You can create or change a rights profile when the provided rights profiles do not contain the collection of rights that you need. You might create a rights profile for users with limited rights, for a new application, or various other reasons.
The rights profiles that Oracle Solaris provides are read-only. You can clone a provided rights profile for modification if its collection of rights is insufficient. For example, you might want to add the solaris.admin.edit/path-to-system-file authorization to a provided rights profile. For background, see More About Rights Profiles.
You can create an authorization when the provided authorizations do not include the authorizations that are coded in your privileged applications. You cannot change an existing authorization. For background, see More About User Authorizations.
For examples of limiting privileges in a rights profile, see Example 29, Creating a Remote Users Rights Profile and Example 30, Removing Basic Privileges From a Rights Profile.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
# profiles -p [-S repository] profile-name
You are prompted for a description.
Use the set subcommand for profile properties that have a single value, such as set desc. Use the add subcommand for properties that can have more than one value, such as add cmd.
The following command creates the custom PAM rights profile in How to Assign a Modified PAM Policy in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3. The name is shortened for display purposes.
# profiles -p -S LDAP "Site PAM LDAP" profiles:Site PAM LDAP> set desc="Profile which sets pam_policy=ldap" ...LDAP> set pam_policy=ldap ...LDAP> commit ...LDAP> end ...LDAP> exit
In this example, the administrator creates a rights profile for Sun Ray users in the LDAP repository. The administrator has already created a Sun Ray version of the Basic Solaris User rights profile, and has removed all rights profiles from the policy.conf file on the Sun Ray server.
# profiles -p -S LDAP "Sun Ray Users" profiles:Sun Ray Users> set desc="For all users of Sun Rays" ... Ray Users> add profiles="Sun Ray Basic User" ... Ray Users> set defaultpriv="basic,!proc_info" ... Ray Users> set limitpriv="basic,!proc_info" ... Ray Users> end ... Ray Users> exit
The administrator verifies the contents.
# profiles -p "Sun Ray Users" info
Found profile in LDAP repository.
name=Sun Ray Users
desc=For all users of Sun Rays
defaultpriv=basic,!proc_info,
limitpriv=basic,!proc_info,
profiles=Sun Ray Basic User
Example 47 Creating a Rights Profile That Includes Privileged Commands
In this example, the security administrator adds privileges to an application in a rights profile that the administrator creates. The application is privilege-aware.
# profiles -p SiteApp profiles:SiteApp> set desc="Site application" profiles:SiteApp> add cmd="/opt/site-app/bin/site-cmd" profiles:SiteApp:site-cmd> add privs="proc_fork,proc_taskid" profiles:SiteApp:site-cmd> end profiles:SiteApp> exit
To verify, the administrator selects the site-cmd.
# profiles -p SiteApp "select cmd=/opt/site-app/bin/site-cmd; info;end" Found profile in files repository. id=/opt/site-app/bin/site-cmd privs=proc_fork,proc_taskid
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.
See Also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
# profiles -p [-S repository] existing-profile-name
Add the existing rights profile as a supplementary rights profile to the new profile, then add the enhancements. See Example 48, Cloning and Enhancing the Network IPsec Management Rights Profile.
See Example 49, Cloning and Removing Selected Rights From a Rights Profile.
In this example, the administrator adds a solaris.admin.edit authorization to a site IPsec Management rights profile so that the root role is not required. This rights profile will be assigned only to users who are trusted to modify the /etc/hosts file.
The administrator verifies that the Network IPsec Management rights profile cannot be modified.
# profiles -p "Network IPsec Management" profiles:Network IPsec Management> add auths="solaris.admin.edit/etc/hosts" Cannot add. Profile cannot be modified
The administrator creates a rights profile that includes the Network IPsec Management profile.
# profiles -p "Total IPsec Mgt" ... IPsec Mgt> set desc="Network IPsec Mgt plus /etc/hosts" ... IPsec Mgt> add profiles="Network IPsec Management" ... IPsec Mgt> add auths="solaris.admin.edit/etc/hosts" ... IPsec Mgt> end ... IPsec Mgt> exit
The administrator verifies the contents.
# profiles -p "Total IPsec Mgt" info
name=Total IPsec Mgt
desc=Network IPsec Mgt plus /etc/hosts
auths=solaris.admin.edit/etc/hosts
profiles=Network IPsec Management
In this example, the administrator separates managing the properties of the VSCAN service from the ability to enable and disable the service.
First, the administrator lists the contents of the rights profile that Oracle Solaris provides.
# profiles -p "VSCAN Management" info
name=VSCAN Management
desc=Manage the VSCAN service
auths=solaris.smf.manage.vscan,solaris.smf.value.vscan,
solaris.smf.modify.application
help=RtVscanMngmnt.html
Then, the administrator creates a rights profile that can enable and disable the service.
# profiles -p "VSCAN Management" profiles:VSCAN Management> set name="VSCAN Control" profiles:VSCAN Control> set desc="Start and stop the VSCAN service" ... VSCAN Control> remove auths="solaris.smf.value.vscan" ... VSCAN Control> remove auths="solaris.smf.modify.application" ... VSCAN Control> end ... VSCAN Control> exit
Then, the administrator creates a rights profile that can change the properties of the service.
# profiles -p "VSCAN Management" profiles:VSCAN Management> set name="VSCAN Properties" profiles:VSCAN Properties> set desc="Modify VSCAN service properties" ... VSCAN Properties> remove auths="solaris.smf.manage.vscan" ... VSCAN Properties> end ... VSCAN Properties> exit
The administrator verifies the contents of the new rights profiles.
# profiles -p "VSCAN Control" info
name=VSCAN Control
desc=Start and stop the VSCAN service
auths=solaris.smf.manage.vscan
# profiles -p "VSCAN Properties" info
name=VSCAN Properties
desc=Modify VSCAN service properties
auths=solaris.smf.value.vscan,solaris.smf.modify.application
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.
See Also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.
Before You Begin
Developers have defined and used the authorization in the applications that you are installing. For instructions, see About Authorizations in Developer’s Guide to Oracle Solaris 11.3 Security.
For example, create the help file for an authorization to enable the user to modify the data in an application.
# pfedit /docs/helps/NewcoSiteAppModData.html
<HTML>
-- Copyright 2015 Newco. All rights reserved.
-- NewcoSiteAppModData.html
-->
<HEAD>
<TITLE>NewCo Modify SiteApp Data Authorization</TITLE>
</HEAD>
<BODY>
The com.newco.siteapp.data.modify authorization authorizes you
to modify existing data in the application.
<p>
Only authorized accounts are permitted to modify data.
Use this authorization with care.
<p>
</BODY>
</HTML>
For example, the following command creates the com.newco.siteapp.data.modify authorization on the local system.
# auths add -t "SiteApp Data Modify Authorized" \ -h /docs/helps/NewcoSiteAppModData.html com.newco.siteapp.data.modify
You can now test the authorization, then add it to a rights profile and assign the profile to a role or user.
In this example, the administrator tests the com.newco.siteapp.data.modify authorization with the SiteApp rights profile from Example 47, Creating a Rights Profile That Includes Privileged Commands.
# usermod -A com.newco.siteapp.data.modify -P SiteApp tester1
When the test succeeds, the administrator removes the authorization.
# rolemod -A-=com.newco.siteapp.data.modify siteapptester
For ease of maintenance, the administrator adds the authorization to the SiteApp rights profile in Example 51, Adding Authorizations to a Rights Profile.
Example 51 Adding Authorizations to a Rights ProfileAfter testing that the authorization works correctly, the security administrator adds the com.newco.siteapp.data.modify authorization to an existing rights profile. Example 47, Creating a Rights Profile That Includes Privileged Commands shows how the administrator created the profile.
# profiles -p "SiteApp" profiles:SiteApp> add auths="com.newco.siteapp.data.modify" profiles:SiteApp> end profiles:SiteApp> exit
To verify, the administrator lists the contents of the profile.
# profiles -p SiteApp Found profile in files repository. id=/opt/site-app/bin/site-cmd auths=com.newco.siteapp.data.modify
Next Steps
Assign the rights profile to a trusted user or role. For examples, see Example 12, Creating a Trusted User to Administer DHCP and Example 22, Enabling a Trusted User to Read Extended Accounting Files.
See Also
To troubleshoot rights assignment, see How to Troubleshoot Rights Assignments. For background, see Order of Search for Assigned Rights.