RBAC bug-fix in Solaris 8 & 9

Ever wondered why an RBAC role account for printing services could not run the command
/etc/init.d/lp { start | stop} to restart the print scheduler?

Here is why and how to fix it:

The file /etc/security/exec_attr contains lists of super-user commands associated with RBAC
profiles. It also describes under which UID these programs are going to run when executed by a
role that has access to the profile.

Binary programs can run with the EUID (effective UID) of root. Shell scripts,
such as /etc/init.d/lp , need to run under the UID of root.
Since /etc/init.d/lp is a Bourne Shell script, it requires the UID to be switched to 0 when
running the command.

Change the entry for the lp script in the exec_attr file to uid=0 and your command will work
like a charm.
# vi /etc/init.d/exec_attr

Printer Management:suser:cmd:::/usr/init.d/lp: uid=0

If you are unsure if you are dealing with a binary file or a shell script, run the file command to verify.

# file /etc/init.d/lp
/etc/init.d/lp: executable Bourne-Shell script