This chapter covers tasks for distributing the capabilities of superuser by using discrete roles. The mechanisms that roles can use include rights profiles, authorizations, and privileges. The following is a list of the task maps in this chapter.
For an overview of RBAC, see Role-Based Access Control (Overview). For reference information, see Chapter 10, Role-Based Access Control (Reference). To use privileges with RBAC or without RBAC, see Chapter 11, Privileges (Tasks).
To use RBAC requires planning, configuring RBAC, and knowing how to assume a role. Once roles become familiar, you might further customize RBAC to handle new operations. The following task map points to these major tasks.
Task |
Description |
For Instructions |
---|---|---|
Plan and configure RBAC |
Configure RBAC at your site. | |
Use roles |
Assume roles from the command line and in the Solaris Management Console GUI. | |
Customize RBAC |
Customize RBAC for your site. |
To use RBAC effectively requires planning. Use the following task map to plan and initially implement RBAC at your site.
Task |
Description |
For Instructions |
---|---|---|
1. Plan for RBAC |
Involves examining your site's security needs, and deciding how to use RBAC at your site. | |
2. Learn to use the Solaris Management Console |
Involves becoming familiar with the Solaris Management Console. | |
3. Configure the first user and role |
Uses the RBAC configuration tools in the Solaris Management Console to create a user and a role, and to assign the role to the user. | |
4. (Optional) Create other users who can assume roles |
Ensures that users who can assume an administrative role exist. | |
5. (Recommended) Create other roles and assign them to users |
Uses the RBAC tools to create roles for particular administrative areas, and to assign the roles to users. | |
Uses the command line to create roles, and to assign the roles to users | ||
6. (Recommended) Audit role actions |
Preselect an audit class that includes the audit event that records role actions. | |
7. (Optional) Make root user a role |
Prevents anonymous root login, which is a security hole. |
RBAC can be configured with the following utilities:
Solaris Management Console GUI – The preferred method for performing RBAC-related tasks is through the GUI. The console tools for managing the RBAC elements are contained in the Users Tool collection.
Solaris Management Console commands – With the Solaris Management Console command-line interfaces, such as smrole, you can operate on any name service. The Solaris Management Console commands require authentication to connect to the server. As a result, these commands are not practical for use in scripts.
Local commands – With the user* and role* set of command-line interfaces, such as useradd, you can operate on local files only. The commands that operate on local files must be run by superuser or by a role with the appropriate privileges.
RBAC can be an integral part of how an organization manages its information resources. Planning requires a thorough knowledge of the RBAC capabilities as well as the security requirements of your organization.
Learn the basic RBAC concepts.
Read Role-Based Access Control (Overview). Using RBAC to administer a system is very different from using conventional UNIX administrative practices. You should be familiar with the RBAC concepts before you start your implementation. For greater detail, see Chapter 10, Role-Based Access Control (Reference).
Examine your security policy.
Your organization's security policy should detail the potential threats to your system, measure the risk of each threat, and have a strategy to counter these threats. Isolating the security-relevant tasks through RBAC can be a part of the strategy. Although you can install the recommended roles and their configurations as is, you might need to customize your RBAC configuration to adhere to your security policy.
Decide how much RBAC your organization needs.
Depending on your security needs, you can use varying degrees of RBAC, as follows:
No RBAC – You can perform all tasks as root user. In this configuration, you log in as yourself. Then, you type root as the user when you select a Solaris Management Console tool.
Single Role Only – This method adds one role. The one role is assigned the Primary Administrator rights profile. This method is similar to the superuser model, in that the role has superuser capabilities. However, this method enables you to track the user who has assumed the role.
Recommended Roles – This method creates three roles that are based on the following rights profiles: Primary Administrator, System Administrator, and Operator. The roles are suitable for organizations with administrators at different levels of responsibility.
Custom Roles – You can create your own roles to meet the security requirements of your organization. The new roles can be based on existing or customized rights profiles. To customize rights profiles that enforce separation of duty, see Creating Roles and Users in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide..
Root User as a Role – This method prevents any user from logging in as root. Instead, users must log in as ordinary users prior to assuming the root role. For details, see How to Make root User Into a Role.
Decide which recommended roles are appropriate for your organization.
Review the capabilities of the recommended roles and default rights profiles. Default rights profiles enable administrators to configure a recommended role by using a single profile.
Three default rights profiles are available for configuring the recommended roles:
Primary Administrator rights profile – For configuring a role that can perform all administrative tasks, can grant rights to others, and can edit rights that are associated with administrative roles. A user in this role can assign this role to other users, and can grant rights to other users.
System Administrator rights profile – For configuring a role that can perform most administrative tasks that are not related to security. For example, the System Administrator can add new user accounts, but cannot set passwords or grant rights to other users.
Operator rights profile – For configuring a role that can perform simple administrative tasks, such as media backup and printer maintenance.
To further examine rights profiles, read one of the following:
In the /etc/security directory, read the contents of the prof_attr database and the exec_attr database.
In the Solaris Management Console, use the Rights tool to display the contents of a rights profile.
In this book, refer to Contents of Rights Profiles for summaries of some typical rights profiles.
Decide if any additional roles or rights profiles are appropriate for your organization.
Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for RBAC. You can customize roles and rights profiles to handle the security requirements of your organization.
Determine which commands are needed for the new task.
Decide which rights profile is appropriate for this task.
Check if an existing rights profile can handle this task or if a separate rights profile needs to be created.
Determine which role is appropriate for this rights profile.
Decide if the rights profile for this task should be assigned to an existing role or if a new role should be created. If you use an existing role, check that the other rights profiles are appropriate for users who are assigned to this role.
Decide which users should be assigned to the available roles.
According to the principle of least privilege, you should assign users to roles that are appropriate to their level of trust. When you prevent users from access to tasks that the users do not need to perform, you reduce potential problems.
To create a new role, you can be superuser, or you can use the Primary Administrator role. In this procedure, the creator of the new role has assumed the role of Primary Administrator.
You have already created users who can assume a role at your site. If the users are not yet created, create them by following the instructions in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
You have been assigned the Primary Administrator role by following the procedures in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
Start the Solaris Management Console.
# /usr/sbin/smc & |
For login instructions, see How to Assume a Role in the Solaris Management Console.
Click the Administrative Roles icon.
Select Add Administrative Role from the Action menu.
Create a new role by filling in the fields in the series of dialog boxes.
For possible roles, see Example 9–1 to Example 9–4.
All tools in the Solaris Management Console display information in the bottom section of the page or at the left side of a wizard panel. Choose Help at any time to find additional information about performing tasks in this interface.
After filling in the properties of the role, the last dialog box prompts you for a user for the role.
In a terminal window, restart the name service cache daemon.
# svcadm restart system/name-service-cache |
For more information, see the svcadm(1M) and nscd(1M) man pages.
In this example, the new role can do system administration tasks that are not connected to security. The role is created by performing the preceding procedure with the following parameters:
Role name: sysadmin
Role full name: System Administrator
Role description: Performs non-security admin tasks
Rights profile: System Administrator
This rights profile is at the top of the list of profiles that are included in the role.
The Operator rights profile can manage printers and back up the system to offline media. You might want to assign the role to one user on each shift. To do so, you would select the role mailing list option in the Step 1: Enter a Role Name dialog box. The role is created by performing the preceding procedure with the following parameters:
Role name: operadm
Role full name: Operator
Role description: Backup operator
Rights profile: Operator
This rights profile must be at the top of the list of profiles that are included in the role.
By default, the only rights profile that contains security-related commands and rights is the Primary Administrator profile. If you want to create a role that is not as powerful as Primary Administrator, but can handle some security-related tasks, you must create the role.
In the following example, the role protects devices. The role is created by performing the preceding procedure with the following parameters:
Role full name: Device Security
Role description: Configures Devices
Rights profile: Device Security
In the following example, the role secures systems and hosts on the network. The role is created by performing the preceding procedure with the following parameters:
Role full name: Network Security
Role description: Handles IPsec, IKE, and SSH
Rights profile: Network Security
A number of rights profiles are of limited scope. In this example, the sole task of the role is to manage DHCP. The role is created by performing the preceding procedure with the following parameters:
Role name: dhcpmgt
Role full name: DHCP Management
Role description: Manages Dynamic Host Config Protocol
Rights profile: DHCP Management
In this example, a role is added to an existing user. The user's role assignment is modified by clicking the User Accounts icon in the Users tool in the Solaris Management Console, double-clicking the user, and following the online help to add a role to the user's capabilities.
Check the following if the role does not have the capabilities that it should:
Are the role's rights profiles listed in the GUI from most to least powerful?
For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.
Do the commands in the role's rights profiles have the appropriate security attributes?
For example, when the policy is suser, some commands require uid=0 rather than euid=0.
Is the rights profile defined in the appropriate name service scope? Is the role operating in the name service scope where the rights profile is defined?
Has the name service cache, svc:/system/name-service-cache, been restarted?
The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.
The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.
Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently.
To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Choose one of the following commands to create a role on the command line.
For roles in the local name service scope, use the roleadd command.
The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User.
# roleadd -c comment \ -g group -m homedir -u UID -s shell \ -P profile rolename |
Is a comment that describes rolename.
Is the group assignment for rolename.
Is the path to the home directory for rolename.
Is the UID for rolename.
Is the login shell for rolename. This shell must be a profile shell.
Is one or more rights profiles for rolename.
Is the name of the new local role.
Use the smrole add command.
This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ add -- -n rolename -a rolename -d directory\ -F full-description -p profile |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new role.
Is the comment that describes the capabilities of the role.
Is the name of the user who can assume rolename.
Is the home directory for rolename.
Is the full description for rolename. This description is displayed in the Solaris Management Console GUI.
Is a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple -p profile options.
To put the changes into effect, see How to Assign a Role to a Local User.
The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Operator role. The role includes the standard Operator rights profile as well as the Media Restore rights profile. Note that the command prompts you for a password for the new role.
% su - primaryadm Password: <Type primaryadm password> $ /usr/sadm/bin/smrole add -H myHost -- -c "Backup and Restore Operator" \ -n operadm2 -a janedoe -d /export/home/operadm \ -F "Backup/Restore Operator" -p "Operator" -p "Media Restore" Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password ::<Type operadm2 password> $ svcadm restart system/name-service-cache |
The smrole command with the list subcommand is used to display the new role:
$ /usr/sadm/bin/smrole list -- Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. root 0 Superuser primaryadm 100 Most powerful role sysadmin 101 Performs non-security admin tasks operadm 102 Backup Operator operadm2 103 Backup/Restore Operator |
This procedure assigns a local role to a local user, restarts the name cache daemon, and then shows how the user can assume the role.
To assign a role to a user in a distributed name service, see How to Create a Role From the Command Line and How to Change the Properties of a Role.
You have added a local role, as described in How to Create a Role From the Command Line. You must either assume a role that includes the Primary Administrator rights profile, or switch to thh user root.
Assign the role to a local user.
If you added a local role with the roleadd command, this step is required. This step is optional when you use the smrole command and the Solaris Management Console to create a role.
# usermod -u UID -R rolename login-name |
Is the UID of the user.
Is the role that is being assigned to the user.
Is the user's login name.
To put the changes into effect, restart the name service cache daemon.
# svcadm restart system/name-service-cache |
If you added a role with a Solaris Management Console interface, go to Using Roles (Task Map). Otherwise, continue with the next step.
(Optional) To unlock the role account, the user must create a password.
If you added a local role with the roleadd command, this step is required.
% su - rolename Password: <Type rolename password> Confirm Password: <Retype rolename password> $ |
In this example, a role is created to administer the Solaris Cryptographic Framework. The Crypto Management rights profile contains the cryptoadm command for administering hardware and software cryptographic services on a local system.
# roleadd -c "Cryptographic Services manager" \ -g 14 -m /export/home/cryptoadm -u 104 -s pfksh \ -P "Crypto Management" cryptomgt # usermod -u 1111 -R cryptomgt # svcadm restart system/name-service-cache % su - cryptomgt Password: <Type cryptomgt password> Confirm Password: <Retype cryptomgt password> $ /usr/ucb/whoami cryptomgt $ |
For information about the Solaris Cryptographic Framework, see Chapter 13, Solaris Cryptographic Framework (Overview). To administer the framework, see Administering the Cryptographic Framework (Task Map).
The actions that a role performs can be audited. Included in the audit record is the login name of the user who assumed the role, the role name, and the action that the role performed. The 6180:AUE_prof_cmd:profile command:ua,as audit event collects the information. By preselecting the as class or the ua class, you can audit role actions.
Plan for auditing and edit the audit configuration files.
For more information, see Solaris Auditing (Task Map).
Include the ua class or the as class in the flags line of the audit_control file.
## audit_control file flags:lo,as naflags:lo plugin:name=audit_binfile.so; p_dir=/var/audit |
The ua class and the as class include other audit events. To see the audit events that are included in a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30–27.
Finish configuring the auditing service, then enable auditing.
For more information, see Configuring and Enabling the Audit Service (Tasks).
This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.
By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.
In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8.
You cannot perform this procedure when you are directly logged in as root. You must log in as yourself, then su to root.
As a regular user, log in to the target system.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
Create a local user who can assume the root role.
For safety, at least one local user should be assigned the root role.
$ useradd -c comment -u uid -d homedir username |
Is the comment that describes the user.
Is the home directory of the user. This directory should be on the local system.
Is the user identification number.
Is the name of the new local user.
# useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local |
Give the user a password.
# passwd -r files jdoe-local New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for jdoe-local # |
Make sure that you are not logged in as root.
# who jdoe console May 24 13:51 (:0) jdoe pts/5 May 24 13:51 (:0.0) jdoe pts/4 May 24 13:51 (:0.0) jdoe pts/10 May 24 13:51 (:0.0) |
Change root user into a role.
# usermod -K type=role root |
Verify that root is a role.
The root entry in the user_attr file should appear similar to the following:
# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=... |
Assign the root role to your local account.
# usermod -R root jdoe-local |
If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.
Configure the name service to return in case of failure.
Open a new terminal window and assume the root role.
% whoami jdoe % su - jdoe-local Enter password: <Type jdoe-local password> % roles root % su - root Enter password: <Type root password> # |
Edit the nsswitch.conf file.
For example, the following entries in the nsswitch.conf file would enable the name service to return.
passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] |
(Optional) Assign the root role to selected user accounts in the name service.
For the procedure, see How to Change the RBAC Properties of a User.
In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.
First, the administrator verifies that root is not an assigned role.
% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=secadmin kdoe-local::::type=normal;roles=sysadmin |
Still in the root account, the administrator changes root into a role.
# usermod -K type=role root |
Then, the administrator verifies the change in the root entry in the user_attr file.
# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=... |
In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.
First, the administrator assumes the root role to remove all root role assignments.
% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=root kdoe-local::::type=normal;roles=root # usermod -R "" jdoe-local # usermod -R "" kdoe-local # grep roles /etc/user_attr # |
Still in the root role, the administrator changes root into a user.
# rolemod -K type=normal root |
Then, the administrator verifies the change in the root entry in the user_attr file.
# grep root /etc/user_attr root::::type=normal;auths=solaris.*,solaris.grant;profiles=... |
In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.
No one can become superuser if you change the root user into a role and fail to make one of the following assignments:
Assign the root role to a valid user.
Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.
Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.
The following task map points to procedures for using your role after roles have been assigned.
Task |
Description |
For Instructions |
---|---|---|
Use the Solaris Management Console |
Authenticate yourself as a role to perform administrative tasks in the Solaris Management Console. | |
Assume a role in a terminal window |
Perform command-line administrative tasks in a profile shell. |
After you have set up roles with default Solaris rights profiles, and assigned the roles to users, the roles can be used. A role can be assumed on the command line. In the Solaris Management Console, a role can also be used for administering the system locally and over the network.
The role must already be assigned to you. The name service must be updated with that information.
In a terminal window, determine which roles you can assume.
% roles Comma-separated list of role names is displayed |
Use the su command to assume a role.
% su - rolename Password: <Type rolename password> $ |
The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes (authorizations, privileges, and set ID bits).
Verify that you are now in a role.
$ /usr/ucb/whoami rolename |
You can now perform role tasks in this terminal window.
(Optional) View the capabilities of your role.
For the procedure, see How to Determine the Privileged Commands That a Role Can Run.
In the following example, the user assumes the role of Primary Administrator. In the default configuration, this role is equivalent to superuser. The role then checks to see which privileges are available to any command that is typed in the profile shell for the role.
% roles sysadmin,oper,primaryadm % su - primaryadm Password: <Type primaryadm password> $ /usr/ucb/whoami Prompt has changed to role prompt primaryadm $ ppriv $$ 1200: pfksh flags = <none> E (Effective): all I (Inheritable): basic P (Permitted): all L (Limit): all |
For information about privileges, see Privileges (Overview).
In the following example, the user assumes the root role. The role was created in How to Make root User Into a Role
% roles root % su - root Password: <Type root password> # /usr/ucb/whoami Prompt has changed to role prompt root $ ppriv $$ 1200: pfksh flags = <none> E: all I: basic P: all L: all |
For information about privileges, see Privileges (Overview).
In the following example, the user assumes the role of System Administrator. In contrast to the Primary Administrator role, the System Administrator has the basic set of privileges in its effective set.
% roles sysadmin,oper,primaryadm % su - sysadmin Password: <Type sysadmin password> $ /usr/ucb/whoami Prompt has changed to role prompt sysadmin $ ppriv $$ 1200: pfksh flags = <none> E: basic I: basic P: basic L: all |
For information about privileges, see Privileges (Overview). For a short description of the capabilities of the role, see System Administrator Rights Profile.
To change information in the Solaris Management Console GUI requires
administrative capabilities. A role gives you administrative capabilities.
If you want to view information, you must have the solaris.admin.usermgr.read
authorization. The Basic Solaris User rights profile includes
this authorization.
An administrative role that can change the properties of users or roles must have already been assigned to you. For example, the Primary Administrator role can change the properties of users or roles.
Start the Solaris Management Console.
% /usr/sbin/smc & |
For detailed instructions, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.
Select the toolbox for your task.
Navigate to the toolbox that contains the tool or collection in the appropriate name service scope and click the icon. The scopes are files (local), NIS, NIS+, and LDAP. If the appropriate toolbox is not displayed in the navigation pane, choose Open Toolbox from the Console menu and load the relevant toolbox.
Select the tool that you want to use.
Navigate to the tool or collection and click the icon. The tools for managing the RBAC elements are in the Users tool, as shown in the following figure.
Type your user name and password in the Login: User Name dialog box.
Authenticate yourself in the Login: Role dialog box.
The Role option menu in the dialog box displays the roles that are assigned to you. Choose a role and type the role password.
The following task map points to procedures for customizing role-based access control (RBAC) after RBAC has been initially implemented.
Task |
Description |
For Instructions |
---|---|---|
Change the role password |
An authorized user or role changes the password of another role. | |
Modify the properties of a role |
Modifies the capabilities (privileges, privileged commands, profiles, or authorizations) of a role. | |
Create or change rights profiles |
Creates a rights profile. Or modifies the authorizations, privileged commands, or supplementary rights profiles in a rights profile. | |
Change a user's administrative capabilities |
Adds a role, a rights profile, an authorization, or privileges to an ordinary user. | |
Secure legacy applications |
Turns on the set ID permissions for legacy applications. Scripts can contain commands with set IDs. Legacy applications can check for authorizations, if appropriate. |
These procedures manage the elements that are used in RBAC. For user management procedures, refer to Chapter 5, Managing User Accounts and Groups (Tasks), in System Administration Guide: Basic Administration.
The Solaris Management Console GUI is the preferred method for managing RBAC.
Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. Both tools can administer RBAC, but you cannot use both tools concurrently.
You must have assumed a role that includes the User Security profile or have switched to superuser. You cannot be in the role whose password you want to change. A role cannot change its own password.
Use one of the following methods to change a role's password.
As superuser or in a role that includes the User Security rights profile, run the passwd command.
$ passwd -r naming-service target-rolename |
Applies the password change to one of the following repositories files, nis, nisplus, or ldap. If a repository is not specified, the password is changed in files.
Is the name of an existing role that you want to modify.
For more command options, see the passwd(1) man page.
Change the password in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console.
Log in to the console as superuser or in a role that includes the User Security rights profile.
The login role cannot be the target role.
Choose the appropriate scope.
The Files scope modifies the role password on the local system. The LDAP scope modifies the role password in the LDAP naming service.
Navigate to Administrative Roles and follow the instructions in the left-hand pane.
For more extensive information, see the online help.
As superuser or in a role that includes the User Security rights profile, run the smrole command with the modify subcommand.
This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smrole -D domain-name -r admin-role -l <Type admin-role password> \ modify -- -n target-rolename -P password |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the target role. The administrative role must have the solaris.admin.usermgr.pswd authorization. The administrative role and the target role cannot be the same role.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the target role.
Is the new password for target-rolename.
For the full list of command options, see the smrole(1M) man page.
In this example, superuser changes the password of the local operadm role.
# passwd -r files operadm New password: Type new password Re-enter new password: Retype new password |
In this example, the Primary Administrator role changes the password of the operadm role in the LDAP directory service.
$ passwd -r ldap operadm New password: Type new password Re-enter new password: Retype new password |
In this example, the administrator contacts the Solaris Management Console server to change the operadm password in the NIS domain. When the administrator does not provide the password before pressing the Return key, the New Password: prompt appears.
$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n operadm -P Press the Return key New Password: a!2@3#4$5%6*7 $ |
You must either assume a role that includes the Primary Administrator rights profile, or switch to the user root to change the properties of a role. Role properties include password, rights profiles, and authorizations.
To change a role's password property, see How to Change the Password of a Role.
Use one of the following methods to change the properties of a role.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a role in Administrative Roles. For more extensive information, see the online help.
Use the rolemod command.
This command modifies the attributes of a role that is defined in the local name service.
$ rolemod -c comment -P profile-list rolename |
Is the new comment that describes the capabilities of the role.
Is the list of the profiles that are included in the role. This list replaces the current list of profiles.
Is the name of an existing, local role that you want to modify.
For more command options, see the rolemod(1M) man page.
Use the smrole command with the modify subcommand.
This command modifies the attributes of a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n rolename -r username -u username |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new role.
Is the name of the user who can no longer assume rolename.
Is the name of the user who can now assume rolename.
For more command options, see the smrole(1M) man page.
In this example, the operadm role is modified to include the Media Restore rights profile.
$ rolemod -c "Handles printers, backup, AND restore" \ -P "Printer Management,Media Backup,Media Restore,All" operadm |
These rights profiles are added to the profiles that are granted through the policy.conf file.
In the following example, the operadm role is modified to add the Media Restore rights profile.
$ /usr/sadm/bin/smrole -r primaryadm -l <Type primaryadm password> \ modify -- -n operadm -c "Handles printers, backup, AND restore" \ -p "Media Restore" |
In the following example, the clockmgr role is changed. The NIS user whose ID is 108 can no longer assume the role. The NIS user whose ID is 110 can assume the role clockmgr.
$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n clockmgr -r 108 -u 110 |
A rights profile is a property of a role. You should create or change a rights profile when the prof_attr database does not contain a rights profile that fulfills your needs. To learn more about rights profiles, see RBAC Rights Profiles.
To create or change a rights profile, you must have assumed the role of Primary Administrator or have switched to superuser.
Use one of the following methods to create or change a rights profile.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to create or change a rights profile in Rights. For more extensive information, see the online help.
This command enables you to add, modify, list, or delete a rights profile. The command works on files, and in a distributed name service, such as NIS, NIS+, or LDAP. The smprofile command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smprofile -D domain-name \ -r admin-role -l <Type admin-role password> \ add | modify -- -n profile-name \ -d description -m help-file -p supplementary-profile |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new profile.
Is a short description of the profile.
Is the name of the HTML help file that you have created and placed in the /usr/lib/help/profiles/locale/C directory.
Is the name of an existing rights profile that is included in this rights profile. You can specify multiple -p supplementary-profile options.
For more command options, see the smprofile(1M) man page.
In the following example, the Network Management rights profile is made a supplementary profile of the Network Security rights profile. The role that contains the Network Security profile can now configure the network and hosts, as well has run security-relevant commands.
$ /usr/sadm/bin/smprofile -D nisplus:/example.host/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n "Network Security" \ -d "Manage network and host configuration and security" \ -m RtNetConfSec.html -p "Network Management" |
The administrator created a new help file, RtNetConfSec.html, and placed it in the /usr/lib/help/profiles/locale/C directory, before running this command.
The following table shows sample data for a hypothetical rights profile that is called “Build Administrator”. This rights profile includes the commands in the subdirectory /usr/local/swctrl/bin. These commands have an effective UID of 0. The Build Administrator rights profile would be useful for administrators who manage the builds and versioning for software development.
Tab |
Field |
Example |
---|---|---|
General |
Name |
Build Administrator |
|
Description |
For managing software builds and versioning. |
|
Help File Name |
BuildAdmin.html |
Commands |
Add Directory |
Click Add Directory, type /usr/local/swctrl/bin in the dialog box, and click OK. |
|
Commands Denied / Commands Permitted |
Move /usr/local/swctrl/bin to the Commands Permitted column. |
|
Set Security Attributes |
Select /usr/local/swctrl/bin, click Set Security Attributes, and set Effective UID = root. |
Authorizations |
Authorizations Excluded / Authorizations Included |
No authorizations. |
Supplementary Rights |
Rights Excluded / Rights Included |
No supplementary rights profiles. |
Check the following if the rights profile does not provide the role with the capabilities that you expect:
Are the rights profiles for the role listed in the GUI from most to least powerful?
For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.
Is a command listed more than once in the role's rights profiles? If so, does the first instance of the command have all the security attributes that are required?
For example, a command can require privileges for particular options to the command. For the options that require privileges to succeed, the first instance of the command in the highest rights profile in the list must have the assigned privileges.
Do the commands in the role's rights profiles have the appropriate security attributes?
For example, when the policy is suser, some commands require uid=0 rather than euid=0 to succeed.
Has the name service cache, svc:/system/name-service-cache, been restarted?
The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.
User properties include password, rights profiles, roles, and authorizations. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
You must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
Use one of the following methods to change the RBAC properties of a user.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a user in User Accounts. For more extensive information, see the online help.
It is not good practice to assign authorizations, privileges, or rights profiles directly to users. The preferred approach is to assign a role to users. Users then assume a role to perform privileged operations.
This command modifies the attributes of a user that is defined in the local name service.
$ usermod -R rolename username |
Is the name of an existing local role.
Is the name of an existing, local user that you want to modify.
For more command options, see the usermod(1M) man page.
Use the smuser command with the modify subcommand.
This command modifies the attributes of a user in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smuser -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n username -a rolename |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the user who is being assigned rolename.
Is the name of the role that you are assigning to username. You can specify multiple -a rolenameoptions.
For more command options, see the smuser(1M) man page.
In this example, the user jdoe can now assume the role of System Administrator.
$ usermod -R sysadmin jdoe |
This role is added the roles that the user can assume.
In this example, the user jdoe is assigned two roles, System Administrator and Operator. Because the user and the roles are defined locally, the -D option is not necessary.
$ /usr/sadm/bin/smuser -r primaryadm -l <Type primaryadm password> \ modify -- -n jdoe -a sysadmin -a operadm |
In the following example, the user is defined in the NIS name service. Therefore, the -D option is required. Two roles are defined in the name service. One role, root, is defined locally.
$ /usr/sadm/bin/smuser -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n jdoe -a sysadmin -a operadm -a root |
A legacy application is a command or set of commands. The security attributes are set for each command in a rights profile. The rights profile is then included in a role. A user who assumes the role can run the legacy application with the security attributes.
To add legacy applications to the Solaris Management Console, see Adding Tools to the Solaris Management Console in System Administration Guide: Basic Administration.
You must have assumed the role of Primary Administrator or have switched to superuser to change the security attributes of a command in a rights profile.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a rights profile in Rights. For more extensive information, see the online help.
Add security attributes to the commands that implement the legacy application.
You add security attributes to a legacy application in the same way that you would for any command. You must add the command with security attributes to a rights profile. For a legacy command, give the command euid=0 or uid=0 security attributes. For details of the procedure, see How to Create or Change a Rights Profile.
After adding the legacy application to a rights profile, include the rights profile in a role's list of profiles.
To add a rights profile to a role, see How to Change the Properties of a Role.
If a command in a script needs to have the setuid bit or setgid bit set to succeed, the script executable and the command must have the security attributes added in a rights profile. Then, the rights profile is included in a role, and the role is assigned to a user. When the user assumes the role and executes the script, the command runs with the security attributes.
To add security attributes to a command or shell script, see How to Create or Change a Rights Profile.
To have a script for authorizations, you need to add a test that is based on the auths command. For detailed information about this command, see the auths(1) man page.
For example, the following line tests if the user has the authorization that is supplied as the $1 argument:
if [ `/usr/bin/auths|/usr/xpg4/bin/grep $1` ]; then echo Auth granted else echo Auth denied fi |
To be more complete, the test should include logic that checks for other authorizations that use wildcards. For example, to test if the user has the solaris.admin.usermgr.write authorization, you would need to check for the following strings:
solaris.admin.usermgr.write
solaris.admin.usermgr.*
solaris.admin.*
solaris.*
If you are writing a program, use the function getauthattr() to test for the authorization.