In the role's options, check the 'read-only' radio button on the 'agent acl' tab.
Then push ACLs.
They will still map to root, but they won't be able to do anything on the file system.
Should have actually added that, but that was already selected, hence the confusion...
the ACL on this test server is basically:
So I jump onto the test server in question, head to /tmp, and there's a file in there:
-rw------- 1 root root 0 Jun 28 16:42 randomfile
Simply nexec -e su in as root, and I'm able to do anything to the file, i.e. change its name and contents, basically modifying it. Should this not be happening if the user and role are mapped as 'ro' to root? Or am I missing something blindingly obvious here? :S
Thanks in advance!
Ah - so you may want to apply some of the command authorizations to the role to limit what commands they can run - specifically, prevent them from running any nexec commands they don't need to.
Right, I didn't know you had to literally copy across ALL the nsh permissions minus the nexec command. I was initially confused, since the generic Authorizations such as server.read gave users access to all the nsh commands in the first place. I was initially looking for an "exclude" option when transferring them across as selected authorizations.
This now works pretty sweet, thanks for the help on this one.