Chapter 6: Appendix 2--Comparison of the RBAC Implementation with Sudo
There are some similarities between the sudo freeware package (offered by Todd Miller and Chris Jepeway) and the RBAC implementation.
The RBAC implementation uses roles in a similar fashion to the sudo User_Alias. The User_Alias feature is used like conventional groups. Roles can have rights profiles, including authorizations and commands with security attributes, directly assigned to them. A role requires authentication before it can be assumed.
Sudo uses Runas_Alias to assign UIDs and GIDs. These assignments set the real and effective IDs together. The RBAC implementation uses a finer-grained approach, so that either effective or real IDs can be assigned. Assigning an effective ID rather than a real ID enables the real user to be attributed for auditing purposes.
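The real-versus-effective ID distinction can be checked mechanically. The following is an added example, not code from the original paper or from Sun: it parses entries in the exec_attr layout (name:policy:type:res1:res2:id:attr, assumed from the Solaris exec_attr(4) man page) and classifies each command by whether it assigns real or only effective IDs. The sample entries and function names are constructed for illustration.

```python
"""Audit exec_attr entries for real-ID versus effective-ID assignment."""

# Constructed sample entries (not from a real system), using the assumed
# exec_attr(4) layout: name:policy:type:res1:res2:id:attr
SAMPLE_EXEC_ATTR = """\
# profile:policy:type:res1:res2:command:attributes
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=lp
Custom Backup:suser:cmd:::/usr/local/bin/backup.sh:uid=0;gid=3

Basic Listing:suser:cmd:::/usr/bin/ls:
"""

REAL_KEYS = {"uid", "gid"}         # replace the caller's real IDs
EFFECTIVE_KEYS = {"euid", "egid"}  # change effective IDs only


def parse_exec_attr(text):
    """Yield (profile, command, attrs) for every entry; reject malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        profile, _policy, _type, _res1, _res2, command, attr = fields
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        yield profile, command, attrs


def classify(attrs):
    """Return 'real', 'effective' or 'none' for one entry's attributes."""
    if attrs.keys() & REAL_KEYS:
        return "real"
    if attrs.keys() & EFFECTIVE_KEYS:
        return "effective"
    return "none"


def audit(text):
    """Map each command to its classification; 'real' entries merit review
    because the invoking user's real ID is no longer carried by the process."""
    return {cmd: classify(attrs) for _p, cmd, attrs in parse_exec_attr(text)}


if __name__ == "__main__":
    for cmd, kind in audit(SAMPLE_EXEC_ATTR).items():
        print(f"{kind:9} {cmd}")
```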
Sudo uses the Host_Alias to provide host-specific controls. The RBAC implementation can provide host-specific controls by storing the RBAC databases on the local host, or an organization can use a name service to distribute the information.
The sudo Cmnd_Alias is similar to rights profiles in that it is a way to group commands.
In summary, sudo and the RBAC implementation accomplish the same basic objectives. The RBAC implementation has a GUI, finer granularity, and name service compatibility. Most importantly, sudo is freeware, but RBAC is supported by Sun.