|Skip Navigation Links|
|Exit Print View|
|Transitioning From Oracle Solaris 10 to Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library|
The following information describes how roles, rights, privileges, and authorizations work in Oracle Solaris 11:
Assign versus delegate authorizations – Oracle Solaris provides authorizations for delegating specific administrative rights to individual users and roles to implement separation of duty. In Oracle Solaris 10, authorizations ending in .grant are required to delegate an authorization to another user. In Oracle Solaris 11, two new suffixes, .assign and .delegate, are used, for example, solaris.profile.assign and solaris.profile.delegate. The former grants the right to delegate any rights profile to any user or role. The latter is more restrictive, in that only the rights profiles that are already assigned to the current user can be delegated. Since the root role is assigned solaris.*, this role can assign any authorization to any user or role. As a safety measure, no authorizations that end in .assign are included in any profiles by default.
groupadd Command Changes – At group creation, the system now assigns the solaris.group.assign/groupname authorization to the administrator. This authorization gives the administrator complete control over that group, enabling the administrator to modify or delete the groupname, as needed. For more information, see the groupadd(1M) and groupmod(1M) man pages.
Media Restore rights profile – This rights profile and set of authorizations can escalate the privileges of a non root account. The profile exists, but is not part of any other rights profile. Because the Media Restore rights profile provides access to the entire root file system, its use is a possible escalation of privilege. Deliberately altered files or substitute media could be restored. By default, the root role includes this rights profile.
Primary Administrator profile removed – The initial user that is created at installation time is given the following roles and rights:
System Administrator rights profile
Access to the sudo command for all commands that are run as root
Role authentication – You can specify either user or role for the roleauth keyword. See user_attr(4).
root as a Role – root is now a role by default, therefore, not anonymous and cannot remotely log in to a system. For information about changing the root role to a user, see How to Change the root Role Into a User in Oracle Solaris 11.1 Administration: Security Services.
Oracle Solaris basic privileges include the following:
Profile shell versions of regular shells – Every regular shell now has its own profile version. The following profile shells are available:
Rights profiles – The user_attr, prof_attr, and exec_attr databases are now read-only. These local files databases are assembled from fragments that are located in /etc/user_attr.d, /etc/security/prof_attr.d, and /etc/security/exec_attr.d. The fragment files are not merged into a single version of the file, but left as fragments. This change enables packages to deliver complete or partial RBAC profiles. Entries that are added to the local files repository with the useradd and profiles commands are added to the local-entries file in the fragment directory. To add or modify a profile, use the profiles command. See About Rights Profiles.
Stop rights profile – This profile enables administrators to create restricted accounts. See RBAC Rights Profiles in Oracle Solaris 11.1 Administration: Security Services.
pfsh script command – This command now runs the same as the pfsh -c script command. Previously, commands within a script would not be able to take advantage of RBAC, unless the script specified a profile shell as its first line. This rule required you to modify any scripts to use RBAC, which is now unnecessary because the caller of the script (or an ancestor within the session) can specify a profile shell.
pfexec command – This command is now no longer setuid root. The new PF_PFEXEC process attribute is set when the pfexec command or a profile shell is executed. Then, the kernel sets the appropriate privileges on exec. This implementation ensures that sub-shells are empowered or restricted, as appropriate.
When the kernel is processing an exec(2), it treats setuid to root differently. Note that setuid to any other uid or setgid is as it was previously. The kernel now searches for an entry in the Forced Privilege RBAC profile in exec_attr(4) to determine which privileges the program should run with. Instead of having the program start with uid root and all privileges, the program runs with the current uid and only the additional privileges that the Forced Privilege RBAC execution profile have assigned to that path name.
Rights profiles are collections of authorizations and other security attributes, commands with security attributes, and supplementary rights profiles. Oracle Solaris provides many rights profiles. You can modify existing rights profiles, as well as create new ones. Note that rights profiles must be assigned in order, from most to least powerful.
The following are some of the rights profiles that are available:
System Administrator – Is a profile that is able to perform most tasks that are not connected with security. This profile includes several other profiles to create a powerful role. Use the profiles command to display information about this profile. See Example 9-1.
Operator – Is a profile with limited capabilities to manage files and offline media.
Printer Management – Is a profile that provides a limited number of commands and authorizations to handle printing.
Basic Solaris User – Is a profile that enables users to use the system within the bounds of security policy. This profile is listed by default in the policy.conf file.
Console User – Is a profile for the workstation owner. This profile provides access to authorizations, commands, and actions for the person who is seated at the computer.
Other rights profiles that are available in this release include the All rights profile and the Stop rights profile. For more information, see Chapter 10, Security Attributes in Oracle Solaris (Reference), in Oracle Solaris 11.1 Administration: Security Services.
Example 9-1 Displaying Information About the System Administrator Rights Profile
Use the profiles command to display information about a specific rights profile. In the following example, information about the System Administrator rights profile is displayed:
$ profiles -p "System Administrator" info name=System Administrator desc=Can perform most non-security administrative tasks profiles=Install Service Management,Audit Review,Extended Accounting Flow Management,Extended Accounting Net Management,Extended Accounting Process Management, Extended Accounting Task Management,Printer Management,Cron Management,Device Management, File System Management,Log Management,Mail Management,Maintenance and Repair, Media Backup,Media Catalog,Media Restore,Name Service Management,Network Management Object Access Management,Process Management,Project Management,RAD Management, Service Operator,Shadow Migration Monitor,Software Installation,System Configuration,User Management,ZFS Storage Management help=RtSysAdmin.html
When a user is directly assigned privileges, in effect, the privileges are in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.
To view privileges online, see privileges(5). The privilege format that is displayed is used by developers.
$ man privileges Standards, Environments, and Macros privileges(5) NAME privileges - process privilege model ... The defined privileges are: PRIV_CONTRACT_EVENT Allow a process to request reliable delivery of events to an event endpoint. Allow a process to include events in the critical event set term of a template which could be generated in volume by the user. ...
Example 9-2 Viewing Directly-Assigned Privileges
If you have been directly assigned privileges, then your basic set contains more than the default basic set. In the following example, the user always has access to the proc_clock_highres privilege.
$ /usr/bin/whoami jdoe $ ppriv -v $$ 1800: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session I: file_link_any,…,proc_clock_highres,proc_session P: file_link_any,…,proc_clock_highres,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time $ ppriv -vl proc_clock_highres Allows a process to use high resolution timers.
To view authorizations, use the auths command:
$ auths list
The output of this command produces a more readable summary (one per line) of the authorizations that are assigned to a user. Starting with Oracle Solaris 11.1, several new options have been added to the auths command. For example, the check option is useful for scripting. Other new options provide the ability to add, modify, and remove authorizations to and from files or LDAP. See auths(1).