With Solaris, and *nix generally, you could try a setuid approach. See man page for "set user ID" or "setuid." Prior poster is correct that sudo is better - see if you can find a port, perhaps from sunfreeware.com.
I have been reading about SUID and SUDO and have some questions you guys might be able to answer.
Using SUDO I will be able to give some users the privileges to execute commands normally restricted to the root account. In my case, the ability to create users. But how do I restrict the user from creating a user with root privileges and then misusing the system as a user with root permissions?
The same question goes for if I use SUID. How do I restrict the user from creating a new user which has root permissions or root privileges?
I hope someone can help me by directing me to some articles or giving some answers on how to get past this security risk.
I didn't test it, but I guess you have to make the script unwritable for the user who is allowed to execute it as root. And you have to ensure that none of the commands called inside the script is writable, and so on recursively for scripts or binaries which call scripts or binaries.
More importantly, though: if you allow a general user to run a program that creates new accounts, runs as root, and can create accounts with root privileges, then you've given that user the keys to the system.
One thing you might do is to write a simple shell script or wrapper program which in turn runs /usr/sbin/useradd (or whatever is appropriate on your system) and passes along all the options except the -u switch (or whatever switch specifies the UID on your system.) This would prevent the user from creating an account that mimics root's (or anyone else's) UID. They could only create a user with a new, automatically allocated UID.
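The wrapper described in the last reply, sketched as an added example that is not part of the original thread. It assumes Solaris-style short options parsed getopt-style, so it drops `-u` in both its separate and attached forms and refuses bundled or long option words that could hide a UID; `safe_useradd` and the `USERADD` override are hypothetical names, and only the UID switch discussed above is handled.

```shell
#!/bin/sh
# Added example: restricted front end for useradd, meant to be the only
# account-creation command a delegated user may run as root (e.g. via sudo).
# Assumptions: short options parsed getopt-style; USERADD is a hypothetical
# override of the real binary path, used only for testing.

safe_useradd() {
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift; n=$((n - 1))
        case $arg in
            -u)
                # "-u 0": drop the switch and the value that follows it.
                if [ "$n" -gt 0 ]; then shift; n=$((n - 1)); fi ;;
            -u*)
                # "-u0": value attached to the switch, drop the whole word.
                ;;
            --?*|-[!-]?*)
                # Long options and bundled words such as "-mu0" could carry
                # a UID past the checks above, so refuse them outright.
                echo "safe_useradd: refused option form: $arg" >&2
                return 2 ;;
            *)
                # Rotate the accepted word to the end of the argument list.
                set -- "$@" "$arg" ;;
        esac
    done
    # Every remaining word is passed through unchanged, with quoting intact.
    "${USERADD:-/usr/sbin/useradd}" "$@"
}

# Run only when invoked with arguments, so sourcing the file is harmless.
[ "$#" -eq 0 ] || safe_useradd "$@"
```

As the earlier reply points out, the wrapper itself and everything it calls must not be writable by the delegated user.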