Securing Users and Processes in Oracle® Solaris 11.4

Updated: September 2018
 
 

Deciding Which Rights Model to Use for Administration

Rights in Oracle Solaris include rights profiles, authorizations, and privileges. Oracle Solaris offers several ways to configure administrative rights on a system.

The following list is ordered from the most secure approach to the least secure, the traditional superuser model.

  1. Divide administrative tasks among several trusted users, each of whom has limited rights. This approach is the Oracle Solaris rights model.

    For information about how to follow this approach, see Following Your Chosen Rights Model.

    For a discussion of the benefits of this approach, see About Using Rights to Control Users and Processes.

  2. Use the default rights configuration. This approach uses the rights model but does not customize it to your site.

    By default, the initial user has some administrative rights and can assume the root role. Optionally, the root role could assign the root role to another trusted user. For greater security, the root role would enable the auditing of administrative commands.

    Tasks that are useful to administrators who use this model are the following:

  3. Use the sudo command.

    Administrators who are familiar with the sudo command can configure sudo and use it. Optionally, they can configure the /etc/sudoers file to enable sudo users to run administrative commands without reauthentication for a set period of time.

    Tasks that are useful to sudo users are the following:

    The sudo command is the Linux equivalent of the Oracle Solaris RBAC commands. Unlike the RBAC commands, sudo cannot reference rights profiles. It runs as root with all privileges so that it can grant the rights that are specified for each program in the /etc/sudoers file for the current user. For more information, see the sudo(8) and sudoers(4) man pages.

  4. Use the superuser model by changing the root role into a user.

    Administrators who use the traditional UNIX model must complete How to Change the root Role Into a User. Optionally, the root user can configure auditing.
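
The sudo approach in item 3 allows commands to run without reauthentication for a set period, so the /etc/sudoers settings that control this are worth reviewing. The following Python check is an added example, not Oracle code: it flags `timestamp_timeout` values beyond an assumed 5-minute site policy, `NOPASSWD:` tags, and unrestricted `ALL` command lists. The names `audit_sudoers`, `MAX_MINUTES`, and the sample entries are hypothetical.

```python
import re

# Constructed sample sudoers content; not taken from a real system.
SAMPLE_SUDOERS = """\
# constructed example
Defaults timestamp_timeout=-1
Defaults:jdoe timestamp_timeout=30
Defaults env_reset
jdoe ALL=(root) /usr/sbin/zfs, /usr/sbin/svcadm
backup ALL=(root) NOPASSWD: /usr/sbin/zfs snapshot *
%staff ALL=(ALL) ALL
"""

MAX_MINUTES = 5.0  # assumed site policy for the reauthentication window
ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text, max_minutes=MAX_MINUTES):
    """Return (line_no, finding) tuples for entries that weaken reauthentication or scope."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments; include files are not followed
        if not line or line.startswith(ALIASES):
            continue
        if line.startswith("Defaults"):
            m = re.search(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m:
                minutes = float(m.group(1))
                if minutes < 0:  # a negative value means the timestamp never expires
                    findings.append((no, "timestamp never expires"))
                elif minutes > max_minutes:
                    findings.append((no, f"reauthentication window {minutes:g} min exceeds {max_minutes:g}"))
            continue
        if "=" not in line:
            continue
        spec = line.split("=", 1)[1]
        if "NOPASSWD:" in spec:
            findings.append((no, "NOPASSWD: no authentication required"))
        cmds = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", spec)  # strip runas list and tags
        if "ALL" in [c.strip() for c in cmds.split(",")]:
            findings.append((no, "unrestricted command list (ALL)"))
    return findings
```

A `timestamp_timeout` of 0 makes sudo prompt every time and is not flagged; line continuations are not handled.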