How to Determine the Privileged Commands That
a Role Can Run
A role gets access to privileged commands through a rights profile that contains commands with assigned privileges. The most secure way to provide a user with access to privileged commands is to assign a role to them. After assuming the role, the user can execute all the privileged commands that are included in the rights profiles for that role.
Before You Begin
The user or role who authenticates to the Solaris Management Console
must have the solaris.admin.usermgr.read authorization.
The Basic Solaris User rights profile includes this authorization.
-
Determine the roles that you can assume.
$ /usr/sadm/bin/smuser list -- -n username -l Authenticating as user: primadmin … User name: username User ID (UID): 110 Primary group: staff Secondary groups: Comment: Has admin roles Login Shell: /bin/sh … Rights: Assigned Roles: primadmin, admin
-
Locate the line that begins with “Assigned Roles:”.
The “Assigned Roles” line lists the roles that you can assume.
-
Determine the rights profiles that are included in one of your roles.
$ /usr/sadm/bin/smuser list -- -n admin -l Authenticating as user: primadmin … User name: admin User ID (UID): 101 Primary group: sysadmin Secondary groups: Comment: system administrator Login Shell: /bin/pfksh … Rights: System Administrator Assigned Roles:
-
Locate the names of the rights profiles for the role in the “Rights:” line.
-
Find the rights profiles in the prof_attr database.
Because the System Administrator profile is a collection of profiles, you need to list the profiles in the System Administrator profile.
$ cd /etc/security $ grep "System Administrator" prof_attr System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management, Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
-
For each rights profile, find the rights profiles in the exec_attr database.
For example, the Network Management profile is a supplementary profile of the System Administrator profile. The Network Management profile includes a number of privileged commands.
$ cd /etc/security $ grep "Network Management" exec_attr Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config …
The commands and their assigned privileges are the final two fields of solaris policy entries. You can run these commands in the profile shell of your role.
Example 11–12 Running the Privileged Commands in Your Role
When a user assumes a role, the shell becomes a profile shell. Therefore, the commands are executed with the privileges that were assigned to the commands. In the following example, the admin role can change the permissions on the useful.script file.
% whoami jdoe % ls -l useful.script -rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script chgrp admin useful.script chgrp: useful.script: Not owner % su - admin Password: <Type admin password> $ /usr/ucb/whoami admin $ chgrp admin useful.script $ chown admin useful.script $ ls -l useful.script -rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script |
- © 2010, Oracle Corporation and/or its affiliates