This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.
By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.
In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8.
As a regular user, log in to the target system.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
Create a local user who can assume the root role.
For safety, at least one local user should be assigned the root role.
    $ useradd -c comment -u uid -d homedir username

    -c comment    Is the comment that describes the user.
    -u uid        Is the user identification number.
    -d homedir    Is the home directory of the user. This directory should be on the local system.
    username      Is the name of the new local user.

    # useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local
Give the user a password.
    # passwd -r files jdoe-local
    New Password: <Type password>
    Re-enter new Password: <Retype password>
    passwd: password successfully changed for jdoe-local
    #
Make sure that you are not logged in as root.
    # who
    jdoe       console      May 24 13:51    (:0)
    jdoe       pts/5        May 24 13:51    (:0.0)
    jdoe       pts/4        May 24 13:51    (:0.0)
    jdoe       pts/10       May 24 13:51    (:0.0)
Change the root user into a role.

    # usermod -K type=role root
Verify that root is a role.
The root entry in the user_attr file should appear similar to the following:
    # grep root /etc/user_attr
    root::::type=role;auths=solaris.*,solaris.grant;profiles=...
Assign the root role to your local account.
    # usermod -R root jdoe-local
If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.
Configure the name service to return in case of failure.
Open a new terminal window and assume the root role.
    % whoami
    jdoe
    % su - jdoe-local
    Enter password: <Type jdoe-local password>
    % roles
    root
    % su - root
    Enter password: <Type root password>
    #
Edit the nsswitch.conf file.
For example, the following entries in the nsswitch.conf file cause passwd and group lookups to return as soon as the nis source is unavailable or has no matching entry, instead of retrying the name service.
    passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
    group:  files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
(Optional) Assign the root role to selected user accounts in the name service.
For the procedure, see How to Change the RBAC Properties of a User.
In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.
First, the administrator verifies that root is not an assigned role.
    % whoami
    jdoe-local
    % su - root
    Password: a!2@3#4$5%6^7
    # grep roles /etc/user_attr
    jdoe-local::::type=normal;roles=secadmin
    kdoe-local::::type=normal;roles=sysadmin
Still in the root account, the administrator changes root into a role.
    # usermod -K type=role root
Then, the administrator verifies the change in the root entry in the user_attr file.
    # grep root /etc/user_attr
    root::::type=role;auths=solaris.*,solaris.grant;profiles=...
In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.
First, the administrator assumes the root role to remove all root role assignments.
    % whoami
    jdoe-local
    % su - root
    Password: a!2@3#4$5%6^7
    # grep roles /etc/user_attr
    jdoe-local::::type=normal;roles=root
    kdoe-local::::type=normal;roles=root
    # usermod -R "" jdoe-local
    # usermod -R "" kdoe-local
    # grep roles /etc/user_attr
    #
Still in the root role, the administrator changes root into a user.
    # rolemod -K type=normal root
Then, the administrator verifies the change in the root entry in the user_attr file.
    # grep root /etc/user_attr
    root::::type=normal;auths=solaris.*,solaris.grant;profiles=...
In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.
No one can become superuser if you change the root user into a role and fail to make one of the following assignments:
Assign the root role to a valid user.
Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.
Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.
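To check the end state that the procedure above and this troubleshooting list describe, here is an added example that is not part of the original guide. It audits copies of user_attr and nsswitch.conf: it confirms that the root entry carries type=role, that at least one other account can still reach superuser through roles=root or the Primary Administrator profile, and that the passwd and group sources carry UNAVAIL=return and NOTFOUND=return. The file contents, the account names adoe-local/jdoe-local/kdoe-local and the profiles=All value are constructed sample data written to a temporary directory; on a real host, point audit_root_role at /etc/user_attr and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): audit the root-as-role configuration.
# user_attr lines have five colon-separated fields; the fifth is key=value pairs
# separated by semicolons, e.g. root::::type=role;auths=solaris.*;profiles=All

# attr_value FILE USER KEY -> prints the value of KEY from USER's attribute field
attr_value() {
    awk -F: -v u="$2" -v k="$3" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq > 0 && substr(kv[i], 1, eq - 1) == k) { print substr(kv[i], eq + 1); exit }
            }
        }' "$1"
}

# root_is_role FILE -> exit 0 when the root entry has type=role
root_is_role() { [ "$(attr_value "$1" root type)" = "role" ]; }

# has_item CSV ITEM -> exit 0 when ITEM is one of the comma-separated values
has_item() { printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"; }

# users_with_root_access FILE -> one line per non-root user that is assigned the
# root role or the Primary Administrator profile (the equivalents the guide names)
users_with_root_access() {
    awk -F: '$1 != "root" && $1 !~ /^#/ && NF >= 5 { print $1 }' "$1" | while read -r u; do
        if has_item "$(attr_value "$1" "$u" roles)" root; then
            echo "$u (root role)"
        elif has_item "$(attr_value "$1" "$u" profiles)" "Primary Administrator"; then
            echo "$u (Primary Administrator profile)"
        fi
    done
}

# nsswitch_returns FILE DB -> exit 0 when DB's line returns on UNAVAIL and NOTFOUND
nsswitch_returns() {
    grep -E "^$2:.*UNAVAIL=return" "$1" >/dev/null &&
    grep -E "^$2:.*NOTFOUND=return" "$1" >/dev/null
}

# audit_root_role USERATTR NSSWITCH -> prints findings; exit 0 only when root is a
# role, superuser is still reachable, and lookups return on name-service failure
audit_root_role() {
    status=0
    if root_is_role "$1"; then
        echo "OK: root is a role (no anonymous root login)"
    else
        echo "FAIL: root is still a login user"; status=1
    fi
    access=$(users_with_root_access "$1")
    if [ -n "$access" ]; then
        printf 'OK: superuser reachable via:\n%s\n' "$access"
    else
        echo "FAIL: nobody is assigned root or an equivalent profile; only single-user mode remains"; status=1
    fi
    for db in passwd group; do
        if nsswitch_returns "$2" "$db"; then
            echo "OK: $db lookups return when the name service fails"
        else
            echo "FAIL: $db lookups lack UNAVAIL=return/NOTFOUND=return"; status=1
        fi
    done
    return $status
}

# Constructed sample files (not real system data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/user_attr.after" <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
jdoe-local::::type=normal;roles=root
kdoe-local::::type=normal;roles=sysadmin
adoe-local::::type=normal;profiles=Primary Administrator
EOF
cat > "$SAMPLE_DIR/user_attr.locked" <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
jdoe-local::::type=normal;roles=secadmin
EOF
cat > "$SAMPLE_DIR/nsswitch.after" <<'EOF'
passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]
EOF
cat > "$SAMPLE_DIR/nsswitch.default" <<'EOF'
passwd: files nis
group: files nis
EOF

echo "== state after the procedure =="
if audit_root_role "$SAMPLE_DIR/user_attr.after" "$SAMPLE_DIR/nsswitch.after"; then echo "result: safe"; fi
echo "== root made a role but never assigned =="
if ! audit_root_role "$SAMPLE_DIR/user_attr.locked" "$SAMPLE_DIR/nsswitch.default"; then echo "result: fix before logging out"; fi
```

The second sample reproduces the condition the troubleshooting text warns about: root has become a role, no account is assigned it or an equivalent profile, and the name service would not return on failure, so the audit reports FAIL on every point rather than only on the missing assignment.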