/newhire:/bin/sh
Changes to /etc/user_attr:
newhire::::type=normal;profiles=useradd
From this we can see that this is a typical user account with one profile, useradd, added to it.
Test the configuration.
Log on as newhire.
$ echo $0
/bin/sh
$ id
uid=103(newhire) gid=1(other)
$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: Permission denied.
$ pfsh
$ echo $0
pfsh
$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: invalid syntax.
usage: useradd [-u uid [-o] | -g group | -G group[[,group]...] |-d dir | -b base_dir |
$ exit
$ echo $0
/bin/sh
$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: Permission denied.
$ pfexec /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: invalid syntax.
usage: useradd [-u uid [-o] | -g group | -G group[[,group]...] |-d dir | -b base_dir |
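As you can see, we can either switch to a profile shell (pfsh) or use the pfexec command to run the command. From the ordinary /bin/sh the profile is not applied, and useradd fails with "Permission denied". The "invalid syntax" error under pfsh and pfexec is expected: useradd was allowed to run and is only complaining that no arguments were given. Either way works, and there is no password prompt because we did not use the su command.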
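Because a directly attached profile needs no su and no password prompt, it is worth knowing which normal accounts carry one. The following audit script is an added example, not part of the original page: it reads user_attr-format input and lists every account of type normal (the default when no type is given) that has profiles assigned directly, like newhire above. The sample entries, including the hiremgr role and the plain user, are constructed for illustration; on a real system, feed /etc/user_attr to the function instead.

```shell
#!/bin/sh
# Audit user_attr entries for profiles attached directly to normal users.
# Entry format: user:qualifier:res1:res2:attr
# where attr is a semicolon-separated list of key=value pairs.

# Constructed sample data (hiremgr and plain are hypothetical accounts).
sample_user_attr() {
    cat <<'EOF'
# constructed sample in /etc/user_attr format
root::::auths=solaris.*,solaris.grant;profiles=All
hiremgr::::type=role;profiles=useradd
newhire::::type=normal;profiles=useradd
plain::::type=normal
EOF
}

# Reads user_attr lines on stdin; prints "user profiles" for each
# non-role account that has a profiles= attribute.
list_direct_profiles() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }   # skip comments, blanks, short lines
        {
            # Rejoin the attr field in case a value contains a colon.
            attr = $5
            for (i = 6; i <= NF; i++) attr = attr ":" $i

            type = "normal"             # user_attr default when type is absent
            profiles = ""
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^type=/)     type = substr(kv[i], 6)
                if (kv[i] ~ /^profiles=/) profiles = substr(kv[i], 10)
            }
            if (type == "normal" && profiles != "")
                printf "%s %s\n", $1, profiles
        }'
}

# Run against the constructed sample.
sample_user_attr | list_direct_profiles
```

On a live system the equivalent call is: list_direct_profiles < /etc/user_attr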