Securing Users and Processes in Oracle® Solaris 11.4


Updated: November 2020
Assigning Rights to Users

Rights in Oracle Solaris exist on every process. You can add rights to users and roles, and remove rights. Rights include privileges on the user's process, privileges or special IDs on a command that the user runs, and authorizations to perform a particular action. To ease the administrative burden of assigning rights, Oracle Solaris collects rights for services and administrative actions into rights profiles. Rather than assigning individual rights to users and roles, you collect the rights in a rights profile and then assign the rights profile to users and roles.

Roles give a name to the administrative task that a user can perform, such as auditadm. To perform an administrative action, the user assumes an assigned role and performs the action in that role. Roles can be required by security policy, or they can simply be a convenience. You can create roles yourself, or you can install the armor package, which creates seven roles and their local home directories. For more information about roles, see User and Process Rights Provide an Alternative to the Superuser Model.

You can also assign rights to a system, whereby all users who log in to the system are granted those rights. Typically, administrators remove rights from specialized systems, such as kiosks or systems designed only to administer other systems. The preferred method of changing the rights on a system is to enable the account-policy Service Management Facility (SMF) service and modify the system's security attributes as SMF properties. The legacy method is to edit individual files in the /etc directory.

To modify security attributes in SMF, you use the svccfg setprop subcommand rather than editing a local file. The first command below lets the account-policy service manage the settings that were formerly read from /etc/security/policy.conf; the second sets the system-wide default privilege set:

example-11u4 $ pfexec svccfg -s account-policy:default \
  setprop config/etc_security_policyconf/disabled = boolean: false
example-11u4 $ pfexec svccfg -s svc:/system/account-policy:default \
  setprop rbac/default_privileges = astring: "basic,!file_link_any"

The preceding commands replace this legacy method:

example-11u3 $ pfexec vim /etc/security/policy.conf
PRIV_DEFAULT=basic,!file_link_any

Note -  Oracle Solaris does not enable the account-policy:default service by default. However, you should enable it and use SMF to manage system, user, and role security. Editing the security policy files directly is deprecated.

For more information, see account-policy(8S) and Modifying System-Wide Privileges, Authorizations, and Rights Profiles.
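The following script is an added example, not code from the Oracle Solaris documentation. It wraps the SMF procedure above into a small administrative script: it validates the privilege-set string before handing it to svccfg, builds and prints the exact setprop command line so it can be reviewed, then (only when invoked with --apply) enables SMF management of the policy, sets rbac/default_privileges, refreshes and enables the service, and reads the property back. It assumes an Oracle Solaris 11.4 host with svccfg, svcadm, svcprop and ppriv installed and a user whose rights profile allows those commands through pfexec; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Oracle Solaris documentation).
# Sets and verifies the system-wide default privilege set through the
# account-policy SMF service instead of editing /etc/security/policy.conf.

FMRI="svc:/system/account-policy:default"

# Validate a privilege-set string such as "basic,!file_link_any":
# comma-separated tokens, each an optional leading '!' followed by a
# lowercase name made of letters, digits and underscores. Returns 0 if valid.
valid_privset() {
    case "$1" in
        ''|*,,*|,*|*,) return 1 ;;
    esac
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            !*) tok=${tok#!} ;;
        esac
        case "$tok" in
            ''|*[!a-z0-9_]*) return 1 ;;
        esac
    done
    return 0
}

# Compose the svccfg command line that sets rbac/default_privileges.
# Printed rather than executed so a reviewer can inspect it first.
smf_setprop_cmd() {
    printf 'svccfg -s %s setprop rbac/default_privileges = astring: "%s"\n' \
        "$FMRI" "$1"
}

# Apply the policy: hand policy.conf settings to SMF, set the property,
# then refresh so the running snapshot picks up the new value, and enable
# the service (it is not enabled by default).
apply_default_privileges() {
    privset="$1"
    valid_privset "$privset" || {
        echo "invalid privilege set: $privset" >&2
        return 1
    }
    pfexec svccfg -s "$FMRI" \
        setprop config/etc_security_policyconf/disabled = boolean: false
    pfexec svccfg -s "$FMRI" \
        setprop rbac/default_privileges = astring: "$privset"
    pfexec svcadm refresh "$FMRI"
    pfexec svcadm enable "$FMRI"
}

# Verify: read the property back from the repository and show the
# privilege sets of the current shell. A user who logs in after the change
# should no longer see file_link_any in the basic set.
verify_default_privileges() {
    svcprop -p rbac/default_privileges "$FMRI"
    ppriv -S $$
}

# Usage:  sh set-default-privs.sh --apply 'basic,!file_link_any'
if [ "${1:-}" = "--apply" ]; then
    apply_default_privileges "${2:-basic,!file_link_any}" \
        && verify_default_privileges
fi
```

Because the commands that change the system run only under --apply, the validation and command-building functions can be exercised on any host first; run the script once without arguments to confirm the privilege string is accepted, then with --apply on the target system.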