This section describes some typical rights profiles.
The All rights profile provides role access to commands without security attributes.
The Primary Administrator rights profile is designed specifically for the Primary Administrator role. The Primary Administrator rights profile allows the use of wildcards.
The System Administrator rights profile is designed specifically for the System Administrator role. The System Administrator rights profile uses discrete supplementary profiles to create a powerful role.
The Operator rights profile is designed specifically for the Operator role. The Operator rights profile uses a few discrete supplementary profiles to create a simple role.
The Basic Solaris User rights profile shows how the policy.conf file can be used to assign tasks to users that are not related to security.
The Printer Management rights profile exemplifies a profile that is dedicated to a single area of administration.
The tables in the following sections show the purpose and the contents of these rights profiles, including the commands, authorizations, supplementary rights, rights profiles, and associated help files.
Help files are in HTML and can be readily customized, if required. These files reside in the /usr/lib/help/auths/locale/C directory.
The Solaris Management Console Rights tool provides another way of inspecting the contents of the rights profiles.
The All rights profile uses the wildcard to include all commands, except for those commands without security attributes. This rights profile provides a role with access to all commands that are not explicitly assigned in other rights profiles. Without the All rights profile or some other rights profiles that use wildcards, a role has access to explicitly assigned commands only, which is not very practical.
Because commands in rights profiles are interpreted in the order in which they occur, any wildcard settings should be positioned last so that explicit attribute assignments are not inadvertently overridden. The All rights profile, if used, should be the final rights profile that is assigned.
Table 19–1 Contents of All Rights Profile

| Purpose | Contents |
|---|---|
| To execute any command as the user or role | Commands: `*`; Help File: `RtAll.html` |
The Primary Administrator rights profile is assigned the most powerful role on the system, effectively providing that role with superuser capabilities.
The solaris.* authorization effectively assigns all of the authorizations that are provided by the Solaris software.
The solaris.grant authorization lets a role assign any authorization to any rights profile, role, or user.
The command assignment *:uid=0;gid=0 provides the ability to run any command with UID=0 and GID=0.
The help file RtPriAdmin.html is identified so that a site can modify it if necessary. Help files are stored in the /usr/lib/help/auths/locale/C directory.
Note also that if the Primary Administrator rights profile is not consistent with a site's security policy, it can be modified or not assigned at all. However, the security capabilities in the Primary Administrator rights profile would need to be handled in one or more other rights profiles.
Table 19–2 Contents of Primary Administrator Rights Profile

| Purpose | Contents |
|---|---|
| To perform all administrative tasks | Commands: `*`; Authorizations: `solaris.*`, `solaris.grant`; Help File: `RtPriAdmin.html` |
The System Administrator rights profile is intended for the System Administrator role. Because the System Administrator does not have the broad powers of the Primary Administrator, no wildcards are used. Instead, discrete administrative rights profiles that do not deal with security are assigned. The commands that are assigned to the supplementary rights profiles are not shown in the following table.
Notice that the All rights profile is assigned at the end of the list of supplementary rights profiles.
Table 19–3 Contents of System Administrator Rights Profile

| Purpose | Contents |
|---|---|
| To perform most nonsecurity administrative tasks | Supplementary rights profiles: Audit Review, Printer Management, Cron Management, Device Management, File System Management, Mail Management, Maintenance and Repair, Media Backup, Media Restore, Name Service Management, Network Management, Object Access Management, Process Management, Software Installation, User Management, All; Help File: `RtSysAdmin.html` |
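The ordering rule above (commands are matched in profile order, so a wildcard profile such as All must come last) is easy to get wrong when profiles are assigned by hand. The following added example, which is not part of the Solaris documentation, resolves a command through an ordered profile list the way the profile shell does: first matching entry wins. The exec_attr lines are constructed from the profile contents listed in this section, using the exec_attr(4) field layout `name:policy:type:res1:res2:id:attr`.

```python
"""Resolve a command's security attributes through an ordered list of rights
profiles: the first matching exec_attr entry wins, and '*' matches any command.
Added example; the entries below are constructed from the tables in this section."""
from fnmatch import fnmatchcase

# Constructed exec_attr entries (subset of what the tables describe).
EXEC_ATTR = """\
All:suser:cmd:::*:
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
"""


def parse_exec_attr(text):
    """Return {profile: [(command_pattern, {attr: value}), ...]} in file order."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _policy, kind, _res1, _res2, cmd, attrs = line.split(":", 6)
        if kind != "cmd":
            continue
        attr_map = dict(kv.split("=", 1) for kv in attrs.split(";") if kv)
        table.setdefault(name, []).append((cmd, attr_map))
    return table


def resolve(profiles, command, table):
    """Walk the profiles in their assigned order; the first entry whose
    pattern matches decides the attributes. (None, None) means no profile
    grants the command at all, so a role's profile shell would refuse it."""
    for prof in profiles:
        for pattern, attrs in table.get(prof, []):
            if fnmatchcase(command, pattern):
                return prof, attrs
    return None, None


if __name__ == "__main__":
    table = parse_exec_attr(EXEC_ATTR)
    # Operator as the tables assign it: All comes last, so accept runs as lp.
    print(resolve(["Printer Management", "Media Backup", "All"], "/usr/sbin/accept", table))
    # All placed first: the wildcard shadows the euid=lp entry and accept
    # runs with no security attributes, which is the mistake the text warns about.
    print(resolve(["All", "Printer Management", "Media Backup"], "/usr/sbin/accept", table))
```

The second call is the misordering the text warns about: the wildcard entry from All is hit before Printer Management's explicit `euid=lp` assignment, so the command silently loses its attributes.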
The Operator rights profile is a less powerful administrative rights profile that provides the ability to do backups and printer maintenance. The ability to restore files has more security consequences, and the default is not to assign it to this rights profile.
Table 19–4 Contents of Operator Rights Profile

| Purpose | Contents |
|---|---|
| To perform simple administrative tasks | Supplementary rights profiles: Printer Management, Media Backup, All; Help File: `RtOperator.html` |
By default, the Basic Solaris User rights profile is assigned automatically to all users through the policy.conf file. This rights profile provides basic authorizations that are useful in normal operations. Note that the convenience that is offered by the Basic Solaris User rights profile must be balanced against site security requirements. Those sites that need stricter security might prefer to remove this rights profile from the policy.conf file.
Table 19–5 Contents of Basic Solaris User Rights Profile

| Purpose | Contents |
|---|---|
| To automatically assign rights to all users | Authorizations: `solaris.profmgr.read`, `solaris.admin.usermgr.read`, `solaris.admin.logsvc.read`, `solaris.admin.fsmgr.read`, `solaris.admin.serialmgr.read`, `solaris.admin.diskmgr.read`, `solaris.admin.procmgr.user`, `solaris.compsys.read`, `solaris.admin.printer.read`, `solaris.admin.prodreg.read`, `solaris.admin.dcmgr.read`; Supplementary rights profiles: All; Help File: `RtDefault.html` |
Printer Management is a typical rights profile that is intended for a specific task area. Both authorizations and commands are assigned to the Printer Management rights profile. The following table shows a partial list of commands.
Table 19–6 Contents of Printer Management Rights Profile

| Purpose | Contents |
|---|---|
| To manage printers, daemons, and spooling | Authorizations: `solaris.admin.printer.delete`, `solaris.admin.printer.modify`, `solaris.admin.printer.read`; Commands: `/usr/sbin/accept:euid=lp`, `/usr/ucb/lpq:euid=0`, `/etc/init.d/lp:euid=0`, `/usr/bin/lpstat:euid=0`, `/usr/lib/lp/lpsched:uid=0`, `/usr/sbin/lpfilter:euid=lp`; Help File: `RtPrntMngmnt.html` |