Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Determining Which Rights to Assign to Administrators

Administrators require rights to run privileged commands, and often require authorization to run the commands. Rights profiles supply privileged commands, authorizations, and sometimes supplementary rights profiles in a convenient bundle.

You have several ways to determine which rights profile is best to assign. The names of rights profiles indicate their function, so you can list and search the profile names for functional areas. You can also start with a command name, and determine which rights profiles include that command.

When you know the name of the rights profile that contains the commands you are interested in, and you review the rights in that rights profile, then you can determine whether to assign that particular profile to an administrator. You should not assign individual privileges or authorizations to administrators. For more information, see Considerations When Assigning Rights.

After you assign administrative rights, ask your administrators to review Using Your Assigned Administrative Rights before they run administrative commands.

How to Determine Which Rights to Assign

You can search for which rights to assign by starting with rights profiles or with command names. This procedure shows how to search by rights profile. Example 1, Determining Which Rights a Command Requires shows how to search by command.

  1. List the available rights profiles.
    $ profiles -a | more
    ...
    Administrative Command History
    Administrator Message Edit
    Audit Configuration
    ...
  2. Search for a functional area.

    In the following example, you search for rights profiles about administering zones.

    $ profiles -a | grep -i zone
    Zone Security
    Zone Configuration
    Zone Management
    Zone Migration
    Zone Cold Migration
  3. Review the contents of the rights profile that best describes the rights you plan to assign.

    Continuing with the zones example, you are going to assign rights to secure zones.

    $ profiles -p "Zone Security" info
            name=Zone Security
            desc=Zones Virtual Application Environment Security
            auths=solaris.zone.*,solaris.auth.delegate
            cmd=/usr/sbin/txzonemgr
            cmd=/usr/sbin/zonecfg
            cmd=/usr/lib/rad/module/mod_zonemgr.so.1

    The output indicates that the assignee will have all authorizations that begin with the string solaris.zone, and the solaris.auth.delegate authorization. The assignee can run the txzonemgr and zonecfg commands, and use the RAD command mod_zonemgr.so.1 module.

    For details about the rights that are assigned to the commands, continue with the following step. For descriptions of the solaris.zone authorizations, see Step 5.

  4. Search for the commands in the privileged commands database.
    $ getent exec_attr | grep "^Zone Security"
    Zone Security:solaris:cmd:RO::/usr/sbin/txzonemgr:uid=0
    Zone Security:solaris:cmd:RO::/usr/sbin/zonecfg:uid=0
    Zone Security:solaris:cmd:RO::/usr/lib/rad/module/mod_zonemgr.so.1:uid=0

    The output indicates that the commands will run with a UID of 0, not with the assignee's UID. RO indicates that this rights profile is read-only.

  5. (Optional) Review the definitions of the authorizations that are in your chosen rights profile.
    $ getent auth_attr | grep solaris.zone
    solaris.zone.:RO::Zone Management::
    solaris.zone.clonefrom:RO::Clone another Zone::
    solaris.zone.login:RO::Zone Login::
    solaris.zone.manage:RO::Zone Deployment::
    solaris.zone.config:RO::Modify the Persistent Zone Configuration::
    solaris.zone.liveconfig:RO::Inspect and Modify the Live Zone Configuration::
    solaris.zone.migrate:RO::Zone Migration::
    solaris.zone.migrate.cold:RO::Zone Cold Migration::
    $ getent auth_attr | grep solaris.auth.delegate
    solaris.auth.delegate:RO::Assign owned authorizations::
Example 1  Determining Which Rights a Command Requires

In this example, the administrator wants to assign the pfctl command to a network administrator, but does not know what other rights the assignee might need to handle the Packet Filter (PF) firewall.

  1. The administrator searches the privileged commands database, exec_attr, for the pfctl command.

    $ getent exec_attr | grep pfctl
    Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfctl:privs=sys_ip_config

    The output indicates that the pfctl command is part of the Network Firewall Management rights profile and runs with the sys_ip_config privilege.

  2. The administrator reviews the content of the rights profile.

    $ profiles -p "Network Firewall Management" info
            name=Network Firewall Management
            desc=Firewall Administration
            auths=solaris.smf.value.network.firewall,solaris.smf.manage.network.firewall
            cmd=/usr/sbin/pfconf
            cmd=/usr/sbin/pfctl

    The output indicates that the Network Firewall Management profile authorizes the assignee to modify the SMF properties of the firewall, and also contains the pfconf command.

  3. The administrator looks up the pfconf command in the privileged commands database.

    $ getent exec_attr | grep pfconf
    Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfconf:privs=sys_ip_config
  4. The administrator reviews the definitions of the authorizations that are in the chosen profile.

    $ getent auth_attr | grep firewall
    solaris.smf.manage.network.firewall:RO::Manage Network Firewall::
    solaris.smf.value.network.firewall:RO::Change Network Firewall Configuration::
    solaris.smf.manage.firewall:RO::Manage Firewall Service::
    solaris.smf.value.firewall.config:RO::Change Service Firewall Config::
  5. If the rights profile includes all the functions the assignee needs, the administrator assigns it to the user, or creates a role and assigns the role to the user. For examples, see Creating a Role and Example 12, Creating a Trusted User to Administer DHCP.

  6. If the assignee needs more network capabilities, the administrator continues to investigate.

    The administrator lists all network rights profiles, chooses another one, and repeats the search.

    $ profiles -a | grep ^Network
    Network Autoconf Admin
    Network Autoconf User
    Network ILB
    Network Dot1x Management
    Network LLDP
    Network VRRP
    Network DLMP
    Network Management
    Network Observability
    Network TCP Key Management
    Network Security
    Network Wifi Management
    Network Wifi Security
    Network Link Security
    Network IPsec Management
    Network Firewall Management

    The administrator can also create a custom networking rights profile by following the instructions in Creating Rights Profiles and Authorizations.