Managing Users and Rights (Task Map)

In Trusted Extensions, you assume the Security Administrator role to administer users, authorizations, rights, and roles. The following task map describes common tasks that you perform for users who operate in a labeled environment.

How to Modify a User's Label Range

You might want to extend a user's label range to give the user read access to an administrative application. For example, a user who can log in to the global zone could then view a list of the systems that run at a particular label. The user could view, but not not change the contents.

Alternatively, you might want to restrict the user's label range. For example, a guest user might be limited to one label.

Before You Begin

You must be in the Security Administrator role in the global zone.

• Do one of the following:
  • To extend the user's label range, assign a higher clearance.

    # usermod -K min_label=INTERNAL -K clearance=ADMIN_HIGH jdoe

    You can also lower the minimum label.

    # usermod -K min_label=PUBLIC -K clearance=INTERNAL jdoe

    For more information, see the usermod(1M) and user_attr(4) man pages.

  • To restrict the label range to one label, make the clearance equal to the minimum label.

    # usermod -K min_label=INTERNAL -K clearance=INTERNAL jdoe

How to Create a Rights Profile for Convenient Authorizations

Where site security policy permits, you might want to create a rights profile that contains authorizations for users who can perform tasks that require authorization. To enable every user of a particular system to be authorized, see How to Modify policy.conf Defaults.

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Create a rights profile that contains one or more of the following authorizations.

   For the step-by-step procedure, see How to Create or Change a Rights Profile in System Administration Guide: Security Services.

   The following authorizations that might be convenient for users:

   • solaris.device.allocate – Authorizes a user to allocate a peripheral device, such as a microphone.

     By default, Oracle Solaris users can read and write to a CD-ROM. However, in Trusted Extensions, only users who can allocate a device can access the CD-ROM drive. To allocate the drive for use requires authorization. Therefore, to read and write to a CD-ROM in Trusted Extensions, a user needs the Allocate Device authorization.

   • solaris.label.file.downgrade – Authorizes a user to lower the security level of a file

   • solaris.label.file.upgrade – Authorizes a user to heighten the security level of a file.

   • solaris.label.win.downgrade – Authorizes a user to select information from a higher-level file and place that information in a lower-level file.

   • solaris.label.win.noview – Authorizes a user to move information without viewing the information that is being moved.

   • solaris.label.win.upgrade – Authorizes a user to select information from a lower-level file and place that information in a higher-level file.

   • solaris.login.remote – Authorizes a user to remotely log in.

   • solaris.print.ps – Authorizes a user to print PostScript files.

   • solaris.print.nobanner - Authorizes a user to print hard copy without a banner page.

   • solaris.print.unlabeled – Authorizes a user to print hard copy that does not display labels.

   • solaris.system.shutdown – Authorizes a user to shut down the system and to shut down a zone.

2. Assign the rights profile to a user or a role.

   For the step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.

How to Restrict a User's Set of Privileges

Site security might require that users be permitted fewer privileges than users are assigned by default. For example, at a site that uses Trusted Extensions on Sun Ray systems, you might want to prevent users from viewing other users' processes on the Sun Ray server.

Before You Begin

You must be in the Security Administrator role in the global zone.

• Remove one or more of the privileges in the basic set.

  ---

  Caution - Do not remove the proc_fork or the proc_exec privilege. Without these privileges, the user would not be able to use the system.

  ---

  # usermod -K defaultpriv=basic,!proc_session,!file_link_any

  By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.

How to Prevent Account Locking for Users

Turn off account locking for users who can assume a role.

Before You Begin

You must be in the Security Administrator role in the global zone.

• Turn off account locking for a user.

  # usermod -K lock_after_retries=no jdoe

How to Enable a User to Change the Security Level of Data

A regular user or a role can be authorized to change the security level, or labels, of files and directories. The user or role, in addition to having the authorization, must be configured to work at more than one label. And, the labeled zones must be configured to permit relabeling. For the procedure, see How to Enable Files to be Relabeled From a Labeled Zone.

---

Caution - Changing the security level of data is a privileged operation. This task is for trustworthy users only.

---

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Follow the procedure How to Create a Rights Profile for Convenient Authorizations to create a rights profile.

   The following authorizations enable a user to relabel a file:

   • Downgrade File Label

   • Upgrade File Label

   The following authorizations enable a user to relabel information within a file:

   • Downgrade DragNDrop or CutPaste Info

   • DragNDrop or CutPaste Info Without Viewing

   • Upgrade DragNDrop or CutPaste Info

2. Assign the profile to the appropriate users and roles.

   For a step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.

How to Delete a User Account From a Trusted Extensions System

When a user is removed from the system, you must ensure that the user's home directory and any objects that the user owns are also deleted. As an alternative to deleting objects that are owned by the user, you might change the ownership of these objects to a valid user.

You must also ensure that all batch jobs that are associated with the user are also deleted. No objects or processes belonging to a removed user can remain on the system.

Before You Begin

You must be in the System Administrator role.

1. Archive the user's home directory at every label.
2. Archive the user's mail files at every label.
3. Delete the user account.

   # userdel -r jdoe

4. In every labeled zone, manually delete the user's directories and mail files.

   ---

   Note - You are responsible for finding and deleting the user's temporary files at all labels, such as files in /tmp directories.

   ---