RBAC: An Alternative to the Superuser Model
In conventional UNIX systems, the root user, also referred to as superuser, is all-powerful. Programs that run as root, or setuid programs, are all-powerful. The root user has the ability to read and write to any file, run all programs, and send kill signals to any process. Effectively, anyone who can become superuser can modify a site's firewall, alter the audit trail, read confidential records, and shut down the entire network. A setuid program that is hijacked can do anything on the system.
Role-based access control (RBAC) provides a more secure alternative to the all-or-nothing superuser model. With RBAC, you can enforce security policy at a more fine-grained level. RBAC uses the security principle of least privilege. Least privilege means that a user has precisely the amount of privilege that is necessary to perform a job. Ordinary users have enough privilege to use their applications, check the status of their jobs, print files, create new files, and so on. Capabilities beyond ordinary user capabilities are grouped into rights profiles. Users who are expected to do jobs that require some of the capabilities of superuser assume a role that includes the appropriate rights profile.
RBAC collects superuser capabilities into rights profiles. These rights profiles are assigned to special user accounts that are called roles. A user can then assume a role to do a job that requires some of superuser's capabilities. Predefined rights profiles are supplied with Solaris software. You create the roles and assign the profiles.
Rights profiles can provide broad capabilities. For example, the Primary Administrator rights profile is equivalent to superuser. Rights profiles can also be narrowly defined. For example, the Cron Management rights profile manages at and cron jobs. When you create roles, you can decide to create roles with broad capabilities, or roles with narrow capabilities, or both.
In the RBAC model, superuser creates one or more roles. The roles are based on rights profiles. Superuser then assigns the roles to users who are trusted to perform the tasks of the role. Users log in with their user name. After login, users assume roles that can run restricted administrative commands and graphical user interface (GUI) tools.
The flexibility in setting up roles enables a variety of security policies. Although no roles are shipped with the Solaris Operating System (Solaris OS), three recommended roles can easily be configured. The roles are based on rights profiles of the same name:
-
Primary Administrator – A powerful role that is equivalent to the root user, or superuser.
-
System Administrator – A less powerful role for administration that is not related to security. This role can manage file systems, mail, and software installation. However, this role cannot set passwords.
-
Operator – A junior administrator role for operations such as backups and printer management.
These three roles do not have to be implemented. Roles are a function of an organization's security needs. Roles can be set up for special-purpose administrators in areas such as security, networking, or firewall administration. Another strategy is to create a single powerful administrator role along with an advanced user role. The advanced user role would be for users who are permitted to fix portions of their own systems.
The superuser model and the RBAC model can co-exist. The following table summarizes the gradations from superuser to restricted ordinary user that are possible in the RBAC model. The table includes the administrative actions that can be tracked in both models. For a summary of the effect of privileges alone on a system, see Table 8–2.
Table 8–1 Superuser Model Versus RBAC With Privileges Model|
User Capabilities on a System |
Superuser Model |
RBAC Model |
|---|---|---|
|
Can become superuser with full superuser capability |
Yes |
Yes |
|
Can log in as a user with full user capabilities |
Yes |
Yes |
|
Can become superuser with limited capabilities |
No |
Yes |
|
Can log in as a user, and have superuser capabilities, sporadically |
Yes, with setuid programs only |
Yes, with setuid programs and with RBAC |
|
Can log in as a user with administrative capabilities, but without full superuser capability |
No |
Yes, with RBAC and with directly-assigned privileges and authorizations |
|
Can log in as a user with fewer capabilities than an ordinary user |
No |
Yes, with RBAC and with removed privileges |
|
Can track superuser actions |
Yes, by auditing the su command |
Yes, by auditing profile shell commands Also, if root user is disabled, the name of the user who has assumed the root role is in the audit trail |
- © 2010, Oracle Corporation and/or its affiliates