News, tips, partners, and perspectives for the Oracle Solaris operating system

The "Desktop Configuration" rights profile in Solaris 10

Alan Coopersmith
Senior Principal Software Engineer

Solaris ships with several X configuration utilities which require additional privileges to run. To allow selected users to run these without having to have the root password, an RBAC (Role Based Access Control) rights profile has been created with the name "Desktop Configuration".

Users with the rights granted by this profile can do these things normally requiring root privileges, starting in Solaris 10 (build s10_73 and later):

  • Change the SMF configuration for the X11 & font services (I'll talk more about these in a future blog entry)
  • Have xorgconfig save the configuration output to /etc/X11/xorg.conf
  • Run scanpci to see the PCI devices available on the system.

Additional configuration tools will likely be added to this profile in the future, including possibly those for CDE & JDS desktops like dtlogin & gdm configuration.

For example, if I wanted to allow the user alanc to change the X server configuration without having to have the root password, I would just add this line to /etc/user_attr:

alanc::::profiles=Desktop Configuration

I can then login as alanc and run svccfg to change the X server options or run pfexec /usr/X11/bin/scanpci to see the list of PCI devices in the system. If correctly configured, when the user runs the auths command, they should see the solaris.smf.manage.x11 and solaris.smf.manage.font authorizations listed.

For more information on using RBAC and rights profiles, see the manual Solaris 10 System Administrator Collection > System Administration Guide: Security Services.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.