Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)
Users are assigned rights by default. Rights for all users of a system are assigned in the /etc/security/policy.conf file.
At Oracle Solaris installation, your system is configured with user rights and process rights. With no further configuration, use the following task map to view and use RBAC.
Use the following commands to list all authorizations, rights profiles, and commands with security attributes on the system. To list all defined privileges, see How to List the Privileges on the System.
% getent auth_attr | more
solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
solaris.account.:::Account Management::help=AccountHeader.html
...
solaris.zone.login:::Zone Login::help=ZoneLogin.html
solaris.zone.manage:::Zone Deployment::help=ZoneManage.html

% getent prof_attr | more
All:::Execute any command as the user or role:help=RtAll.html
Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
...
Zone Management:::Zones Virtual Application Environment Administration:help=RtZoneMngmnt.html
Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,solaris.auth.delegate;help=RtZoneSecurity.html
...

% getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
...
Use the following commands to view your RBAC assignments. To view all rights that can be assigned, see How to View All Defined Security Attributes.
% auths
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
These authorizations are assigned to all users by default.
% profiles
Basic Solaris User
All
These rights profiles are assigned to all users by default.
% roles
root
This role is assigned to the initial user by default. No roles indicates that you are not assigned a role.
% ppriv $$
1234: /bin/csh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
Every user is assigned the basic privilege set by default. The limit set is all privileges.
% ppriv -vl basic
file_link_any
        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.
file_read
        Allows a process to read objects in the filesystem.
file_write
        Allows a process to modify objects in the filesystem.
net_access
        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
        Allows a process to call execve().
proc_fork
        Allows a process to call fork1()/forkall()/vfork()
proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to. Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.
proc_session
        Allows a process to send signals or trace processes outside
        its session.

% profiles -l
Basic Solaris User
        /usr/bin/cdda2wav.bin    privs=file_dac_read,sys_devices,
        proc_priocntl,net_privaddr
        /usr/bin/cdrecord.bin    privs=file_dac_read,sys_devices,
        proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin      privs=file_dac_read,sys_devices,net_privaddr
All
        *
A user's rights profiles can include commands that run with particular privileges. The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.
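The exec_attr records listed by getent above, and the privileged commands shown by profiles -l, share one colon-separated format. The following parser, added here as an example and not part of the Oracle documentation, reads such records and reports which rights profiles grant uid 0 or extra privileges; the sample records are constructed from this page's getent exec_attr and profiles -l output.

```python
"""Parse exec_attr(4) records and report which rights-profile commands escalate.
Added example, not Oracle's code. SAMPLE_EXEC_ATTR is constructed from the getent
and profiles -l output on this page; the 7-field layout is name:policy:type:res1:res2:id:attr."""
from typing import Dict, List

SAMPLE_EXEC_ATTR = """\
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Basic Solaris User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
"""

def parse_attr_field(attr: str) -> Dict[str, List[str]]:
    """Split 'privs=a,b;uid=0' into {'privs': ['a', 'b'], 'uid': ['0']}."""
    parsed: Dict[str, List[str]] = {}
    for item in attr.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            parsed[key] = [v.strip() for v in value.split(",") if v.strip()]
    return parsed

def parse_exec_attr(text: str) -> List[dict]:
    """One dict per record; blank and comment lines are skipped, short lines rejected."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"malformed exec_attr record: {line!r}")
        name, _policy, _kind, _res1, _res2, ident, attr = fields
        records.append({"profile": name, "id": ident, "attrs": parse_attr_field(attr)})
    return records

def escalating_commands(records: List[dict]) -> Dict[str, List[str]]:
    """Map profile -> entries that run as uid/euid 0 or with extra privileges; a bare
    '*' id (any command as the user) is reported too since it widens the profile."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        attrs, grants = rec["attrs"], []
        for key in ("uid", "euid"):
            if attrs.get(key) == ["0"]:
                grants.append(f"{key}=0")
        if attrs.get("privs"):
            grants.append("privs=" + ",".join(attrs["privs"]))
        if rec["id"] == "*" and not grants:
            grants.append("any command (no added privilege)")
        if grants:
            report.setdefault(rec["profile"], []).append(f"{rec['id']}: {'; '.join(grants)}")
    return report
```

Feeding it the full `getent exec_attr` output gives a per-profile view of every command that runs with more than the caller's own rights.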
Example 9-1 Listing a User's Authorizations
% auths username
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
Example 9-2 Listing a User or Role's Rights Profiles
The following command lists the rights profiles of a specific user.
% profiles jdoe
jdoe:
      Basic Solaris User
      All
The following command lists the rights profiles of the cryptomgt role.
% profiles cryptomgt
cryptomgt:
      Crypto Management
      Basic Solaris User
      All
The following command lists the rights profiles of the root role:
% profiles root
root:
      All
      Console User
      Network Wifi Info
      Desktop Removable Media User
      Suspend To RAM
      Suspend To Disk
      Brightness
      CPU Power Management
      Network Autoconf User
      Basic Solaris User
Example 9-3 Listing a User's Assigned Roles
The following command lists the assigned roles of a specific user.
% roles jdoe
root
Example 9-4 Listing a User's Privileges on Specific Commands
The following command lists the privileged commands in a regular user's rights profiles.
% profiles -l jdoe
jdoe:
Basic Solaris User
        /usr/bin/cdda2wav.bin    privs=file_dac_read,sys_devices,
        proc_priocntl,net_privaddr
        /usr/bin/cdrecord.bin    privs=file_dac_read,sys_devices,
        proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin      privs=file_dac_read,sys_devices,net_privaddr
All
        *
Before You Begin
The role must already be assigned to you. The naming service must be updated with that information.
% roles
Comma-separated list of role names is displayed

% su - rolename
Password: <Type rolename password>
$
The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes, such as authorizations, privileges, and set ID bits.
$ /usr/bin/whoami
rolename
You can now perform role tasks in this terminal window.
For the procedure, see How to View Your Assigned Rights.
Example 9-5 Assuming the root Role
In the following example, the initial user assumes the root role and lists the privileges in the role's shell.
% roles
root
% su - root
Password: <Type root password>
#                     Prompt changes to root prompt
# ppriv $$
1200: pfksh
flags = <none>
        E: all
        I: basic
        P: all
        L: all
For information about privileges, see Privileges (Overview).
Administrative rights are in effect when you are running a profile shell. By default, a role account is assigned a profile shell. Roles are special accounts that are assigned specific administrative rights, typically for a related set of administrative activities, such as reviewing audit files.
In the root role, the initial user has all administrative rights, that is, the initial user is superuser. The root role can create other roles.
Before You Begin
To administer the system, you must have rights that regular users are not assigned. If you are not superuser, you must be assigned a role, an administrative rights profile, or specific privileges or authorizations.
Open a terminal window.
% su -
Password: Type the root password
#
Note - This method works whether root is a user or a role. The pound sign (#) prompt indicates that you are now superuser.
In the following example, you assume a network management role. This role includes the Network Management rights profile.
% su - networkadmin
Password: Type the networkadmin password
$
You are now in a profile shell. In this shell, you can run snoop, route, dladm, and other commands. For more about profile shells, see Profile Shells and RBAC.
Tip - Use the steps in How to View Your Assigned Rights to view the capabilities of your role.
For example, the following set of commands enables you to examine network packets in the pfbash shell:
% pfbash
$ snoop
If you are not assigned the net_observability privilege, the snoop command fails with an error message similar to the following: snoop: cannot open "net0": Permission denied. If you are assigned the privilege directly, or through a rights profile or a role, this command will succeed. Also, you can run additional privileged commands in this shell.
Run the pfexec command with the name of a privileged command from your rights profile. For example, the following command enables you to examine network packets:
% pfexec snoop
The same privilege limitations apply to pfexec as to pfbash. However, to run another privileged command, you must type pfexec again before you type the privileged command.
Example 9-6 Caching Authentication for Ease of Role Use
# roleadd -K roleauth=user -P "Network Management" netmgt
# usermod -R +netmgt jdoe
When jdoe uses the -c option when switching to the role, a password is required before the snoop output is displayed:
% su - netmgt -c snoop options
Password:
snoop output
If authentication is not being cached, and jdoe runs the command again immediately, a password prompt appears.
The administrator configures the pam.conf file to cache authentication, so that a password is initially required, but not thereafter until a certain amount of time has passed. The administrator places all pam.conf customized stacks at the end of the file.
# vi /etc/pam.conf
...
#
## Cache authentication for switched user
#
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1
After creating the entries, the administrator checks the entries for typos, omissions, or repetitions.
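One way to automate that check, added here as an example rather than Oracle's own tooling: a small lint that parses the pam.conf su auth stack and flags unknown control flags, repeated or missing modules, a wrong flag on pam_tty_tickets, or a ticket module placed after the password check, where it could never short-circuit the prompt. The sample stack is constructed from the entries shown above.

```python
"""Lint the 'su' auth stack of a pam.conf file for typos, omissions and repetitions.
Added example, not Oracle's code; the sample and EXPECTED_SU_AUTH come from this page,
and the 4-column layout (service type control module [options]) is the pam.conf format."""
from typing import List, Tuple

SAMPLE_PAM_CONF = """\
## Cache authentication for switched user (sample constructed from the page)
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1
"""
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional", "binding", "include"}
EXPECTED_SU_AUTH = [("required", "pam_unix_cred.so.1"), ("sufficient", "pam_tty_tickets.so.1"),
                    ("requisite", "pam_authtok_get.so.1"), ("required", "pam_dhkeys.so.1"),
                    ("required", "pam_unix_auth.so.1")]

def parse_stack(text: str, service: str, mtype: str) -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one service/type; reject malformed lines."""
    stack = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module'")
        svc, typ, control, module = fields[:4]
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        if (svc, typ) == (service, mtype):
            stack.append((control, module))
    return stack

def lint_su_auth(text: str) -> List[str]:
    """Report repeated or missing modules, wrong control flags, and a ticket
    module placed after the password check (where it could never short-circuit)."""
    stack = parse_stack(text, "su", "auth")
    mods = [m for _, m in stack]
    problems = [f"repeated module {m}" for m in set(mods) if mods.count(m) > 1]
    for control, module in EXPECTED_SU_AUTH:
        if module not in mods:
            problems.append(f"missing module {module}")
        elif (control, module) not in stack:
            problems.append(f"{module} should be {control}")
    if {"pam_tty_tickets.so.1", "pam_unix_auth.so.1"} <= set(mods) and \
            mods.index("pam_tty_tickets.so.1") > mods.index("pam_unix_auth.so.1"):
        problems.append("pam_tty_tickets.so.1 must precede pam_unix_auth.so.1")
    return problems
```

An empty list from lint_su_auth means the stack matches the page's entries; run it against the real /etc/pam.conf contents before relying on cached authentication.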
After the su PAM stack is added to the pam.conf file, the netmgt role is prompted only once for a password when running a series of commands.
% su - netmgt -c snoop options
Password:
snoop output
% su - netmgt -c snoop options
snoop output
...