JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

Order of Search for Assigned Security Attributes

Contents of Rights Profiles

System Administrator Rights Profile

Operator Rights Profile

Printer Management Rights Profile

Basic Solaris User Rights Profile

Console User Rights Profile

All Rights Profile

Stop Rights Profile

Order of Rights Profiles

Viewing the Contents of Rights Profiles

Authorization Naming and Delegation

Authorization Naming Conventions

Example of Authorization Granularity

Delegation Authority in Authorizations

Databases That Support RBAC

RBAC Database Relationships

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Commands That Require Authorizations

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Oracle Solaris Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)



Contents of Rights Profiles

This section describes some typical rights profiles. Rights profiles can include authorizations, commands with security attributes, and supplementary rights profiles. The rights profiles are listed from most to least powerful. For suggestions on how to distribute rights profiles to roles at your site, see How to Plan Your RBAC Implementation.

Each rights profile has an associated help file. The help files are in HTML and are customizable. The files reside in the /usr/lib/help/profiles/locale/C directory.

System Administrator Rights Profile

The System Administrator rights profile is intended for the System Administrator role. This profile is a set of discrete, supplementary administrative rights profiles that do not deal with security. The commands with security attributes from one of the supplementary rights profiles are shown.

Note that the All rights profile is assigned at the end of the list of supplementary rights profiles.

Table 10-1 Contents of System Administrator Rights Profile

To perform most nonsecurity administrative tasks
Supplementary rights profiles: Audit Review, Printer Management, Cron Management, Device Management, File System Management, Mail Management, Maintenance and Repair, Media Backup, Media Restore, Name Service Management, Network Management, Object Access Management, Process Management, Software Installation, Project Management, User Management, All

Help File: RtSysAdmin.html

Commands from one of the supplementary profiles
Object Access Management rights profile: /usr/bin/chgrp:privs=file_chown, /usr/bin/chmod:privs=file_chown, /usr/bin/chown:privs=file_chown, /usr/bin/setfacl:privs=file_chown

/usr/bin/chgrp:euid=0, /usr/bin/chmod:euid=0, /usr/bin/chown:euid=0, /usr/bin/getfacl:euid=0, /usr/bin/setfacl:euid=0

Operator Rights Profile

The Operator rights profile is a less powerful profile that provides the ability to do backups and printer maintenance. The ability to restore files has more security consequences. Therefore, in this profile, the default is to not include the ability to restore files.

Table 10-2 Contents of Operator Rights Profile

To perform simple administrative tasks
Supplementary rights profiles: Printer Management, Media Backup, All

Help File: RtOperator.html

Printer Management Rights Profile

Printer Management is a typical rights profile that is intended for a specific task area. This profile includes authorizations and commands. The following table shows a partial list of commands.

Table 10-3 Contents of Printer Management Rights Profile

To manage printers, daemons, and spooling
Authorizations: solaris.print.*, solaris.label.print, solaris.smf.manage.discovery.printers.*, solaris.smf.value.discovery.printers.*

Commands: /usr/lib/lp/local/lpadmin:uid=lp;gid =lp, /usr/sbin/lpfilter:euid=lp;uid=lp, /usr/sbin/lpforms:euid=lp, /usr/sbin/lpusers:euid=lp, /usr/sbin/ppdmgr:euid=0

Help File: RtPrntMngmnt.html

Basic Solaris User Rights Profile

By default, the Basic Solaris User rights profile is assigned automatically to all users through the policy.conf file. This profile provides basic authorizations that are useful in normal operations. Note that the convenience that is offered by the Basic Solaris User rights profile must be balanced against site security requirements. Sites that need stricter security might prefer to remove this profile from the policy.conf file.

Table 10-4 Contents of Basic Solaris User Rights Profile

To automatically assign rights to all users
Authorizations: solaris.mail.mailq, solaris.device.mount.removable,

Commands: /usr/bin/cdda2wav.bin:privs=file_dac_read,sys_devices, proc_priocntl,net_privaddr, /usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices, proc_lock_memory,proc_priocntl,net_privaddr, /usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr

Supplementary rights profiles: All

Help File: RtDefault.html

Console User Rights Profile

The Console User rights profile is intended for the console user, that is, the person who is seated in front of the system. This profile is delivered with a convenient set of authorizations for the console user. You can modify the Console User rights profile to satisfy your site security requirements. To modify a rights profile, see How to Create or Change a Rights Profile.

Table 10-5 Contents of Console User Rights Profile

To manage system as the console user
Authorizations: solaris.system.shutdown

Supplementary rights profiles: Network Wifi Info,Desktop Removable Media User,Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,Network Autoconf User

Help File: RtConsUser.html

All Rights Profile

The All rights profile uses the wildcard to include all commands. This profile provides a role with access to all commands that are not explicitly assigned in other rights profiles. Without the All rights profile or other rights profiles that use wildcards, a role has access to explicitly assigned commands only. Such a limited a set of commands is not very practical. No authorizations are included in this profile.

If used, the All rights profile, imust be the final rights profile that is assigned. This last position ensures that explicit security attribute assignments in other rights profiles are applied.

Table 10-6 Contents of All Rights Profile

To execute any command as the user or role
Commands: *

Help File: RtAll.html

Stop Rights Profile

The Stop rights profile stops the processing of authorizations and rights profiles. Only authorizations and rights profiles that precede the Stop profile are evaluated. Therefore, no information from the the policy.conf file is processed. The Stop profile enables you to provide role users with a restricted profile shell.

Note - The Stop profile affects privilege assignment indirectly. Rights profiles that are listed after the Stop profile are not evaluated. Therefore, the commands with privileges in those profiles are not in effect. To use this profile, see How to Restrict an Administrator to Explicitly Assigned Rights.

The help file for this profile is RtReservedProfile.html.

Order of Rights Profiles

The commands in rights profiles are interpreted in order. The first occurrence of a command is the only version of the command that is used for that role or user. Different rights profiles can include the same command. Therefore, the order of rights profiles in a list of profiles is important. The rights profile with the most capabilities must be listed first.

Rights profiles are listed in the prof_attr file. In the prof_attr file, the rights profile with the most capabilities must be the first in a list of supplementary profiles. This placement ensures that a command with security attributes is listed before that same command without security attributes.

Viewing the Contents of Rights Profiles

The contents of a rights profile is divided between two files. The prof_attr file contains the name of every rights profile that is defined on the system. The file also includes the authorizations, the privileges, and the supplementary rights profiles for each profile. The exec_attr file contains the names of rights profiles and their commands with security attributes.