Chapter 2 Using Trusted Solaris Procedures

This chapter describes how to do Trusted Solaris procedures that are common in setting up a Sun Enterprise 10000 to run Trusted Solaris software. These procedures modify or add to Solaris procedures.

• Using the Solaris Management Console

• Setting up a CD-ROM

• Deallocating the CD-ROM

• Editing the Trusted Network Databases

Using the Solaris Management Console

The Solaris Management Console administers users, computers, and networks in the Trusted Solaris environment. See “To Initialize the SMC Server” in Trusted Solaris Installation and Configuration for the details of using the SMC and its administration tools.

The Solaris Management Console can be modified to enable users to assume roles from untrusted machines, as described in the following procedure.

To Enable Users to Assume Roles from Untrusted Clients

By default, the Trusted Solaris environment does not permit role assumption outside of the Trusted Path, but the policy can be changed by editing the startup script for the Trusted Solaris SMC server. The -u option allows untrusted clients to assume a role via the SMC login dialog.

Prerequisite: The task “To Edit Name Service Toolbox Definitions” in Trusted Solaris Installation and Configuration has been completed on the untrusted client.

1. Log in as a user who can assume the role secadmin and assume the role.

2. Edit the file /usr/sadm/lib/smc/bin/smcwbemserver in the Admin Editor.

3. Add the -u option to the line com.sun.management.viperimpl.server.ViperWbemServer "$@" |&:

   com.sun.management.viperimpl.server.ViperWbemServer -u "$@" |&

4. Write the file and quit the editor.

5. Restart the SMC server.

   $ /etc/init.d/init.wbem stop $ /etc/init.d/init.wbem start

   This procedure only applies to untrusted SMC clients connecting to Trusted Solaris servers and assuming a role. If the -u option is specified, the user, once authenticated, is presented with a list of authorized roles which are available on the server. The user may choose a role, enter the password, and select the Login as Role button. Without the -u option, the list of roles will not be displayed, so only a normal login is allowed.

Setting up a CD-ROM

To install from a CD-ROM, you need to have assumed an administrative role, given all allowed privileges to the CD-ROM device, allocated it, and changed the permissions on the parent of the mount point.

Give Mounted Media All Allowed Privileges

1. Log in as a user who can assume the admin role and assume it.

2. Open the Admin Editor from the System_Admin folder.

3. Assign all allowed privileges to mounted removable media in the /etc/rmmount.conf file, as in:

   mount * hsfs udfs ufs -o nosuid allowed=all

4. Write the file with :wq! and exit the editor.

Allocate and Mount the CD-ROM

In the admin role, at label admin_low, use the Device Allocation Manager to allocate and mount the CD-ROM drive.

1. Click the triangle above the Style Manager on the Front Panel to display the Tools subpanel. Click Device Allocation.

2. Double-click the CD-ROM device to move it to the Allocated Devices list.

3. Insert the CD into the CD-ROM drive and press the Return key.

4. Click Yes to the mount question.

   A File Manager pops up showing the mount point of the CD-ROM. (If it does not pop up, open a File Manager from the Front Panel, navigate to /, and double-click cdrom.)

   • When mounting the Trusted Solaris 8 installation CD, its pathname should be one of: /cdrom/admin-cdrom_0/trusted_sol_8_sparc or /cdrom/admin-cdrom_0/trusted_sol_8_ia

   • When mounting the Trusted Solaris 8 Supplement CD to install a package, its pathname should be something like: /cdrom/admin-cdrom_0/trusted_sol_8_sup1.

Modify Permissions of Mount Point Parent

This procedure is required for the system administrator (admin role) to install software packages.

1. In the File Manager, highlight /cdrom/admin-cdrom_0, the parent of the mount point.

2. From the Selected menu, choose Properties.

   Note that the directory, named CD-ROM_FOLDER, has mode 700, so it is not searchable. The following steps will fix that.

3. Click the Show Access Control List button, then Add …

4. Highlight the Mask entry and click Change.

5. Change the Mask to Read and Execute, and click Change.

6. Click Add…, and enter root in the User field, giving it Read and Execute.

7. Click Add, then click OK to exit the dialog.

8. Leave the File Manager up, available for the installation commands.

Deallocating the CD-ROM

The administrator who allocated a CD-ROM at a particular label deallocates it using the Device Allocation Manager. Typically, the Device Allocation is still running in the workspace where it was invoked.

To Deallocate a CD-ROM

1. In the role that allocated the CD-ROM, return to the workspace that is running the Device Allocation Manager.

2. Double-click the name of the CD-ROM device in the Allocated Devices list and move it to the Available Devices list.

3. Remove the CD-ROM, and click OK in the CD-ROM Deallocation dialog.

4. To close the Device Allocation window, click the top left button and select Close.

Editing the Trusted Network Databases

The trusted network databases, tnrhdb(4) and tnrhtp(4), are edited from the Solaris Management Console.

To Edit the Tnrhtp

1. Launch the Solaris Management Console in the role secadmin at label admin_low.

   If you are unfamiliar with the procedure, see “To Initialize the SMC Server” in Trusted Solaris Installation and Configuration.

2. Choose the Trusted Solaris Management Console of the appropriate scope in the Navigation pane, click Computers and Networks, then double-click Security Families.

3. Select Add Template from the Action menu, and follow the online help.

To Edit the Tnrhdb

1. Launch the Solaris Management Console in the role secadmin at label admin_low.

   If you are unfamiliar with the procedure, see “To Initialize the SMC Server” in Trusted Solaris Installation and Configuration.

2. Under Trusted Solaris Management Console of the appropriate scope in the Navigation pane, click Computers and Networks, then double-click Security Families, then double-click ALL.

3. Right-click a host IP address in the View pane.

   • To add a host — Choose Add Host(s) to create one or more new remote host entries.

   • To change a host's template — Choose Properties to modify the selected host's assigned template.

4. Follow the online help in the dialog box for assistance.