Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Modifying System-Wide Privileges, Authorizations, and Rights Profiles

This section assumes that you have completed New Feature – Enabling the account-policy Service.

The following command displays the RBAC policy variables as SMF properties:

$ svcprop -p rbac account-policy
rbac/console_user_profiles astring Console\ User
rbac/default_auth_profiles astring
rbac/default_authorizations astring
rbac/default_limit_privileges astring
rbac/default_privileges astring
rbac/default_profiles astring Basic\ Solaris\ User
Example 35  Adding a Rights Profile to Every Login

In this example, the administrator adds the Site Console User rights profile and removes access to the Console User rights profile by users of the system. This example assumes the administrator has completed New Feature – Enabling the account-policy Service.

$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/console_user_profiles astring = ""
svc:/.../account-policy> setprop rbac/default_profiles astring = "Site Console User, Basic Solaris User"
svc:/.../account-policy> exit
$ svcadm refresh account-policy

How to Remove Power Management Capability From Users shows the contents of the Site Console User rights profile,

Modifying Which Privileges Are Available on a System

This section assumes that you have completed New Feature – Enabling the account-policy Service.

Under particular circumstances, you can remove privileges from a system. For example, you might prevent remote users from examining the status of processes that they do not own, Public systems might benefit from reduced privileges.

The following commands modify a public system to prevent file linking and viewing any processes outside of the user's session:

$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_privileges = "basic,!file_link_any"
svc:/.../account-policy> exit
$ svcadm refresh account-policy

Assigning a Rights Profile to a System

This section assumes that you have completed New Feature – Enabling the account-policy Service.

Rights profiles can specify the rights for a large number of users. They are easily maintained and can be applied to a system.

$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_profiles = "Example Rights Profile"
svc:/.../account-policy> exit
$ svcadm refresh account-policy
Example 36  Assigning the Editor Restrictions Rights Profile to All Logins

This example shows how to require all users of an editor on a system to authenticate before editing.

$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_profiles = "Editor Restrictions"
svc:/.../account-policy> exit
$ svcadm refresh account-policy

The "Editor Restrictions" profile was created in Example 26, Preventing Guests From Spawning Editor Subprocesses.

Example 37  Enabling Only the Console User to Log In

In this example, the administrator creates a system that is useful only to administer the network. The administrator removes the Basic Solaris User rights profile and any authorizations from the system. The Console User rights profile is not removed.

$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_authorizations = ""
svc:/.../account-policy> setprop rbac/default_profiles = ""
svc:/.../account-policy> exit
$ svcadm refresh account-policy

Only a user who has been explicitly assigned authorizations, commands, or rights profiles is able to use this system. After login, the authorized user can perform administrative duties. If the authorized user is sitting at the system console, the user has the rights of the Console User.