|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library|
Users are assigned rights by default. Rights for all users of a system are assigned in the /etc/security/policy.conf file.
At Oracle Solaris installation, your system is configured with user rights and process rights. With no further configuration, use the following task map to view and use RBAC.
Use the following commands to list all authorizations, rights profiles, and commands with security attributes on the system. To list all defined privileges, see How to List the Privileges on the System.
% auths info solaris.account.activate solaris.account.setpolicy solaris.admin.edit ... solaris.zone.login solaris.zone.manage
% getent auth_attr | more solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html solaris.account.:::Account Management::help=AccountHeader.html ... solaris.zone.login:::Zone Login::help=ZoneLogin.html solaris.zone.manage:::Zone Deployment::help=ZoneManage.html
% profiles -a Console User CUPS Administration Desktop Removable Media User ... VSCAN Management WUSB Management
% getent prof_attr | more All:::Execute any command as the user or role:help=RtAll.html Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit; help=RtAuditCfg.html ... Zone Management:::Zones Virtual Application Environment Administration: help=RtZoneMngmnt.html Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*, solaris.auth.delegate;help=RtZoneSecurity.html ...
% getent exec_attr | more All:solaris:cmd:::*: Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit ... Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0 Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0 ...
Use the following commands to view your RBAC assignments. To view all rights that can be assigned, see How to View All Defined Security Attributes.
% profiles Basic Solaris User All
The preceding rights profiles are assigned to all users by default. If you are the initial user, you have a longer list.
% profiles Initial user System Administrator Audit Review ... CPU Power Management Basic Solaris User All
% auths solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq solaris.network.autoconf.read,solaris.admin.wusb.read solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd
These authorizations are included in the rights profiles that are assigned to all users by default.
% roles root
This role is assigned to the initial user by default. No roles indicates that you are not assigned a role.
% ppriv $$ 1234: /bin/csh flags = <none> E: basic I: basic P: basic L: all
Every user is assigned the basic privilege set by default. The default limit set is all privileges.
% ppriv -vl basic file_link_any Allows a process to create hardlinks to files owned by a uid different from the process' effective uid. file_read Allows a process to read objects in the filesystem. file_write Allows a process to modify objects in the filesystem. net_access Allows a process to open a TCP, UDP, SDP or SCTP network endpoint. proc_exec Allows a process to call execve(). proc_fork Allows a process to call fork1()/forkall()/vfork() proc_info Allows a process to examine the status of processes other than those it can send signals to. Processes which cannot be examined cannot be seen in /proc and appear not to exist. proc_session Allows a process to send signals or trace processes outside its session.
% profiles -l Basic Solaris User ... /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices, proc_lock_memory,proc_priocntl,net_privaddr /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices, proc_priocntl,net_privaddr All *
A user's rights profiles can include commands that run with particular privileges. The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.
Example 9-1 Listing a User's Authorizations
% auths username solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
Example 9-2 Listing a User or Role's Rights Profiles
The following command lists the rights profiles of a specific user.
% profiles jdoe jdoe: Basic Solaris User All
The following command lists the rights profiles of a the cryptomgt role.
% profiles cryptomgt cryptomgt: Crypto Management Basic Solaris User All
The following command lists the rights profiles of the root role:
% profiles root root: All Console User Network Wifi Info Desktop Removable Media User Suspend To RAM Suspend To Disk Brightness CPU Power Management Network Autoconf User Basic Solaris User
Example 9-3 Listing a User's Assigned Roles
The following command lists the assigned roles of a specific user.
% roles jdoe root
Example 9-4 Listing a User's Privileges on Specific Commands
The following command lists the privileged commands in a regular user's rights profiles.
% profiles -l jdoe jdoe: Basic Solaris User ... /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices, proc_priocntl,net_privaddr /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices, proc_lock_memory,proc_priocntl,net_privaddr /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr ...
Before You Begin
The role must already be assigned to you. By default, only the root role exists.
% roles Comma-separated list of role names is displayed
% su - rolename Password: <Type rolename password> $
The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes, such as authorizations, privileges, and set ID bits.
$ /usr/bin/whoami rolename
You can now perform role tasks in this terminal window.
For sample output, see How to View Your Assigned Rights.
$ profiles -l verbose rights profiles output $ auths authorizations output
Example 9-5 Assuming the root Role
In the following example, the initial user assumes the root role and lists the privileges in the role's shell.
% roles root % su - root Password: <Type root password> # Prompt changes to root prompt # ppriv $$ 1200: pfksh flags = <none> E: all I: basic P: all L: all
For information about privileges, see Privileges (Overview).
User properties include login shell, rights profiles, and roles. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
Before You Begin
In the default configuration, you must assume the root role to modify a user's security attributes.
After configuring RBAC for your site, you have other options. To change most security attributes of a user, including the password, you must become an administrator who is assigned the User Security rights profile. To assign audit flags or change a role's password, you must assume the root role. To change other user attributes, you must become an administrator who is assigned the User Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.
This command modifies the attributes of a user that is defined in the local naming service or the LDAP naming service. The RBAC arguments to this command are similar to the arguments to the useradd and rolemod commands, as described on the user_attr(4) man page, and shown in Step 1 in How to Change the Security Attributes of a User.
The RBAC arguments to the command are the following:
# usermod [-e expire] [-f inactive] [-s shell] [-m] [-A authorization-list] \ [-P profile] [-R role] [-K key=value] [-S repository] login
Is the date that a user login expires. Use this option to create temporary users.
Is the maximum number of days that is allowed between user logins. When the inactive value is exceeded, the user cannot log in. The default value is 0, no expiration date.
Creates a home directory for rolename at the default location.
Is the login shell for rolename. This shell must be a profile shell, such as pfbash. For a list of profile shells, see the pfexec(1) man page.
Tip - You can also list the profile shells from the /usr/bin directory on your system, as in ls /usr/bin/pf*sh.
Is one or more authorizations separated by commas. For the list of available authorizations, see How to View All Defined Security Attributes.
Is one or more rights profiles separated by commas. For the list of rights profiles, see How to View All Defined Security Attributes.
Is one or more roles separated by commas. To create roles, see How to Create a Role.
Is a key=value pair. This option can be repeated. The following keys are available: audit_flags, auths, profiles, project, defaultpriv, limitpriv, lock_after_retries, pam_policy, and roleauth. For information about the keys, their values, and the authorizations that are required to set the values, see the user_attr(4) man page.
Is one of files or ldap. The default is local files.
Is the user name.
To assign authorizations to a user, see Example 9-7.
To assign a rights profile to a user, see Example 9-6.
To assign an existing role to a user, see How to Assign a Role. In the default configuration, you can assign the root role to an existing user.
Example 9-6 Creating a User Who Can Manage DHCP
In this example, the security administrator creates a user in LDAP. At login, the jdoe-dhcp user is able to manage DHCP.
# useradd -P "DHCP Management" -s /usr/bin/pfbash -S ldap jdoe-dhcp
Because the user is assigned pfbash as the login shell, the security attributes in the DHCP Management rights profile are available to the user in the user's default shell.
Example 9-7 Assigning Authorizations Directly to a User
In this example, the security administrator creates a local user who can control screen brightness.
# useradd -c "Screened JDoe, local" -s /usr/bin/pfbash \ -A solaris.system.power.brightness jdoe-scr
This authorization is added to the user's existing authorization assignments.
Example 9-8 Removing Privileges From a User's Limit Set
In the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. That is, the user cannot make hard links to directories, nor can the user unlink directories, even after the user runs the su command.
$ usermod -K 'limitpriv=all,!sys_linkdir' jdoe $ userattr limitpriv jdoe all,!sys_linkdir
Example 9-9 Assigning Privileges Directly to a User
In this example, the security administrator trusts the user jdoe with a very specific privilege that affects system time.
$ usermod -K defaultpriv='basic,proc_clock_highres' jdoe
The values for the defaultpriv keyword replace the existing values. Therefore, for the user to retain the basic privileges, the value basic is specified. In the default configuration, all users have basic privileges. For the list of basic privileges, see Step 4.
In the root role, the initial user has all administrative rights.
Before You Begin
You have been assigned rights that regular users are not assigned. If you are not root, you must be assigned a role, an administrative rights profile, or specific privileges or authorizations.
Open a terminal window.
% su - Password: Type the root password #
Note - This method works whether root is a user or a role. The pound sign (#) prompt indicates that you are now root.
In the following example, you assume an audit configuration role. This role includes the Audit Configuration rights profile.
% su - audadmin Password: Type the audadmin password $
The shell in which you typed this command is now in a profile shell. In this shell, you can run the auditconfig command. For more about profile shells, see Profile Shells and RBAC.
Tip - Use the steps in How to View Your Assigned Rights to view the capabilities of your role.
For example, the following set of commands enables you to view audit preselection values and audit policy in the pfbash shell:
% pfbash $ auditconfig -getflags active user default audit flags = ua,ap,lo(0x45000,0x45000) configured user default audit flags = ua,ap,lo(0x45000,0x45000) $ auditconfig -getpolicy configured audit policies = cnt active audit policies = cnt
Run the pfexec command with the name of a privileged command from your rights profile. For example, the following command enables you to view the user's preselected audit flags:
% pfexec auditconfig -getflags active user default audit flags = ua,ap,lo(0x45000,0x45000) configured user default audit flags = ua,ap,lo(0x45000,0x45000)
The same privilege limitations apply to pfexec as to pfbash. However, to run another privileged command, you must type pfexec again before you type the privileged command.
% pfexec auditconfig -getpolicy configured audit policies = cnt active audit policies = cnt
Run the sudo command with the name of an administrative command that you are assigned in the sudoers file. For more information, see the sudo(1M) and sudoers(4) man pages.
If you are not root with the UID of 0, by default you cannot edit system files. However, if you are assigned the solaris.admin.edit/path-to-system-file authorization, you can edit system-file. For example, if you are assigned the solaris.admin.edit/etc/security/audit_warn authorization, you can edit the audit_warn file.
$ pfedit /etc/security/audit_warn
The command uses the value of $EDITOR to determine the text editor. For more information, see the pfedit(1M) man page. The pfedit command is usefully run by the root role, if auditing is configured to audit AUE_PFEXEC events.
Example 9-10 Caching Authentication for Ease of Role Use
In this example, the administrator configures a role to manage audit configuration, but provides ease of use by caching the user's authentication. First, the administrator creates and assigns the role.
# roleadd -K roleauth=user -P "Audit Configuration" audadmin # usermod -R +audadmin jdoe
When jdoe uses the -c option when switching to the role, a password is required before the auditconfig output is displayed:
% su - audadmin -c auditconfig option Password: auditconfig output
If authentication is not being cached, and jdoe runs the command again immediately, a password prompt appears.
The administrator creates a file in the pam.d directory to hold an su stack that enables the caching of authentication, so that a password is initially required, but not thereafter until a certain amount of time has passed.
# pfedit /etc/pam.d/su ## Cache authentication for switched user # auth required pam_unix_cred.so.1 auth sufficient pam_tty_tickets.so.1 auth requisite pam_authtok_get.so.1 auth required pam_dhkeys.so.1 auth required pam_unix_auth.so.1
After creating the file, the administrator checks the entries for typos, omissions, or repetitions.
The administrator must provide the entire preceding su stack. The pam_tty_tickets.so.1 module implements the cache. For more about PAM, see the pam.conf(4) man page and Chapter 14, Using Pluggable Authentication Modules.
After the administrator adds the su PAM file and reboots the system, all roles including the audadmin role are prompted only once for a password when running a series of commands.
% su - audadmin -c auditconfig option Password: auditconfig output % su - audadmin -c auditconfig option auditconfig output ...