In the below example, we create a role that can change the X server settings, such as monitor resolution and depth, using the /usr/sbin/m64config command. As you will notice, this has way too much permissions on a standard installation, so we first remove the SUID bit and the execute permissions for everyone.
Create a role that can execute this task:
roleadd -u 666 -g 10 -m -d /export/home/m64user m64user
This will add a line in /etc/passwd. Role accounts use profile shells. Normal shells are not aware of roles. Set the password for this account.
Create the profile for this account adding a line to /etc/security/prof_attr:
Xadm:::Can change X settings:
Add this profile to the role:
rolemod -P Xadm,All m64user
The All profile is there to make SMC output consistent.
Add or create a user that can access this role:
usermod -R m64user username
useradd -u 777 -g 10 -m -d /export/home/username -s /bin/bash -R m64user username
Set the password for this user if you added a new account.
Give the profile the right to execute m64config, editing /etc/security/exec_attr:
Read man exec_attr for the details.
NOTE: commands you put in exec_attr can not take options or arguments. If a command needs options or arguments, write a script and put that scriptname in exec_attr.
Test the new role: log in as the user who is assigned the role, then try to execute the command m64config. This should now be no longer allowed.
Issue the roles and profiles commands as this user. This should point you to the m64user account.
Log into the m64user account. You should now have the right to execute m64config.