You can create or change a rights profile when the provided rights profiles do not contain the collection of rights that you need. You might create a rights profile for users with limited rights, for a new application, or various other reasons.
The rights profiles that Oracle Solaris provides are read-only. You can clone a provided rights profile for modification if its collection of rights is insufficient. For example, you might want to add the solaris.admin.edit/path-to-system-file authorization to a provided rights profile. For background, see More About Rights Profiles.
You can create an authorization when the provided authorizations do not include the authorizations that are coded in your privileged applications. You cannot change an existing authorization. For background, see More About User Authorizations.
Before You Begin
To create a rights profile, you must become an administrator who is assigned the File Security rights profile. For more information, see Using Your Assigned Administrative Rights.
# profiles -p [-S repository] profile-name
You are prompted for a description.
Use the set subcommand for profile properties that have a single value, such as set desc. Use the add subcommand for properties that can have more than one value, such as add cmd.
The following command creates the custom PAM rights profile in How to Assign a Modified PAM Policy in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2. The prompt is shortened for display purposes.
# profiles -p -S LDAP "Site PAM LDAP"
profiles:Site PAM LDAP> set desc="Profile which sets pam_policy=ldap"
...LDAP> set pam_policy=ldap
...LDAP> commit
...LDAP> end
...LDAP> exit
In this example, the administrator creates a rights profile for Sun Ray users in the LDAP repository. The administrator has already created a Sun Ray version of the Basic Solaris User rights profile, and has removed all rights profiles from the policy.conf file on the Sun Ray server.
# profiles -p -S LDAP "Sun Ray Users"
profiles:Sun Ray Users> set desc="For all users of Sun Rays"
... Ray Users> add profiles="Sun Ray Basic User"
... Ray Users> set defaultpriv="basic,!proc_info"
... Ray Users> set limitpriv="basic,!proc_info"
... Ray Users> end
... Ray Users> exit
The administrator verifies the contents.
# profiles -p "Sun Ray Users" info
Found profile in LDAP repository.
        name=Sun Ray Users
        desc=For all users of Sun Rays
        defaultpriv=basic,!proc_info,
        limitpriv=basic,!proc_info,
        profiles=Sun Ray Basic User

Example 5-7 Creating a Rights Profile That Includes Privileged Commands
In this example, the security administrator adds privileges to an application in a rights profile that the administrator creates. The application is privilege-aware.
# profiles -p SiteApp
profiles:SiteApp> set desc="Site application"
profiles:SiteApp> add cmd="/opt/site-app/bin/site-cmd"
profiles:SiteApp:site-cmd> add privs="proc_fork,proc_taskid"
profiles:SiteApp:site-cmd> end
profiles:SiteApp> exit
To verify, the administrator selects the site-cmd.
# profiles -p SiteApp "select cmd=/opt/site-app/bin/site-cmd; info;end"
Found profile in files repository.
        id=/opt/site-app/bin/site-cmd
        privs=proc_fork,proc_taskid
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 3–10 and Example 3–19.
See also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.
Before You Begin
To create or change a rights profile, you must become an administrator who is assigned the File Security rights profile. For more information, see Using Your Assigned Administrative Rights.
# profiles -p [-S repository] existing-profile-name
Add the existing rights profile as a supplementary rights profile to the new profile, then add the enhancements. See Example 5–8.
See Example 5–9.
In this example, the administrator adds a solaris.admin.edit authorization to a site IPsec Management rights profile so that the root role is not required. This rights profile will be assigned only to users who are trusted to modify the /etc/hosts file.
The administrator verifies that the Network IPsec Management rights profile cannot be modified.
# profiles -p "Network IPsec Management"
profiles:Network IPsec Management> add auths="solaris.admin.edit/etc/hosts"
Cannot add. Profile cannot be modified
The administrator creates a rights profile that includes the Network IPsec Management profile.
# profiles -p "Total IPsec Mgt"
... IPsec Mgt> set desc="Network IPsec Mgt plus /etc/hosts"
... IPsec Mgt> add profiles="Network IPsec Management"
... IPsec Mgt> add auths="solaris.admin.edit/etc/hosts"
... IPsec Mgt> end
... IPsec Mgt> exit
The administrator verifies the contents.
# profiles -p "Total IPsec Mgt" info
        name=Total IPsec Mgt
        desc=Network IPsec Mgt plus /etc/hosts
        auths=solaris.admin.edit/etc/hosts
        profiles=Network IPsec Management
In this example, the administrator separates managing the properties of the VSCAN service from the ability to enable and disable the service.
First, the administrator lists the contents of the rights profile that Oracle Solaris provides.
# profiles -p "VSCAN Management" info
        name=VSCAN Management
        desc=Manage the VSCAN service
        auths=solaris.smf.manage.vscan,solaris.smf.value.vscan,
        solaris.smf.modify.application
        help=RtVscanMngmnt.html
Then, the administrator creates a rights profile that can enable and disable the service.
# profiles -p "VSCAN Management"
profiles:VSCAN Management> set name="VSCAN Control"
profiles:VSCAN Control> set desc="Start and stop the VSCAN service"
... VSCAN Control> remove auths="solaris.smf.value.vscan"
... VSCAN Control> remove auths="solaris.smf.modify.application"
... VSCAN Control> end
... VSCAN Control> exit
Then, the administrator creates a rights profile that can change the properties of the service.
# profiles -p "VSCAN Management"
profiles:VSCAN Management> set name="VSCAN Properties"
profiles:VSCAN Properties> set desc="Modify VSCAN service properties"
... VSCAN Properties> remove auths="solaris.smf.manage.vscan"
... VSCAN Properties> end
... VSCAN Properties> exit
The administrator verifies the contents of the new rights profiles.
# profiles -p "VSCAN Control" info
        name=VSCAN Control
        desc=Start and stop the VSCAN service
        auths=solaris.smf.manage.vscan
# profiles -p "VSCAN Properties" info
        name=VSCAN Properties
        desc=Modify VSCAN service properties
        auths=solaris.smf.value.vscan,solaris.smf.modify.application
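The "verifies the contents" steps on this page are done by eye. As an added check that is not part of the Oracle Solaris documentation, the POSIX shell functions below parse a "profiles -p name info" listing and compare its auths= entries with the set the administrator intended, reporting excess or missing authorizations before the profile is assigned. The listings are constructed to model the VSCAN Control and VSCAN Properties profiles above (the second deliberately still carries solaris.smf.manage.vscan); they are not output captured from a real system.

```shell
#!/bin/sh
# Constructed listings in the format of "profiles -p NAME info"; they model the
# page's VSCAN profiles and are NOT output captured from a real system. The second
# one simulates an administrator forgetting to remove solaris.smf.manage.vscan.
VSCAN_CONTROL='Found profile in files repository.
        name=VSCAN Control
        desc=Start and stop the VSCAN service
        auths=solaris.smf.manage.vscan'
VSCAN_PROPS_BAD='Found profile in files repository.
        name=VSCAN Properties
        desc=Modify VSCAN service properties
        auths=solaris.smf.value.vscan,solaris.smf.manage.vscan,
        solaris.smf.modify.application
        help=RtVscanMngmnt.html'

# profile_auths LISTING: print each authorization in the listing's auths= field on
# its own line. The field is comma separated and may wrap onto continuation lines
# (as in the page's VSCAN Management listing), so lines are consumed until the
# next key=value field starts.
profile_auths() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*auths=/            { sub(/^[ \t]*auths=/, ""); inauth = 1 }
        inauth && /^[ \t]*[a-z]+=/ { inauth = 0 }
        inauth                     { gsub(/[ \t]/, ""); n = split($0, a, ",")
                                     for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }'
}

# check_auths LISTING EXPECTED: EXPECTED is a space-separated list of the
# authorizations the profile is meant to carry. Prints "extra: X" for any
# authorization present but not intended (excess rights) and "missing: X" for any
# intended one that is absent; returns 0 only when the two sets match exactly.
check_auths() {
    actual=$(profile_auths "$1" | tr '\n' ' ')
    rc=0
    for a in $actual; do
        case " $2 " in *" $a "*) ;; *) echo "extra: $a"; rc=1 ;; esac
    done
    for e in $2; do
        case " $actual " in *" $e "*) ;; *) echo "missing: $e"; rc=1 ;; esac
    done
    return $rc
}

check_auths "$VSCAN_CONTROL" "solaris.smf.manage.vscan" && echo "VSCAN Control: ok"
check_auths "$VSCAN_PROPS_BAD" "solaris.smf.value.vscan solaris.smf.modify.application" \
    || echo "VSCAN Properties: fix before assigning"
```

On a Solaris host the same functions can be fed live output, for example check_auths "$(profiles -p 'VSCAN Control' info)" "solaris.smf.manage.vscan".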
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 3–10 and Example 3–19.
See also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.
Before You Begin
Developers have defined and used the authorization in the applications that you are installing. For instructions, see Developer's Guide to Oracle Solaris 11 Security and About Authorizations in Developer's Guide to Oracle Solaris 11 Security.
For example, create the help file for an authorization to enable the user to modify the data in an application.
# pfedit /docs/helps/NewcoSiteAppModData.html
<HTML>
<!--
-- Copyright 2013 Newco. All rights reserved.
-- NewcoSiteAppModData.html
-->
<HEAD>
<TITLE>NewCo Modify SiteApp Data Authorization</TITLE>
</HEAD>
<BODY>
The com.newco.siteapp.data.modify authorization authorizes you to modify existing data in the application.
<p>
Only authorized accounts are permitted to modify data. Use this authorization with care.
<p>
</BODY>
</HTML>
For example, the following command creates the com.newco.siteapp.data.modify authorization on the local system.
# auths add -t "SiteApp Data Modify Authorized" \
    -h /docs/helps/NewcoSiteAppModData.html com.newco.siteapp.data.modify
You can now test the authorization, then add it to a rights profile and assign the profile to a role or user.
In this example, the administrator tests the com.newco.siteapp.data.modify authorization with the SiteApp rights profile from Example 5–7.
# usermod -A com.newco.siteapp.data.modify -P SiteApp tester1
When the test succeeds, the administrator removes the authorization.
# rolemod -A-=com.newco.siteapp.data.modify siteapptester
For ease of maintenance, the administrator adds the authorization to the SiteApp rights profile in Example 5–11.
Example 5-11 Adding Authorizations to a Rights Profile

After testing that the authorization works correctly, the security administrator adds the com.newco.siteapp.data.modify authorization to an existing rights profile. Example 5–7 shows how the administrator created the profile.
# profiles -p "SiteApp"
profiles:SiteApp> add auths="com.newco.siteapp.data.modify"
profiles:SiteApp> end
profiles:SiteApp> exit
To verify, the administrator lists the contents of the profile.
# profiles -p SiteApp
Found profile in files repository.
        id=/opt/site-app/bin/site-cmd
        auths=com.newco.siteapp.data.modify
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 3–10 and Example 3–19.
See also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.