5 Using Role-Based Access Control

This chapter describes how to use role-based access control (RBAC) and the required setup for Oracle Solaris OS where privileges are available.

Overview of Role-Based Access Control

Role-based access control (RBAC), a feature in Oracle Solaris, permits non-privileged users to have access to certain privileged functionality, under certain specified circumstances. At a minimum, you can grant the equivalent of setuid root to a particular program, but only when run by a certain user. RBAC enables you to fine-tune access to privileges so that they are available in a restricted environment and only when needed.

In addition, Oracle Solaris includes privileges that give finer-grained access, so that a process that requires elevated access can be granted just the minimum access necessary to satisfy its needs without having to use the traditional full access of UID 0. For example, a program that needs to bind to a privileged port (typically one with a port number that is less than 1024, such as port 25 for SMTP) would traditionally have needed root access just for that one activity. With privileges, the program can be granted the net_privaddr privilege, which gives it the access needed to bind to the port without having full root access. By compartmentalizing privileged functions, security is greatly enhanced.

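You can use RBAC for both methods (granting a specific user access to a privileged program, and granting a process only the individual privileges it needs), and each improves Oracle Communications Messaging Server security.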

Theory of Operations

Role-based access control is managed through several files that are located in the /etc and /etc/security directories. You first create a profile that defines the new access that can be granted to the Messaging Server user account. Then you list all the special access that is granted to that profile. Finally, the Messaging Server user account is given access to the new profile.

The special access permitted by the profile is managed through intermediate commands that run the programs with the defined access. The pfexec(1) command is generally responsible for running a program that can then be given elevated access. pfexec is used by the Messaging Server start-msg, stop-msg, and imsimta (through the imtacli program) commands, and the job_controller, to take advantage of role-based access controls.

For more information about role-based access controls, see rbac(5).

Setting Up and Using RBAC

Caution:

Implementing role-based access controls involves modifying system files that provide security definitions for the operating system, and incorrect modifications may result in potential problems.

The following steps make direct modifications to files in the /etc/security directory. The same modifications can also be made by using the Oracle Solaris Management Console (smc(1M)).

Assumptions in the Examples: The following example commands assume that the Messaging Server is installed in the /opt/sun/comms/messaging64 directory and that the Messaging Server processes are using mailsrv as the Unix user.

  1. Copy MessagingServer_home/examples/rbac/MessagingServer.html to the /usr/lib/help/profiles/locale/C directory. This file is referenced by the Messaging Server profile definition. For example:

    cp /opt/sun/comms/messaging64/examples/rbac/MessagingServer.html /usr/lib/help/profiles/locale/C
    
  2. Append the contents of MessagingServer_home/examples/rbac/prof_attr.example to /etc/security/prof_attr. This is the Messaging Server profile definition.

    cat /opt/sun/comms/messaging64/examples/rbac/prof_attr.example >> /etc/security/prof_attr
    
  3. Edit MessagingServer_home/examples/rbac/exec_attr.example to replace msg.RootPath with the actual path for your Messaging Server installation. For this example, instances of msg.RootPath are replaced with /opt/sun/comms/messaging64.

  4. Append the contents of the edited MessagingServer_home/examples/rbac/exec_attr.example to /etc/security/exec_attr. This defines the special permissions granted to the Messaging Server profile.

    cat /opt/sun/comms/messaging64/examples/rbac/exec_attr.example >> /etc/security/exec_attr
    
  5. Modify the user account used by the Messaging Server to have access to this new profile.

    usermod -P 'Oracle Communications Messaging Server' mailsrv
    
  6. Modify the dispatcher process privilege, so that the dispatcher is able to successfully start. Edit the /etc/security/exec_attr file and add proc_taskid, for example:

    Oracle Communications Messaging Server:solaris:cmd:::/opt/sun/comms/messaging64/lib/dispatcher:privs=net_privaddr,proc_taskid
    
  7. Set the rbac option to 1 to fully enable RBAC usage. For example:

    msconfig set rbac 1
    msconfig show rbac
    role.base.rbac = 1
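
A check to run once steps 2 through 6 are done, as an added example that is not part of Oracle's documentation or the Messaging Server examples directory: it audits the profile's exec_attr(4) lines for a leftover msg.RootPath placeholder, duplicate entries left by a repeated append, and a dispatcher entry lacking net_privaddr or proc_taskid. The function name check_exec_attr, the AWK variable and the sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Audits the exec_attr(4) lines of one rights profile.
# Line format: name:policy:type:res1:res2:id:attr
AWK=${AWK:-awk}   # assumption: on Solaris 10 set AWK=nawk (legacy awk lacks -v)

# usage: check_exec_attr FILE PROFILE   -> returns 0 when no problem is found
check_exec_attr() {
    "$AWK" -F: -v prof="$2" '
    $1 != prof { next }                       # skip other profiles, comments, blanks
    { n++ }
    NF != 7 { printf "line %d: %d fields, expected 7\n", NR, NF; bad++; next }
    $6 ~ /msg\.RootPath/ { printf "line %d: msg.RootPath not replaced\n", NR; bad++ }
    seen[$6]++ { printf "line %d: duplicate entry for %s\n", NR, $6; bad++ }
    $6 ~ /\/lib\/dispatcher$/ {
        disp++
        privs = ""
        m = split($7, kv, ";")                # attr is key=value[;key=value...]
        for (i = 1; i <= m; i++)
            if (kv[i] ~ /^privs=/) privs = "," substr(kv[i], 7) ","
        if (index(privs, ",net_privaddr,") == 0 || index(privs, ",proc_taskid,") == 0) {
            printf "line %d: dispatcher needs net_privaddr and proc_taskid\n", NR
            bad++
        }
    }
    END {
        if (n == 0)    { print "no entries for profile: " prof; bad++ }
        if (disp == 0) { print "no dispatcher entry for profile"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: a dispatcher line to which proc_taskid has not been added (step 6).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Oracle Communications Messaging Server:solaris:cmd:::/opt/sun/comms/messaging64/lib/dispatcher:privs=net_privaddr
EOF
check_exec_attr "$sample" 'Oracle Communications Messaging Server' || echo "exec_attr needs attention"
rm -f "$sample"
```

On the host, pass /etc/security/exec_attr as the file argument; profiles(1) run against mailsrv then confirms that the account lists the profile assigned in step 5.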
    

Once RBAC has been set up, the Messaging Server user has sufficient access to use the following commands without being run as root:

  • start-msg

  • stop-msg

  • imsimta restart | shutdown | startup | stop

Reference Information

For more information about role-based access controls, see the following sources:

  • Oracle Solaris 10 documentation: System Administration Guide: Security Services (Roles, Rights Profiles, and Privileges)

  • man pages: smc(1M), usermod(1M), prof_attr(4), exec_attr(4), privileges(5), rbac(5)