Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)

Viewing and Using RBAC Defaults (Tasks)

Users are assigned rights by default. Rights for all users of a system are assigned in the /etc/security/policy.conf file.

Viewing and Using RBAC Defaults (Task Map)

At Oracle Solaris installation, your system is configured with user rights and process rights. With no further configuration, use the following task map to view and use RBAC.

Task: View the contents of the security attributes databases.
Description: List all the authorizations, rights profiles, and commands with security attributes on the system.
For Instructions: How to View All Defined Security Attributes

Task: View your rights.
Description: Involves listing your rights profiles, authorizations, privileges, and assigned roles.
For Instructions: How to View Your Assigned Rights

Task: Assume the root role.
Description: The initial user gains administrative rights.
For Instructions: How to Assume a Role

Task: Become an administrator.
Description: Several methods are available to users who are assigned administrative rights to use those rights.
For Instructions: How to Obtain Administrative Rights

How to View All Defined Security Attributes

Use the following commands to list all authorizations, rights profiles, and commands with security attributes on the system. To list all defined privileges, see How to List the Privileges on the System.

  1. List all authorizations.
    % getent auth_attr | more
    solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
    solaris.account.:::Account Management::help=AccountHeader.html
    ...
    solaris.zone.login:::Zone Login::help=ZoneLogin.html
    solaris.zone.manage:::Zone Deployment::help=ZoneManage.html
  2. List all rights profiles.
    % getent prof_attr | more
    All:::Execute any command as the user or role:help=RtAll.html
    Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
    ...
    Zone Management:::Zones Virtual Application Environment Administration:help=RtZoneMngmnt.html
    Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,solaris.auth.delegate;help=RtZoneSecurity.html
    ...
  3. List all commands with security attributes.
    % getent exec_attr | more
    All:solaris:cmd:::*:
    Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
    ...
    Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
    Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
    ...

How to View Your Assigned Rights

Use the following commands to view your RBAC assignments. To view all rights that can be assigned, see How to View All Defined Security Attributes.

  1. List your authorizations.
    % auths
    solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq

    These authorizations are assigned to all users by default.

  2. List your rights profiles.
    % profiles
    Basic Solaris User
    All

    These rights profiles are assigned to all users by default.

  3. List your assigned roles.
    % roles
    root

    This role is assigned to the initial user by default. If no roles are listed, you are not assigned a role.

  4. List the privileges in your default shell.
    % ppriv $$
    1234:    /bin/csh
    flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

    Every user is assigned the basic privilege set by default. The limit set is all privileges.

    % ppriv -vl basic
    file_link_any
            Allows a process to create hardlinks to files owned by a uid
            different from the process' effective uid.
    file_read
            Allows a process to read objects in the filesystem.
    file_write
            Allows a process to modify objects in the filesystem.
    net_access
            Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
    proc_exec
            Allows a process to call execve().
    proc_fork
            Allows a process to call fork1()/forkall()/vfork()
    proc_info
            Allows a process to examine the status of processes other
            than those it can send signals to.  Processes which cannot
            be examined cannot be seen in /proc and appear not to exist.
    proc_session
            Allows a process to send signals or trace processes outside its session.
  5. List the privileges on commands in your rights profiles.
    % profiles -l
      Basic Solaris User
       /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
         proc_priocntl,net_privaddr
       /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
         proc_lock_memory,proc_priocntl,net_privaddr
       /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
      All
       * 

    A user's rights profiles can include commands that run with particular privileges. The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.

Example 9-1 Listing a User's Authorizations

% auths username
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq

Example 9-2 Listing a User or Role's Rights Profiles

The following command lists the rights profiles of a specific user.

% profiles jdoe
jdoe: 
          Basic Solaris User
          All

The following command lists the rights profiles of the cryptomgt role.

% profiles cryptomgt
cryptomgt:
          Crypto Management
          Basic Solaris User
          All

The following command lists the rights profiles of the root role:

% profiles root
root:
          All
          Console User
          Network Wifi Info
          Desktop Removable Media User
          Suspend To RAM
          Suspend To Disk
          Brightness
          CPU Power Management
          Network Autoconf User
          Basic Solaris User

Example 9-3 Listing a User's Assigned Roles

The following command lists the assigned roles of a specific user.

% roles jdoe
root

Example 9-4 Listing a User's Privileges on Specific Commands

The following command lists the privileged commands in a regular user's rights profiles.

% profiles -l jdoe
jdoe: 
  Basic Solaris User
   /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
     proc_priocntl,net_privaddr
   /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
     proc_lock_memory,proc_priocntl,net_privaddr
   /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
  All
   * 
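The getent exec_attr and profiles -l output above shows, but does not explain, the colon-separated exec_attr format. The following added example (not from the Oracle guide) parses a constructed sample of that output with awk and answers the two questions an auditor usually asks of a rights profile: which commands run as uid=0, and which commands are granted a particular privilege. The sample entries and the function names are this example's own.

```shell
# Added example, not from the Oracle guide: parse exec_attr(4) entries in the
# colon-separated form printed by "getent exec_attr" and report which commands of a
# rights profile run as uid=0 or with a given privilege.
# Field layout: name:policy:type:res1:res2:id:attr, where name is the rights
# profile, type is "cmd", id is the command path and attr is key=value pairs
# separated by ";" (privs= values are comma-separated).

# Constructed sample, assembled from the getent exec_attr and profiles -l output above.
EXEC_ATTR_SAMPLE='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Basic Solaris User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0'

# Print "command attributes" for each cmd entry of the profile named in $1
# ("-" when the entry carries no attributes, as for the All profile's "*").
exec_attr_for_profile() {
    printf '%s\n' "$EXEC_ATTR_SAMPLE" |
        awk -F: -v prof="$1" '$1 == prof && $3 == "cmd" { print $6, ($7 == "" ? "-" : $7) }'
}

# Print commands in profile $1 whose attributes set uid=0 or euid=0.
uid0_cmds_for_profile() {
    exec_attr_for_profile "$1" | awk '{
        n = split($2, kv, ";")
        for (i = 1; i <= n; i++) if (kv[i] == "uid=0" || kv[i] == "euid=0") { print $1; break }
    }'
}

# Print commands in profile $1 whose privs= attribute grants privilege $2.
cmds_with_priv() {
    exec_attr_for_profile "$1" | awk -v want="$2" '{
        n = split($2, kv, ";")
        for (i = 1; i <= n; i++) {
            if (sub(/^privs=/, "", kv[i])) {
                m = split(kv[i], pr, ",")
                for (j = 1; j <= m; j++) if (pr[j] == want) { print $1; break }
            }
        }
    }'
}

echo "uid=0 commands in Zone Security:"; uid0_cmds_for_profile 'Zone Security'
echo "Basic Solaris User commands granted proc_lock_memory:"; cmds_with_priv 'Basic Solaris User' proc_lock_memory
```

On a live system, replace the embedded sample with the real `getent exec_attr` output to review what the profiles listed by `profiles username` actually grant.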

How to Assume a Role

Before You Begin

The role must already be assigned to you. The naming service must be updated with that information.

  1. In a terminal window, determine which roles you can assume.
    % roles
    Comma-separated list of role names is displayed
  2. Use the su command to assume a role.
    % su - rolename
    Password: <Type rolename password>
    $

    The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes, such as authorizations, privileges, and set ID bits.

  3. (Optional) Verify that you are now in a role.
    $ /usr/bin/whoami
    rolename

    You can now perform role tasks in this terminal window.

  4. (Optional) View the capabilities of your role.

    For the procedure, see How to View Your Assigned Rights.

Example 9-5 Assuming the root Role

In the following example, the initial user assumes the root role and lists the privileges in the role's shell.

% roles
root
% su - root
Password: <Type root password>
# Prompt changes to root prompt
# ppriv $$
1200:   pfksh
flags = <none>
        E: all
        I: basic
        P: all
        L: all

For information about privileges, see Privileges (Overview).

How to Obtain Administrative Rights

Administrative rights are in effect when you are running a profile shell. By default, a role account is assigned a profile shell. Roles are special accounts that are assigned specific administrative rights, typically to a related set of administrative activities, such as reviewing audit files.

In the root role, the initial user has all administrative rights, that is, the initial user is superuser. The root role can create other roles.

Before You Begin

To administer the system, you must have rights that regular users are not assigned. If you are not superuser, you must be assigned a role, an administrative rights profile, or specific privileges or authorizations.

Example 9-6 Caching Authentication for Ease of Role Use

In this example, the administrator configures a role to manage the network, but provides ease of use by caching the user's authentication. First, the administrator creates and assigns the role.

# roleadd -K roleauth=user -P "Network Management" netmgt
# usermod -R +netmgt jdoe

When jdoe switches to the role with the -c option, a password is required before the snoop output is displayed:

% su - netmgt -c snoop options
Password:

snoop output

If authentication is not being cached, and jdoe runs the command again immediately, a password prompt appears.

The administrator configures the pam.conf file to cache authentication, so that a password is initially required, but not thereafter until a certain amount of time has passed. The administrator places all pam.conf customized stacks at the end of the file.

# vi /etc/pam.conf
...
#
## Cache authentication for switched user
#
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1

After creating the entries, the administrator checks the entries for typos, omissions, or repetitions.

The entire su stack is required. The pam_tty_tickets.so.1 module provides the cache. For more about PAM, see the pam.conf(4) man page and Chapter 15, Using PAM.

After the su PAM stack is added to the pam.conf file, the netmgt role is prompted only once for a password when running a series of commands.

% su - netmgt -c snoop options
Password:

snoop output
% su - netmgt -c snoop options
snoop output
...
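The example says the administrator checks the new su stack for typos, omissions, and repetitions and that the entire stack is required. The following added example (not from the Oracle guide) performs that check against two constructed pam.conf excerpts: one reproducing the stack above, and one with pam_tty_tickets.so.1 omitted and pam_dhkeys.so.1 repeated. The excerpts and the function names are this example's own.

```shell
# Added example, not from the Oracle guide: verify that the "su auth" stack in a
# pam.conf text is exactly the five-line cache stack from the example, in order,
# and name any omitted or repeated modules. Comment lines and other services are skipped.

# Expected stack, one "control-flag module" pair per line, as in Example 9-6.
EXPECTED_SU_AUTH='required pam_unix_cred.so.1
sufficient pam_tty_tickets.so.1
requisite pam_authtok_get.so.1
required pam_dhkeys.so.1
required pam_unix_auth.so.1'

# Constructed pam.conf excerpt reproducing the example's entries.
PAM_GOOD='## Cache authentication for switched user
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1'

# Constructed defective excerpt: pam_tty_tickets.so.1 omitted, pam_dhkeys.so.1 repeated.
PAM_BAD='su      auth required           pam_unix_cred.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1'

# Print "control-flag module" for every "su auth" line of the pam.conf text on stdin.
su_auth_stack() { awk '$1 == "su" && $2 == "auth" { print $3, $4 }'; }

# Succeed only if the su auth stack in $1 equals EXPECTED_SU_AUTH line for line.
check_su_auth_stack() { [ "$(printf '%s\n' "$1" | su_auth_stack)" = "$EXPECTED_SU_AUTH" ]; }

# Print expected modules that never appear in the su auth stack of $1 (omissions).
missing_su_modules() {
    have=$(printf '%s\n' "$1" | su_auth_stack | awk '{ print $2 }' | tr '\n' ' ')
    printf '%s\n' "$EXPECTED_SU_AUTH" | awk -v have="$have" \
        'BEGIN { n = split(have, h); for (i = 1; i <= n; i++) seen[h[i]] = 1 } !($2 in seen) { print $2 }'
}

# Print modules listed more than once in the su auth stack of $1 (repetitions).
repeated_su_modules() {
    printf '%s\n' "$1" | su_auth_stack | awk '{ c[$2]++ } END { for (m in c) if (c[m] > 1) print m }'
}

check_su_auth_stack "$PAM_GOOD" && echo "PAM_GOOD: su auth stack OK"
check_su_auth_stack "$PAM_BAD" || echo "PAM_BAD: missing=$(missing_su_modules "$PAM_BAD") repeated=$(repeated_su_modules "$PAM_BAD")"
```

To check a real file, feed it to the functions with `check_su_auth_stack "$(cat /etc/pam.conf)"`; a missing pam_tty_tickets.so.1 line means no caching, and a wrong control flag means the stack is not the one the example describes.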