How to Create Users Who Can Assume Roles in Trusted Extensions

Language:

Where site security policy permits, you can choose to create a user who can assume more than one administrative role.

For secure user creation, the System Administrator role creates the user and assigns the initial password, and the Security Administrator role assigns security-relevant attributes, such as a role.

Before You Begin

You must be in the root role in the global zone. Or, if separation of duty is enforced, users who can assume the distinct roles of Security Administrator and System Administrator must be present to assume their roles and perform the appropriate steps in this procedure.

Create a user.
Either the root role or the System Administrator role performs this step.
Do not place proprietary information in the comment.
```
# useradd -c "Second User" -u 1201 -d /home/jdoe jdoe
```
After creating the user, modify the user's security attributes.
Either the root role or the Security Administrator role performs this step.

Note - For users who can assume roles, turn off account locking, and do not set password expiration dates. Also, audit uses of the pfexec command. Only the root role can set audit flags on a per user basis.
```
# usermod -K lock_after_retries=no -K idletime=5 -K idlecmd=lock \
-K audit_flags=lo,ex:no jdoe
```
Note - The values for idletime and idlecmd continue in effect when the user assumes a role. For more information, see policy.conf File Defaults in Trusted Extensions.
Assign a password of at least eight alphanumeric characters.
```
# passwd jdoe
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
```
Note - When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Assign a role to the user.
The root role or the Security Administrator role performs this step.
```
# usermod -R oper jdoe
```
Customize the user's environment.
1. Assign convenient authorizations.
  After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, users can print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations.
2. Customize user initialization files.
  See Customizing the User Environment for Security.
3. Create multilevel copy and link files.
  On a multilevel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files.

Example 8 Using the useradd Command to Create a Local User

In this example, the root role creates a local user who can assume the Security Administrator role. For details, see the useradd(8) and atohexlabel(8) man pages.

This user is going to have a label range that is wider than the default label range. So, the root role determines the hexadecimal format of the user's minimum label and clearance label.

# atohexlabel public
0x0002-08-08
# atohexlabel -c "confidential restricted"
0x0004-08-78

Next, the root role consults Figure 2, Table 2, Trusted Extensions Security Defaults for User Accounts, and then creates the user. The administrator places the user's home directory in /export/home1 rather than the default, /export/home.

# useradd -c "Local user for Security Admin" -d /export/home1/jandoe -K audit_flags=lo,ex:no \
-K  idletime=8 -K idlecmd=lock -K lock_after_retries=no \
-K min_label=0x0002-08-08 -K clearance=0x0004-08-78 jandoe

Then, the root role assigns an initial password.

# passwd -r files jandoe
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
passwd: password successfully changed for jandoe
#

Finally, the root role adds the Security Administrator role to the user's definition. The role was created in How to Create the Security Administrator Role in Trusted Extensions.

# usermod -R secadmin jandoe