Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)
Users are assigned rights by default. Rights for all users of a system are assigned in the /etc/security/policy.conf file.
At Oracle Solaris installation, your system is configured with user rights and process rights. With no further configuration, use the following task map to view and use RBAC.
Use the following commands to list all authorizations, rights profiles, and commands with security attributes on the system. To list all defined privileges, see How to List the Privileges on the System.
% getent auth_attr | more
solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
solaris.account.:::Account Management::help=AccountHeader.html
...
solaris.zone.login:::Zone Login::help=ZoneLogin.html
solaris.zone.manage:::Zone Deployment::help=ZoneManage.html

% getent prof_attr | more
All:::Execute any command as the user or role:help=RtAll.html
Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
...
Zone Management:::Zones Virtual Application Environment Administration:help=RtZoneMngmnt.html
Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,solaris.auth.delegate;help=RtZoneSecurity.html
...

% getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
...
Use the following commands to view your RBAC assignments. To view all rights that can be assigned, see How to View All Defined Security Attributes.
% auths
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
These authorizations are assigned to all users by default.
% profiles
Basic Solaris User
All
These rights profiles are assigned to all users by default.
% roles
root
This role is assigned to the initial user by default. No roles indicates that you are not assigned a role.
% ppriv $$
1234: /bin/csh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
Every user is assigned the basic privilege set by default. The limit set is all privileges.
% ppriv -vl basic
file_link_any
        Allows a process to create hardlinks to files owned by a uid different from the process' effective uid.
file_read
        Allows a process to read objects in the filesystem.
file_write
        Allows a process to modify objects in the filesystem.
net_access
        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
        Allows a process to call execve().
proc_fork
        Allows a process to call fork1()/forkall()/vfork()
proc_info
        Allows a process to examine the status of processes other than those it can send signals to. Processes which cannot be examined cannot be seen in /proc and appear not to exist.
proc_session
        Allows a process to send signals or trace processes outside its session.

% profiles -l
Basic Solaris User
        /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
        /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
All
        *
A user's rights profiles can include commands that run with particular privileges. The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.
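As an added example, not part of the Oracle Solaris guide, the following shell audit reads exec_attr(4)-format lines such as the getent output above and lists, for the named rights profiles, every command that runs as uid 0 or with assigned privileges. The sample entries are constructed from the output shown above; on a live system the functions would be fed by getent exec_attr.

```shell
# Added example, not part of the Oracle Solaris guide: audit exec_attr
# entries for commands that run with an elevated identity or privileges.
# Field layout, as printed by "getent exec_attr":
#   name:policy:type:res1:res2:id:attr
# The sample is constructed from entries shown earlier in this page; on a
# live system use:  getent exec_attr | elevated_cmds "Profile Name" ...
EXEC_ATTR_SAMPLE='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr'

# elevated_cmds PROFILE... : read exec_attr lines on stdin and print
# "profile<TAB>command<TAB>attr" for each entry of the named profiles whose
# attr field sets uid=0/euid=0 or assigns privileges (privs=...).
elevated_cmds() {
    profs=$(printf '%s\n' "$@")
    awk -F: -v profs="$profs" '
        BEGIN { n = split(profs, p, "\n"); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 in want) {
            attrs = ";" $7 ";"        # delimit so ;key=value; matches whole keys only
            if (attrs ~ /;(uid|euid)=0;/ || attrs ~ /;privs=/)
                printf "%s\t%s\t%s\n", $1, $6, $7
        }'
}

# count_uid0 PROFILE... : number of commands in those profiles that run as
# superuser from a profile shell; a least-privilege review looks at these first.
count_uid0() {
    elevated_cmds "$@" | awk -F'\t' '{ a = ";" $3 ";"; if (a ~ /;(uid|euid)=0;/) print }' \
        | wc -l | tr -d ' '
}

# Demo: the commands a user holding "Basic Solaris User" and "Zone Security"
# could run with elevated rights.
printf '%s\n' "$EXEC_ATTR_SAMPLE" | elevated_cmds "Basic Solaris User" "Zone Security"
```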
Example 9-1 Listing a User's Authorizations
% auths username
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
Example 9-2 Listing a User or Role's Rights Profiles
The following command lists the rights profiles of a specific user.
% profiles jdoe
jdoe:
        Basic Solaris User
        All
The following command lists the rights profiles of the cryptomgt role.
% profiles cryptomgt
cryptomgt:
        Crypto Management
        Basic Solaris User
        All
The following command lists the rights profiles of the root role:
% profiles root
root:
        All
        Console User
        Network Wifi Info
        Desktop Removable Media User
        Suspend To RAM
        Suspend To Disk
        Brightness
        CPU Power Management
        Network Autoconf User
        Basic Solaris User
Example 9-3 Listing a User's Assigned Roles
The following command lists the assigned roles of a specific user.
% roles jdoe
root
Example 9-4 Listing a User's Privileges on Specific Commands
The following command lists the privileged commands in a regular user's rights profiles.
% profiles -l jdoe
jdoe:
Basic Solaris User
        /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
        /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
All
        *
Before You Begin
The role must already be assigned to you. The naming service must be updated with that information.
% roles
Comma-separated list of role names is displayed

% su - rolename
Password: <Type rolename password>
$
The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes, such as authorizations, privileges, and set ID bits.
$ /usr/bin/whoami
rolename
You can now perform role tasks in this terminal window.
For the procedure, see How to View Your Assigned Rights.
Example 9-5 Assuming the root Role
In the following example, the initial user assumes the root role and lists the privileges in the role's shell.
% roles
root
% su - root
Password: <Type root password>
# Prompt changes to root prompt
# ppriv $$
1200: pfksh
flags = <none>
        E: all
        I: basic
        P: all
        L: all
For information about privileges, see Privileges (Overview).
Administrative rights are in effect when you are running a profile shell. By default, a role account is assigned a profile shell. Roles are special accounts that are assigned specific administrative rights, typically for a related set of administrative activities, such as reviewing audit files.
In the root role, the initial user has all administrative rights, that is, the initial user is superuser. The root role can create other roles.
Before You Begin
To administer the system, you must have rights that regular users are not assigned. If you are not superuser, you must be assigned a role, an administrative rights profile, or specific privileges or authorizations.
Open a terminal window.
% su -
Password: Type the root password
#
Note - This method works whether root is a user or a role. The pound sign (#) prompt indicates that you are now superuser.
In the following example, you assume a network management role. This role includes the Network Management rights profile.
% su - networkadmin
Password: Type the networkadmin password
$
You are now in a profile shell. In this shell, you can run snoop, route, dladm, and other commands. For more about profile shells, see Profile Shells and RBAC.
For example, the following set of commands enables you to examine network packets in the pfbash shell:
% pfbash
$ snoop

If you are not assigned the net_observability privilege, the snoop command fails with an error message similar to the following:
snoop: cannot open "net0": Permission denied
If you are assigned the privilege directly, or through a rights profile or a role, this command succeeds. You can also run additional privileged commands in this shell.
Run the pfexec command with the name of a privileged command from your rights profile. For example, the following command enables you to examine network packets:
% pfexec snoop
The same privilege limitations apply to pfexec as to pfbash. However, to run another privileged command, you must type pfexec again before you type the privileged command.
Example 9-6 Caching Authentication for Ease of Role Use
In this example, the administrator configures a role to manage the network, but provides ease of use by caching the user's authentication. First, the administrator creates and assigns the role.
# roleadd -K roleauth=user -P "Network Management" netmgt
# usermod -R +netmgt jdoe
When jdoe uses the -c option when switching to the role, a password is required before the snoop output is displayed:
% su - netmgt -c snoop options
Password:
snoop output
If authentication is not being cached, and jdoe runs the command again immediately, a password prompt appears.
The administrator configures the pam.conf file to cache authentication, so that a password is initially required, but not thereafter until a certain amount of time has passed. The administrator places all pam.conf customized stacks at the end of the file.
# vi /etc/pam.conf
...
#
## Cache authentication for switched user
#
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1
After creating the entries, the administrator checks the entries for typos, omissions, or repetitions.
The entire su stack is required. The pam_tty_tickets.so.1 module provides the cache. For more about PAM, see the pam.conf(4) man page and Chapter 15, Using PAM.
After the su PAM stack is added to the pam.conf file, the netmgt role is prompted only once for a password when running a series of commands.
% su - netmgt -c snoop options
Password:
snoop output
% su - netmgt -c snoop options
snoop output
...
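As an added example, not part of the Oracle Solaris guide, the following shell check compares the su auth lines of a pam.conf against the five-module stack in this example and reports omissions, wrong control flags and repeated lines, the same review the administrator performs by eye after editing the file. The two pam.conf excerpts are constructed; on a live system the check would read /etc/pam.conf.

```shell
# Added example, not part of the Oracle Solaris guide: verify that the su
# auth stack in a pam.conf matches the cached-authentication stack above,
# in order, with no omissions, wrong flags or repeated lines.
EXPECTED_STACK='required pam_unix_cred.so.1
sufficient pam_tty_tickets.so.1
requisite pam_authtok_get.so.1
required pam_dhkeys.so.1
required pam_unix_auth.so.1'

# su_auth_stack: from pam.conf text on stdin, print "flag module" for each
# "su auth" line in file order; comments, other services and module options
# after the module name are ignored.
su_auth_stack() {
    awk '$1 == "su" && $2 == "auth" { print $3, $4 }'
}

# check_su_stack: stdin = pam.conf text. Prints OK and returns 0 on an exact
# match; otherwise names missing or mis-flagged lines and repeated lines.
check_su_stack() {
    actual=$(su_auth_stack)
    if [ "$actual" = "$EXPECTED_STACK" ]; then
        echo "OK: su auth stack matches"; return 0
    fi
    printf '%s\n' "$EXPECTED_STACK" | while read -r flag mod; do
        printf '%s\n' "$actual" | grep -qxF "$flag $mod" \
            || echo "MISSING or WRONG FLAG: su auth $flag $mod"
    done
    printf '%s\n' "$actual" | sort | uniq -d | sed 's/^/REPEATED: su auth /'
    echo "MISMATCH: su auth stack differs from the expected stack"
    return 1
}

# Constructed pam.conf excerpts: one correct, one with pam_unix_cred.so.1
# omitted and pam_tty_tickets.so.1 entered twice.
PAM_GOOD='login   auth requisite          pam_authtok_get.so.1
su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1'
PAM_BAD='su      auth sufficient         pam_tty_tickets.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1'

printf '%s\n' "$PAM_GOOD" | check_su_stack
printf '%s\n' "$PAM_BAD" | check_su_stack || true   # non-zero status flags the problem
```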