System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library
Determining Your Privileges (Task Map)
Determining Your Assigned Privileges
How to Determine the Privileges That You Have Been Directly Assigned
How to Determine the Privileged Commands That You Can Run
How to Determine the Privileged Commands That a Role Can Run
When a user is directly assigned privileges, the privileges are in effect in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.
The following procedure shows how to determine if you have been directly assigned privileges.
Caution - Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
See How to Determine the Privileges on a Process for the procedure.
The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set.
Example 11-9 Determining Your Directly-Assigned Privileges
If you have been directly assigned privileges, then your basic set contains more than the default basic set. In this example, the user always has access to the proc_clock_highres privilege.
% /usr/ucb/whoami
jdoe
% ppriv -v $$
1800:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session
        I: file_link_any,…,proc_clock_highres,proc_session
        P: file_link_any,…,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
% ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.
Example 11-10 Determining a Role's Directly-Assigned Privileges
Roles use an administrative shell, or profile shell. Users who assume a role can use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role realtime has been directly assigned privileges to handle date and time programs.
% su - realtime
Password: <Type realtime password>
$ /usr/ucb/whoami
realtime
$ ppriv -v $$
1600:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session,sys_time
        I: file_link_any,…,proc_clock_highres,proc_session,sys_time
        P: file_link_any,…,proc_clock_highres,proc_session,sys_time
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
When a user is not directly assigned privileges, then the user gets access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell.
Before You Begin
The user or role who authenticates to the Solaris Management Console must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.
$ /usr/sadm/bin/smuser list -- -n username -l
Authenticating as user: admin
…
Please enter a string value for: password ::
…
User name:      username
User ID (UID):  130
Primary group:  staff
Secondary groups:
Comment: object mgt jobs
Login Shell: /bin/sh
Home dir server: system
Home directory: /export/home/username
AutoHome setup: True
Mail server: system
Rights: Object Access Management
Assigned Roles:
The “Rights” line lists the names of the rights profiles that have been directly assigned to you.
$ cd /etc/security
$ grep "Object Access Management" exec_attr
Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown
Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown
Object Access Management:suser:cmd:::/usr/bin/chgrp:euid=0
Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0
…
The commands with added privileges are listed at the end of solaris policy entries.
When the commands are typed in a regular shell, the commands do not run with privilege, and do not succeed.
% pfsh
$
Example 11-11 Running Privileged Commands in a Profile Shell
In the following example, the user jdoe cannot change the group ownership of a file from his regular shell. However, jdoe can change the group and the owner when typing the commands in a profile shell.
% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 nodoe eng 262 Apr 2 10:52 useful.script
% chgrp staff useful.script
chgrp: useful.script: Not owner
% pfksh
$ /usr/ucb/whoami
jdoe
$ chgrp staff useful.script
$ chown jdoe useful.script
$ ls -l useful.script
-rwxr-xr-- 1 jdoe staff 262 Apr 2 10:53 useful.script
A role gets access to privileged commands through a rights profile that contains commands with assigned privileges. The most secure way to provide a user with access to privileged commands is to assign a role to them. After assuming the role, the user can execute all the privileged commands that are included in the rights profiles for that role.
Before You Begin
The user or role who authenticates to the Solaris Management Console must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.
$ /usr/sadm/bin/smuser list -- -n username -l
Authenticating as user: primadmin
…
User name:      username
User ID (UID):  110
Primary group:  staff
Secondary groups:
Comment: Has admin roles
Login Shell: /bin/sh
…
Rights:
Assigned Roles: primadmin, admin
The “Assigned Roles” line lists the roles that you can assume.
% su - devadmin
Enter password: <Type devadmin password>
$ whoami
devadmin
$ profiles
Device Security
$ /usr/sadm/bin/smuser list -- -n admin -l
Authenticating as user: primadmin
…
User name:      admin
User ID (UID):  101
Primary group:  sysadmin
Secondary groups:
Comment: system administrator
Login Shell: /bin/pfksh
…
Rights: System Administrator
Assigned Roles:
Because the System Administrator profile is a collection of profiles, you need to list the profiles in the System Administrator profile.
$ cd /etc/security
$ grep "System Administrator" prof_attr
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
For example, the Network Management profile is a supplementary profile of the System Administrator profile. The Network Management profile includes a number of privileged commands.
$ cd /etc/security
$ grep "Network Management" exec_attr
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config
…
The commands and their assigned privileges are the final two fields of solaris policy entries. You can run these commands in the profile shell of your role.
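The two grep steps above can be combined into one pass. The following is an added example, not part of the Solaris guide: it expands a profile's profiles= list from prof_attr (including nested profiles, which goes beyond the single level shown above) and prints the solaris policy commands with their privs= values from exec_attr. The function name priv_cmds is hypothetical, and the sample files are constructed from the entries quoted on this page.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. priv_cmds is a hypothetical name.
# Usage: priv_cmds PROFILE PROF_ATTR_FILE EXEC_ATTR_FILE
# Prints "profile<TAB>command<TAB>privileges" for every solaris-policy
# command in PROFILE or in any profile nested under it via profiles=.
priv_cmds() {
    awk -F: -v root="$1" '
    FILENAME == ARGV[1] {          # pass 1: prof_attr, attributes are the last field
        n = split($NF, kv, ";")
        for (i = 1; i <= n; i++)
            if (sub(/^profiles=/, "", kv[i])) children[$1] = kv[i]
        next
    }
    !walked {                      # once, at the first exec_attr record
        walked = 1; queue[1] = root; want[root] = 1; tail = 1
        for (head = 1; head <= tail; head++) {    # breadth-first, cycle-safe
            m = split(children[queue[head]], names, ",")
            for (j = 1; j <= m; j++)
                if (!(names[j] in want)) { want[names[j]] = 1; queue[++tail] = names[j] }
        }
    }
    ($1 in want) && $2 == "solaris" && $3 == "cmd" {   # pass 2: exec_attr
        n = split($NF, kv, ";")
        for (i = 1; i <= n; i++)
            if (sub(/^privs=/, "", kv[i])) print $1 "\t" $6 "\t" kv[i]
    }' "$2" "$3"
}

# Constructed sample files, built only from the entries quoted on this page.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/prof_attr" <<'EOF'
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
EOF
cat > "$sample/exec_attr" <<'EOF'
Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown
Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown
Object Access Management:suser:cmd:::/usr/bin/chgrp:euid=0
Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config
EOF

# Lists the four privs= entries; the suser (euid=0) entries are skipped.
priv_cmds "System Administrator" "$sample/prof_attr" "$sample/exec_attr"
```

On a Solaris system, pass /etc/security/prof_attr and /etc/security/exec_attr as the two files. Entries served from a naming service are not in those files and are not seen by this script.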
Example 11-12 Running the Privileged Commands in Your Role
When a user assumes a role, the shell becomes a profile shell. Therefore, the commands are executed with the privileges that were assigned to the commands. In the following example, the admin role can change the group and the owner of the useful.script file.
% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script
% chgrp admin useful.script
chgrp: useful.script: Not owner
% su - admin
Password: <Type admin password>
$ /usr/ucb/whoami
admin
$ chgrp admin useful.script
$ chown admin useful.script
$ ls -l useful.script
-rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script