The reason was the "Primary Administrator" profile, copied from Solaris 11 Express, and realized in
/etc/security/prof_attr as follows:
"Primary Administrator:RO::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html" and in /etc/security/exec_attr as follows:
which seems obviously correct, was never a problem in Solaris 11 Express and Solaris 11, and worked.
Since some S11 Expr. build, the "Primary Administrator" profile was kept on my host as a relic, BUT WAS NOT ASSIGNED TO ANY USER, ROLE, OR OTHER PROFILE, i.e. IT WAS COMPLETELY UNUSED!!
(The reason is that it grants far too many rights (imagine a browser session).)
The entry in /etc/security/prof_attr does no harm.
The entry in /etc/security/exec_attr causes the described problem, THOUGH NOT USED IN ANY WAY.
Solution: Discard the "Primary Administrator" entry in /etc/security/exec_attr (or better: both entries).
Bug or feature?
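As an added illustration of the situation described above (this is not code from the thread), a small audit script that parses the RBAC files and reports exec_attr entries granting euid=0 on a wildcard command whose profile is not referenced by any user, role or other profile. The file contents, the user "alice" and the "Printer Management" entry are constructed samples.

```python
# Added example, not from the thread: audit Solaris RBAC files for exec_attr
# entries that run any command as euid 0 but belong to a profile that no
# user, role or other profile references. File contents below are constructed.
PROF_ATTR = """\
Primary Administrator:RO::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html
System Administrator:::Can perform most non-security administrative tasks:profiles=Printer Management;help=RtSysAdmin.html
"""
EXEC_ATTR = """\
Primary Administrator:solaris:cmd:RO::*:euid=0;egid=0
Printer Management:solaris:cmd:RO::/usr/sbin/lpadmin:euid=lp
"""
USER_ATTR = """\
root::::type=role;auths=solaris.*
alice::::type=normal;profiles=System Administrator;roles=root
"""

def parse_attrs(field):
    """Turn 'key=value;key2=value2' into a dict; an empty field gives {}."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def records(text, nfields):
    """Yield the colon-separated fields of each non-comment line,
    splitting into at most nfields so the last (attr) field keeps any colons."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":", nfields - 1)

def assigned_profiles(prof_attr, user_attr):
    """Profiles named in any user/role entry or nested inside another profile."""
    used = set()
    # user_attr and prof_attr both carry their attr string as the 5th field
    for fields in list(records(user_attr, 5)) + list(records(prof_attr, 5)):
        for p in parse_attrs(fields[4]).get("profiles", "").split(","):
            if p:
                used.add(p)
    return used

def unused_root_wildcards(prof_attr, exec_attr, user_attr):
    """Names of exec_attr profiles granting euid=0 on '*' that are unassigned."""
    used = assigned_profiles(prof_attr, user_attr)
    findings = []
    for name, _pol, kind, _r1, _r2, cmd, attrs in records(exec_attr, 7):
        a = parse_attrs(attrs)
        if kind == "cmd" and cmd == "*" and a.get("euid") == "0" and name not in used:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in unused_root_wildcards(PROF_ATTR, EXEC_ATTR, USER_ATTR):
        print("unassigned wildcard euid=0 profile in exec_attr:", name)
```

Run against the real /etc/security files, any reported profile is a candidate for removal, as the thread suggests for "Primary Administrator".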
The Primary Administrator profile is no longer delivered. It's unsurprising that it wasn't fully automatically removed, since as you said, it was manually copied over.
From any files where it was previously delivered by the packaging system, it should have been automatically removed (and is from the multiple systems I've checked).
The Primary Administrator profile (and its descendants) is no longer contained in the RBAC files since these got better formatting, an adapted manual, a new directory structure with links to local files, and a new way this structure is scanned.
This started with Solaris 11. Since then, RBAC has been easy to understand and easily maintainable.
Thanks to Oracle!
Any defined profile (and descendants) should not lead to any effect if it is syntactically and semantically correct, as long as it is completely unused, as it was in my case. Or am I wrong?
I think there is a problem in the binaries handling the security problems that come up with this profile.
- Does just the name "Primary Administrator" cause the effect?
- Is solaris:cmd:RO::*:euid=0;egid=0 no longer allowed?
I did not perform further investigation.