How to Make root User Into a Role (System Administration Guide: Security Services)

System Administration Guide: Security Services

How to Make `root` User Into a Role

This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.

By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.

In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8.

As a regular user, log in to the target system.

Assume the Primary Administrator role, or become superuser.

The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

Create a local user who can assume the root role.

For safety, at least one local user should be assigned the root role.
$ useradd -c comment -u uid -d homedir username
-c comment

Is the comment that describes the user.

-d homedir

Is the home directory of the user. This directory should be on the local system.

-u uid

Is the user identification number.

username

Is the name of the new local user.
# useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local

Give the user a password.

# passwd -r files jdoe-local
New Password:    <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for jdoe-local
#

Make sure that you are not logged in as root.

# who
jdoe    console      May 24 13:51    (:0)
jdoe    pts/5        May 24 13:51    (:0.0)
jdoe    pts/4        May 24 13:51    (:0.0)
jdoe    pts/10       May 24 13:51    (:0.0)

Change root user into a role.
# usermod -K type=role root

Verify that root is a role.

The root entry in the user_attr file should appear similar to the following:
# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=...

Assign the root role to your local account.
# usermod -R root jdoe-local
Caution –
If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.

Configure the name service to return in case of failure.

Open a new terminal window and assume the root role.

% whoami
jdoe
% su - jdoe-local
Enter password:   <Type jdoe-local password>
% roles
root
% su - root
Enter password:   <Type root password>
#

Edit the nsswitch.conf file.

For example, the following entries in the nsswitch.conf file would enable the name service to return.
passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]

(Optional) Assign the root role to selected user accounts in the name service.

For the procedure, see How to Change the RBAC Properties of a User.

Example 9–8 Preventing the `root` Role From Being Used to Configure a System

In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.

First, the administrator verifies that root is not an assigned role.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=secadmin
kdoe-local::::type=normal;roles=sysadmin

Still in the root account, the administrator changes root into a role.

# usermod -K type=role root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=role;auths=solaris.*,solaris.grant;profiles=...

Example 9–9 Changing the `root` Role Back Into the `root` User

In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.

First, the administrator assumes the root role to remove all root role assignments.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=root
kdoe-local::::type=normal;roles=root
# usermod -R "" jdoe-local
# usermod -R "" kdoe-local
# grep roles /etc/user_attr
#

Still in the root role, the administrator changes root into a user.

# rolemod -K type=normal root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=normal;auths=solaris.*,solaris.grant;profiles=...

Troubleshooting

In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.

No one can become superuser if you change the root user into a role and fail to make one of the following assignments:

Assign the root role to a valid user.
Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.
Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.