In this example, the administrator creates a system that is useful only to administer the network. The administrator removes the Basic Solaris User rights profile and any authorizations from the /etc/security/policy.conf file. The Console User rights profile is not removed. The affected lines in the resulting policy.conf file are the following:
...
##AUTHS_GRANTED=
##AUTH_PROFS_GRANTED=
##PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
...
Only a user who has been explicitly assigned authorizations, commands, or rights profiles is able to use this system. After login, the authorized user can perform administrative duties. If the authorized user is sitting at the system console, the user has the rights of the Console User.
Example 29 Creating a Remote Users Rights Profile
In this example, the administrator creates a rights profile in the LDAP repository for users who log in remotely.
# profiles -p -S LDAP "Remote Users"
profiles:Remote Users> set desc="For all logins from remote systems"
...
Remote Users> set defaultpriv="basic,!proc_info"
...
Remote Users> set limitpriv="basic,!proc_info"
...
Remote Users> end
...
Remote Users> exit
The administrator verifies the contents.
# profiles -p "Remote Users" info
Found profile in LDAP repository.
name=Remote Users
desc=For all logins from remote systems
defaultpriv=basic,!proc_info
limitpriv=basic,!proc_info
Example 30 Removing Basic Privileges From a Rights Profile
In the following example, after thorough testing, the security administrator removes a second basic privilege, proc_session, from the Remote Users rights profile created in Example 29, Creating a Remote Users Rights Profile. Users who are assigned this profile already cannot examine the status of processes other than the ones they could send signals to (proc_info was removed in Example 29); they now also cannot send signals to or trace processes outside their own session.
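As an added check for the privilege sets in Examples 29 and 30 (this is example code written for this page, not part of the Oracle Solaris documentation or of the profiles(1) tool), the following POSIX shell script resolves a specification such as basic,!proc_info,!proc_session to the privileges it denotes and verifies that defaultpriv stays within limitpriv before the profile is committed. The membership of the basic set is an assumption taken from privileges(5) for Solaris 11; newer releases may add members, so compare it with the output of ppriv -l on the target system.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: resolve a
# privilege specification of the kind given to profiles(1) and check that a
# profile's defaultpriv does not exceed its limitpriv before it is committed.
# ASSUMPTION: BASIC_SET is the Solaris 11 basic set as listed in privileges(5);
# newer releases may add members, so compare it with ppriv -l on the target.
BASIC_SET="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session"

# resolve_privs SPEC -> the sorted, space-separated set that SPEC denotes.
# Tokens are applied left to right: "basic" adds the basic set, a bare name
# adds that privilege, "!name" removes it.
resolve_privs() {
    privs=""
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$tok" in
            basic) privs="$privs $BASIC_SET" ;;
            '!'*)  privs=$(printf '%s\n' $privs | grep -v -x "${tok#!}" | tr '\n' ' ') ;;
            *)     privs="$privs $tok" ;;
        esac
    done
    printf '%s\n' $privs | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# check_profile_privs DEFAULTPRIV LIMITPRIV -> "ok", or the privileges that
# defaultpriv names but limitpriv does not. The limit set is the upper bound
# on every other privilege set of the user's processes, so such a privilege
# is dropped at the next exec and the profile promises more than it delivers.
check_profile_privs() {
    default_set=$(resolve_privs "$1")
    limit_set=$(resolve_privs "$2")
    extra=""
    for p in $default_set; do
        case " $limit_set " in
            *" $p "*) ;;
            *) extra="$extra $p" ;;
        esac
    done
    if [ -z "$extra" ]; then
        echo ok
    else
        echo "not in limitpriv:$extra"
    fi
}

# Example 30: defaultpriv is tightened while limitpriv keeps its Example 29 value.
check_profile_privs "basic,!proc_info,!proc_session" "basic,!proc_info"   # ok
# The two values swapped by mistake: proc_session is named but never granted.
check_profile_privs "basic,!proc_info" "basic,!proc_info,!proc_session"   # not in limitpriv: proc_session
```

Run it before the profiles(1) session: if the check reports a privilege that is not in limitpriv, either add it to limitpriv or drop it from defaultpriv, so that the committed profile reads the way it behaves.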
# profiles -p "Remote Users"
profiles:Remote Users> set defaultpriv="basic,!proc_info,!proc_session"
profiles:Remote Users> end
profiles:Remote Users> exit
Example 31 Restricting an Administrator to Explicitly Assigned Rights
You can restrict a role or user to a limited number of administrative actions in two ways:
- Assign the Stop rights profile as the last profile in the user's list of profiles. The Stop rights profile ends the evaluation of rights: profiles listed after it are ignored, and the authorizations and rights profiles that the policy.conf file grants (AUTHS_GRANTED, PROFS_GRANTED and CONSOLE_USER) are not assigned to the user or role. This is the simplest way to confine a user or role to its explicitly assigned rights.
- Modify the policy.conf file on a system, and require the role or user to use that system for administrative tasks. See Example 28, Modifying the policy.conf File to Limit the Rights Available to System Users.
The following command limits the auditrev role to performing only audit reviews.
# rolemod -K profiles="Audit Review,Stop" auditrev
Because the auditrev role does not have the Console User rights profile, the auditor cannot shut down the system. Because this role does not have the solaris.device.cdrw authorization, the auditor cannot read from or write to the CD-ROM drive. Because this role does not have the Basic Solaris User rights profile, no commands from that profile can be run in this role. Because the All rights profile is not assigned, the ls command will not run. The role uses the File Browser to select the audit files for review.
For more information, see Order of Search for Assigned Rights and Rights Profiles Reference.
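To make the search order concrete, the following POSIX shell script (written for this page as an added example; it is not part of the Oracle Solaris documentation and does not call profiles(1) or rolemod(1M)) models which rights profiles a login actually gets once the Stop profile of Example 31 and the commented-out grants of Example 28 are taken into account. The two policy.conf fragments are constructed, the login type is passed as "console" or "remote", and the relative order in which the PROFS_GRANTED and CONSOLE_USER grants are appended is illustrative only.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: model the search
# order for rights profiles so the effect of Stop (Example 31) and of the
# commented-out grants in policy.conf (Example 28) can be compared.
# ASSUMPTIONS: the two policy.conf fragments are constructed; the login type
# is "console" or "remote"; the order in which PROFS_GRANTED and CONSOLE_USER
# are appended after the assigned profiles is illustrative only.

# Stock shape of the relevant policy.conf lines.
DEFAULT_POLICY='PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User'

# Example 28 shape: the grant is commented out, Console User is kept.
RESTRICTED_POLICY='##PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User'

# policy_value POLICYTEXT KEY -> value of an uncommented KEY= line, else empty.
policy_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# effective_profiles "P1,P2,..." console|remote POLICYTEXT
# Prints the comma-separated profiles evaluated for this login, in search
# order: the assigned profiles first; Stop ends the search, otherwise the
# grants from policy.conf are appended.
effective_profiles() {
    result=""
    stopped=0
    old_ifs=$IFS
    IFS=','
    for p in $1; do
        IFS=$old_ifs
        if [ "$stopped" -eq 1 ]; then
            continue                    # everything after Stop is ignored
        elif [ "$p" = "Stop" ]; then
            stopped=1
        else
            result="${result:+$result,}$p"
        fi
    done
    IFS=$old_ifs
    if [ "$stopped" -eq 0 ]; then
        if [ "$2" = "console" ]; then
            c=$(policy_value "$3" CONSOLE_USER)
            if [ -n "$c" ]; then result="${result:+$result,}$c"; fi
        fi
        g=$(policy_value "$3" PROFS_GRANTED)
        if [ -n "$g" ]; then result="${result:+$result,}$g"; fi
    fi
    printf '%s\n' "$result"
}

# The auditrev role of Example 31 at the console of an ordinary system:
effective_profiles "Audit Review,Stop" console "$DEFAULT_POLICY"   # Audit Review
# The same role without Stop picks up the policy.conf grants:
effective_profiles "Audit Review" console "$DEFAULT_POLICY"        # Audit Review,Console User,Basic Solaris User
# On the Example 28 system, a remote login gets only its assigned profile:
effective_profiles "Audit Review" remote "$RESTRICTED_POLICY"      # Audit Review
```

The two approaches in Example 31 converge on the same result from different directions: Stop cuts the search off per user or role, whereas the Example 28 policy.conf removes the grants for everyone on that system but still gives a console login the Console User profile.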
Example 32 Preventing Selected Applications From Spawning New Processes
In this example, the administrator creates a rights profile for applications that do not require subprocesses for correct operation. For convenience, the administrator creates a directory to hold these executables. When new applications are added that do not require subprocesses, the executables can be added to this directory. Or, if the executable is required to be in a specific directory, the administrator can link to it from /opt/local/noex/app-executable.
# profiles -p "Prevent App Subprocess"
profiles:Prevent App Subprocess> set desc="Keep apps from execing processes"
profiles:Prevent App Subprocess> add cmd=/opt/local/noex/mkmod
... Subprocess:mkmod> set limitprivs=all,!proc_exec
... Subprocess:mkmod> end
... Subprocess> add cmd=/opt/local/noex/gomap
... Subprocess:gomap> set limitprivs=all,!proc_exec
... Subprocess:gomap> end
... Subprocess> commit
... Subprocess> exit