Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Creating Rights Profiles and Authorizations

You can create or change a rights profile when the provided rights profiles do not contain the collection of rights that you need. You might create a rights profile for users with limited rights, for a new application, or various other reasons.

The rights profiles that Oracle Solaris provides are read-only. You can clone a provided rights profile for modification if its collection of rights is insufficient. For example, you might want to add the solaris.admin.edit/path-to-system-file authorization to a provided rights profile. For background, see More About Rights Profiles.

You can create an authorization when the provided authorizations do not include the authorizations that are coded in your privileged applications. You cannot change an existing authorization. For background, see More About User Authorizations.

For examples of limiting privileges in a rights profile, see Example 29, Creating a Remote Users Rights Profile and Example 30, Removing Basic Privileges From a Rights Profile.

How to Create a Rights Profile

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights.

  1. Create a rights profile.
    # profiles -p [-S repository] profile-name

    You are prompted for a description.

  2. Add contents to the rights profile.

    Use the set subcommand for profile properties that have a single value, such as set desc. Use the add subcommand for properties that can have more than one value, such as add cmd.

    The following command creates the custom PAM rights profile in How to Assign a Modified PAM Policy in Managing Authentication in Oracle Solaris 11.4. The name is shortened for display purposes.

    # profiles -p -S LDAP "Site PAM LDAP"
    profiles:Site PAM LDAP> set desc="Profile which sets pam_policy=ldap"
    ...LDAP> set pam_policy=ldap
    ...LDAP> commit
    ...LDAP> end
    ...LDAP> exit
Example 49  Creating a Rights Profile That Includes Privileged Commands

In this example, the security administrator adds privileges to an application in a rights profile that the administrator creates. The application is privilege-aware.

# profiles -p SiteApp
profiles:SiteApp> set desc="Site application"
profiles:SiteApp> add cmd="/opt/site-app/bin/site-cmd"
profiles:SiteApp:site-cmd> add privs="proc_fork,proc_taskid"
profiles:SiteApp:site-cmd> end
profiles:SiteApp> exit

To verify, the administrator selects the site-cmd.

# profiles -p SiteApp "select cmd=/opt/site-app/bin/site-cmd; info;end"
Found profile in files repository.
  id=/opt/site-app/bin/site-cmd
  privs=proc_fork,proc_taskid

Next Steps

Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.

See Also

To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.

How to Clone and Modify a System Rights Profile

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights.

  1. Create a new rights profile from an existing profile.
    # profiles -p [-S repository] existing-profile-name
  2. Modify the new rights profile by adding or removing supplementary rights profiles, authorizations, and other rights.
Example 50  Cloning and Enhancing the Network IPsec Management Rights Profile

In this example, the administrator adds a solaris.admin.edit authorization to a site IPsec Management rights profile so that the root role is not required. This rights profile will be assigned only to users who are trusted to modify the /etc/hosts file.

  1. The administrator verifies that the Network IPsec Management rights profile cannot be modified.

    # profiles -p "Network IPsec Management"
    profiles:Network IPsec Management> add auths="solaris.admin.edit/etc/hosts"
    Cannot add. Profile cannot be modified
  2. The administrator creates a rights profile that includes the Network IPsec Management profile.

    # profiles -p "Total IPsec Mgt"
    ... IPsec Mgt> set desc="Network IPsec Mgt plus /etc/hosts"
    ... IPsec Mgt> add profiles="Network IPsec Management"
    ... IPsec Mgt> add auths="solaris.admin.edit/etc/hosts"
    ... IPsec Mgt> end
    ... IPsec Mgt> exit
  3. The administrator verifies the contents.

    # profiles -p "Total IPsec Mgt" info
            name=Total IPsec Mgt
            desc=Network IPsec Mgt plus /etc/hosts
            auths=solaris.admin.edit/etc/hosts
            profiles=Network IPsec Management
Example 51  Cloning and Removing Selected Rights From a Rights Profile

In this example, the administrator separates managing the properties of the VSCAN service from the ability to enable and disable the service.

First, the administrator lists the contents of the rights profile that Oracle Solaris provides.

# profiles -p "VSCAN Management" info
        name=VSCAN Management
        desc=Manage the VSCAN service
        auths=solaris.smf.manage.vscan,solaris.smf.value.vscan,
              solaris.smf.modify.application

Then, the administrator creates a rights profile that can enable and disable the service.

# profiles -p "VSCAN Management"
profiles:VSCAN Management> set name="VSCAN Control"
profiles:VSCAN Control> set desc="Start and stop the VSCAN service"
... VSCAN Control> remove auths="solaris.smf.value.vscan"
... VSCAN Control> remove auths="solaris.smf.modify.application"
... VSCAN Control> end
... VSCAN Control> exit

Then, the administrator creates a rights profile that can change the properties of the service.

# profiles -p "VSCAN Management"
profiles:VSCAN Management> set name="VSCAN Properties"
profiles:VSCAN Properties> set desc="Modify VSCAN service properties"
... VSCAN Properties> remove auths="solaris.smf.manage.vscan"
... VSCAN Properties> end
... VSCAN Properties> exit

The administrator verifies the contents of the new rights profiles.

# profiles -p "VSCAN Control" info
        name=VSCAN Control
        desc=Start and stop the VSCAN service
        auths=solaris.smf.manage.vscan
# profiles -p "VSCAN Properties" info
        name=VSCAN Properties
        desc=Modify VSCAN service properties
        auths=solaris.smf.value.vscan,solaris.smf.modify.application

Next Steps

Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.

See Also

To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.

How to Create an Authorization

Before You Begin

Developers have defined and used the authorization in the applications that you are installing. For instructions, see About Authorizations in Developer’s Guide to Oracle Solaris 11.4 Security.

  • Create the authorization by using the auths add command.

    For example, the following command creates the com.newco.siteapp.data.modify authorization on the local system.

    # auths add -t "SiteApp Data Modify Authorized" com.newco.siteapp.data.modify

    You can now test the authorization, then add it to a rights profile and assign the profile to a role or user.

Example 52  Testing Then Removing an Assigned Authorization

In this example, the administrator tests the com.newco.siteapp.data.modify authorization with the SiteApp rights profile from Example 49, Creating a Rights Profile That Includes Privileged Commands.

# usermod -A com.newco.siteapp.data.modify -P SiteApp tester1

When the test succeeds, the administrator removes the authorization.

# rolemod -A-=com.newco.siteapp.data.modify siteapptester

For ease of maintenance, the administrator adds the authorization to the SiteApp rights profile in Example 53, Adding Authorizations to a Rights Profile.

Example 53  Adding Authorizations to a Rights Profile

After testing that the authorization works correctly, the security administrator adds the com.newco.siteapp.data.modify authorization to an existing rights profile. Example 49, Creating a Rights Profile That Includes Privileged Commands shows how the administrator created the profile.

# profiles -p "SiteApp"
profiles:SiteApp> add auths="com.newco.siteapp.data.modify"
profiles:SiteApp> end
profiles:SiteApp> exit

To verify, the administrator lists the contents of the profile.

# profiles -p SiteApp
Found profile in files repository.
  id=/opt/site-app/bin/site-cmd
  auths=com.newco.siteapp.data.modify

Next Steps

Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.

See Also

To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.