Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Removing Rights System-Wide

Example 28  Modifying the policy.conf File to Limit the Rights Available to System Users

In this example, the administrator creates a system that is useful only to administer the network. The administrator removes the Basic Solaris User rights profile and any authorizations from the /etc/security/policy.conf file. The Console User rights profile is not removed. The affected lines in the resulting policy.conf file are the following:

...
##AUTHS_GRANTED=
##AUTH_PROFS_GRANTED=
##PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
...

Only a user who has been explicitly assigned authorizations, commands, or rights profiles is able to use this system. After login, the authorized user can perform administrative duties. If the authorized user is sitting at the system console, the user has the rights of the Console User.

Example 29  Creating a Remote Users Rights Profile

In this example, the administrator creates a rights profile in the LDAP repository for users who log in remotely.

# profiles -p -S LDAP "Remote Users"
profiles:Remote Users> set desc="For all logins from remote systems"
... Remote Users> set defaultpriv="basic,!proc_info"
... Remote Users> set limitpriv="basic,!proc_info"
... Remote Users> end
... Remote Users> exit

The administrator verifies the contents.

# profiles -p "Remote Users" info
Found profile in LDAP repository.
        name=Remote Users
        desc=For all logins from remote systems
        defaultpriv=basic,!proc_info,
        limitpriv=basic,!proc_info
Example 30  Removing Basic Privileges From a Rights Profile

In the following example, after thorough testing, the security administrator removes another basic privilege from the Remote Users rights profile created in Example 29, Creating a Remote Users Rights Profile. Users who are assigned this profile cannot examine any processes outside their current session, and they cannot add another session.

# profiles -p "Remote Users"
profiles:Remote Users> set defaultpriv="basic,!proc_info,!proc_session"
profiles:Remote Users> end
profiles:Remote Users> exit
Example 31  Restricting an Administrator to Explicitly Assigned Rights

    You can restrict a role or user to a limited number of administrative actions in two ways.

  • Assign the Stop rights profile as the last profile in the user's list of profiles.

    The Stop rights profile is the simplest way to create a restricted shell. The authorizations and rights profiles in the policy.conf file are not assigned to the user or role.

  • Modify the policy.conf file on a system, and require the role or user to use that system for administrative tasks. See Example 28, Modifying the policy.conf File to Limit the Rights Available to System Users.

The following command limits the auditrev role to performing only audit reviews.

# rolemod -K profiles="Audit Review,Stop" auditrev

Because the auditrev role does not have the Console User rights profile, the auditor cannot shut down the system. Because this role does not have the solaris.device.cdrw authorization, the auditor cannot read from or write to the CD-ROM drive. Because this role does not have the Basic Solaris User rights profile, no commands from that profile can be run in this role. Because the All rights profile is not assigned, the ls command will not run. The role uses the File Browser to select the audit files for review.

For more information, see Order of Search for Assigned Rights and Rights Profiles Reference.

Example 32  Preventing Selected Applications From Spawning New Processes

In this example, the administrator creates a rights profile for applications that do not require subprocesses for correct operation. For convenience, the administrator creates a directory to hold these executables. When new applications are added that do not require subprocesses, the executables can be added to this directory. Or, if the executable is required to be in a specific directory, the administrator can link to it from /opt/local/noex/app-executable.

# profiles -p "Prevent App Subprocess"
profiles:Prevent App Subprocess> set desc="Keep apps from execing processes"
profiles:Prevent App Subprocess> add cmd=/opt/local/noex/mkmod
... Subprocess:mkmod> set limitprivs=all,!proc_exec
... Subprocess:mkmod> end
... Subprocess> add cmd=/opt/local/noex/gomap
... Subprocess:gomap> set limitprivs=all,!proc_exec
... Subprocess:gomap> end
... Subprocess> commit
... Subprocess> exit