System Administration Guide: Security Services

Contents of Rights Profiles

This section describes some typical rights profiles.

The tables in the following sections show the purpose and the contents of these rights profiles, including the commands, authorizations, supplementary rights, rights profiles, and associated help files.

Help files are in HTML and can be readily customized, if required. These files reside in the /usr/lib/help/auths/locale/C directory.

The Solaris Management Console Rights tool provides another way of inspecting the contents of the rights profiles.

All Rights Profile

The All rights profile uses the wildcard to include all commands, except for those commands without security attributes. This rights profile provides a role with access to all commands that are not explicitly assigned in other rights profiles. Without the All rights profile or some other rights profiles that use wildcards, a role has access to explicitly assigned commands only, which is not very practical.

Because commands in rights profiles are interpreted in the order in which they occur, any wildcard settings should be positioned last so that explicit attribute assignments are not inadvertently overridden. The All rights profile, if used, should be the final rights profile that is assigned.
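The ordering rule above can be illustrated with a small resolver. This is example code added here, not from the guide or from Solaris itself: it models the first-match lookup the text describes, walks a role's rights profiles in their assigned order, and reports whether a wildcard profile such as All has been placed anywhere but last. The profile table is constructed for illustration (the Media Backup entry in particular is invented); the entry notation mirrors the path:attr=value form used in this chapter's tables.

```python
"""Resolve the security attributes a role receives for a command.

Rights profiles are searched in the order they are assigned and the
first matching entry wins, so a wildcard entry ("*", as in the All
profile) placed early swallows every later explicit assignment.
Example code, not part of the guide; the profile table is constructed.
"""
from fnmatch import fnmatch

# Constructed profile table: profile name -> ordered "command[:attr=value,...]"
# entries.  "*" is the wildcard entry used by All; it carries no attributes.
PROFILES = {
    "Printer Management": [
        "/usr/sbin/accept:euid=lp",
        "/usr/bin/lpstat:euid=0",
        "/usr/lib/lp/lpsched:uid=0",
    ],
    "Media Backup": [
        "/usr/sbin/tar:euid=0",   # constructed entry for illustration
    ],
    "All": ["*"],
}


def parse_entry(entry):
    """Split 'path:k=v,k=v' into (path, {k: v}); a bare path has no attributes."""
    path, _, attr_str = entry.partition(":")
    attrs = {}
    for pair in filter(None, attr_str.split(",")):
        key, _, value = pair.partition("=")
        attrs[key] = value
    return path, attrs


def resolve(command, assigned_profiles, profiles=PROFILES):
    """Return (profile_name, attrs) for the first entry matching command,
    searching assigned_profiles in order; None if no profile grants it."""
    for name in assigned_profiles:
        for entry in profiles.get(name, []):
            path, attrs = parse_entry(entry)
            if fnmatch(command, path):
                return name, attrs
    return None


def check_wildcard_last(assigned_profiles, profiles=PROFILES):
    """Return the profiles that contain a wildcard entry but are not the
    final assigned profile, i.e. the ordering mistake the text warns about."""
    misplaced = []
    last = len(assigned_profiles) - 1
    for idx, name in enumerate(assigned_profiles):
        has_wildcard = any(parse_entry(e)[0] == "*" for e in profiles.get(name, []))
        if has_wildcard and idx != last:
            misplaced.append(name)
    return misplaced


if __name__ == "__main__":
    good_order = ["Printer Management", "Media Backup", "All"]
    bad_order = ["All", "Printer Management", "Media Backup"]
    print(resolve("/usr/sbin/accept", good_order))  # ('Printer Management', {'euid': 'lp'})
    print(resolve("/usr/sbin/accept", bad_order))   # ('All', {}) -- euid=lp is lost
    print(check_wildcard_last(bad_order))           # ['All']
```

With All last, /usr/sbin/accept resolves to the Printer Management entry and runs with euid=lp; with All first, the wildcard matches before the explicit entry is reached and the command runs with no security attributes at all, which is the override the text says to avoid.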

Table 19–1 Contents of All Rights Profile

Purpose: To execute any command as the user or role

Contents:
  Commands: *
  Help File: RtAll.html

Primary Administrator Rights Profile

The Primary Administrator rights profile is assigned to the most powerful role on the system, effectively giving that role superuser capabilities.

The help file RtPriAdmin.html is identified so that a site can modify it if necessary. Help files are stored in the /usr/lib/help/auths/locale/C directory.

Note also that if the Primary Administrator rights profile is not consistent with a site's security policy, it can be modified or not assigned at all. However, the security capabilities in the Primary Administrator rights profile would need to be handled in one or more other rights profiles.

Table 19–2 Contents of Primary Administrator Rights Profile

Purpose: To perform all administrative tasks

Contents:
  Commands: *
  Authorizations: solaris.*, solaris.grant
  Help File: RtPriAdmin.html

System Administrator Rights Profile

The System Administrator rights profile is intended for the System Administrator role. Because the System Administrator does not have the broad powers of the Primary Administrator, no wildcards are used. Instead, discrete administrative rights profiles that do not deal with security are assigned. The commands that are assigned to the supplementary rights profiles are not shown in the following table.

Notice that the All rights profile is assigned at the end of the list of supplementary rights profiles.

Table 19–3 Contents of System Administrator Rights Profile

Purpose: To perform most nonsecurity administrative tasks

Contents:
  Supplementary rights profiles: Audit Review, Printer Management, Cron Management, Device Management, File System Management, Mail Management, Maintenance and Repair, Media Backup, Media Restore, Name Service Management, Network Management, Object Access Management, Process Management, Software Installation, User Management, All
  Help File: RtSysAdmin.html

Operator Rights Profile

The Operator rights profile is a less powerful administrative rights profile that provides the ability to do backups and printer maintenance. Restoring files has greater security consequences, so by default that ability is not assigned to this rights profile.

Table 19–4 Contents of Operator Rights Profile

Purpose: To perform simple administrative tasks

Contents:
  Supplementary rights profiles: Printer Management, Media Backup, All
  Help File: RtOperator.html

Basic Solaris User Rights Profile for User

By default, the Basic Solaris User rights profile is assigned automatically to all users through the policy.conf file. This rights profile provides basic authorizations that are useful in normal operations. Note that the convenience that is offered by the Basic Solaris User rights profile must be balanced against site security requirements. Those sites that need stricter security might prefer to remove this rights profile from the policy.conf file.

Table 19–5 Contents of Basic Solaris User Rights Profile

Purpose: To automatically assign rights to all users

Contents:
  Authorizations: solaris.profmgr.read, solaris.admin.usermgr.read, solaris.admin.logsvc.read, solaris.admin.fsmgr.read, solaris.admin.serialmgr.read, solaris.admin.diskmgr.read, solaris.admin.procmgr.user, solaris.compsys.read, solaris.admin.printer.read, solaris.admin.prodreg.read, solaris.admin.dcmgr.read
  Supplementary rights profiles: All
  Help File: RtDefault.html

Printer Management Rights Profile

Printer Management is a typical rights profile that is intended for a specific task area. Both authorizations and commands are assigned to the Printer Management rights profile. The following table shows a partial list of commands.

Table 19–6 Contents of Printer Management Rights Profile

Purpose: To manage printers, daemons, and spooling

Contents:
  Authorizations: solaris.admin.printer.delete, solaris.admin.printer.modify, solaris.admin.printer.read
  Commands (partial list): /usr/sbin/accept:euid=lp, /usr/ucb/lpq:euid=0, /etc/init.d/lp:euid=0, /usr/bin/lpstat:euid=0, /usr/lib/lp/lpsched:uid=0, /usr/sbin/lpfilter:euid=lp
  Help File: RtPrntMngmnt.html