
Manual Pages Section 7: Standards, Environments, Macros, Character Sets, and Miscellany


Updated: Wednesday, July 27, 2022

rbac (7)

Name

rbac, RBAC - role-based access control

Description

Role-based access control lets a system administrator delegate administrative control over parts of the system to users. There are two ways to give a user the ability to run commands with additional privilege:

  • assign profiles directly to the user, in which case no additional authentication is required

  • create a role and assign profiles to the role. Roles can also be used to build a restricted environment for a user, in which the user cannot run commands that would otherwise be permitted.

Profiles

A profile is a named collection of commands and authorizations, where the commands run with additional privilege and/or with a specific real and effective UID and GID. For example, most of the printer system can be managed by having the lp commands run with the UID of lp. Some commands require privileges, as defined in privileges(7), in order to run. For example, the “Process Management” profile allows a user to run the kill command with the proc_owner privilege so that it can send signals to processes it does not own.

See exec_attr(5) and prof_attr(5) for how an administrator extends the profiles delivered with the system and creates new ones. Profile configuration can be stored in any of the currently supported name services (files, NIS, LDAP).
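As an added illustration of what extending the profile databases looks like (not taken from this manual page or from the system-delivered profiles), the fragment below defines a site profile that grants the proc_owner privilege to kill, in the spirit of the “Process Management” example above, and assigns it to a user. The profile name “Site Process Kill”, the help file name, the user name alice and the use of the prof_attr.d and exec_attr.d fragment directories are assumptions chosen for the example.

```text
# /etc/security/prof_attr.d/site-procs   (prof_attr(5): profname:res1:res2:desc:attr)
Site Process Kill:::Send signals to processes owned by other users:help=SiteProcKill.html

# /etc/security/exec_attr.d/site-procs   (exec_attr(5): name:policy:type:res1:res2:id:attr)
# The id field is the absolute path of the command; attr lists the privileges
# (or uid=/gid=) it receives when run through pfexec(1) or a profile shell.
Site Process Kill:solaris:cmd:::/usr/bin/kill:privs=proc_owner

# Assign the profile to a user and verify what that user can now run
# (the "+" form adds to the user's existing profile list):
#   # usermod -P +"Site Process Kill" alice
#   $ profiles -l alice
#   $ pfexec kill -HUP 1235
```

Two checks worth making before trusting such an entry: the path in the id field must be absolute and the binary must not be writable by the users holding the profile, since whatever is at that path runs with the listed privileges; and the privilege set should be the minimum the command needs (proc_owner here, not uid=0), because the profile, not the command, decides how much privilege is handed out.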

Profiles can also be used with the Service Management Facility (SMF) to control the privileges and the UID/GID with which a service runs. See smf_security(7) for details.

Profiles are searched in the order specified by the user's entry in the user_attr(5) database and in policy.conf(5). Each user has two sets of profiles: the authenticated set and the unauthenticated set. The user is required to reauthenticate before using pfexec(1) to execute a command that matches an entry in the exec_attr(5) database belonging to the authenticated profile set. When the command is run from a terminal, the authentication state is cached for the current user and tty, subject to the timeout option set for pam_tty_tickets(7) in the /etc/pam.d/pfexec PAM stack. When there is no tty but there is an active X11 session, the user is prompted to authenticate through a zenity(1) dialog, and that authentication state is cached for the current user and DISPLAY environment setting.

Processes that have been successfully reauthenticated, including those that were implicitly authenticated within the timeout value of the cache, are marked with an additional process flag, PRIV_PFEXEC_AUTH, which exempts child processes from subsequent reauthentication. Both the PRIV_PFEXEC and PRIV_PFEXEC_AUTH flags are inherited by child processes unless the real UID is changed.

Commands matching the unauthenticated profile set do not require reauthentication, but they have lower precedence than commands in the authenticated profile set. If the same command appears in more than one profile, the profile shell uses the first matching entry.

Roles

A role is a special kind of shared account that cannot log in to the system directly; it is accessible only to authorized users, using the su(8) command or over the network with ssh(1) (when host-based or GSS-API authentication is used). It cannot log in with rlogin(1), telnet(1), or gdm(8).

Like an ordinary user, a role has a UID, a password and a home directory. A role can be authenticated with either the user's own password or the role's password; the roleauth keyword in user_attr(5) controls this behaviour per role. Usually a role's login shell is one of the profile shells (see pfsh(1) for the list), and the role is granted one or more profiles, so that the role always executes commands with privilege.

Roles are generally only needed when a shared account environment is required. Assigning profiles directly to users is usually sufficient.

The root user can be configured as a role with the usermod(8) command. This ensures that only authorized users can become root, even if the root password becomes more widely known.

# usermod -K type=role root

Making root a role does not restrict access to single-user mode. The system console should be protected by other means, such as setting a security password with eeprom(8).

Authorizations

An authorization is a unique string that represents a user's right to perform some action or class of actions. Authorizations are normally checked only by programs that always run with some privilege, for example setuid(2) programs such as cdrw(1) or the system cron(8) daemon.

Authorization definitions are stored in the auth_attr(5) database. For programmatic authorization checks, only the authorization name matters.

Some typical entries in the auth_attr database are:

solaris.jobs.:::Cron and At Jobs::help=JobHeader.html
solaris.jobs.grant:::Delegate Cron & At \
    Administration::help=JobsGrant.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.user:::Cron & At User::help=JobsUser.html

An authorization name ending in the grant suffix is a special authorization that allows the user to delegate authorizations with the same prefix and functional area to other users.

All authorization names beginning with solaris are reserved for assignment by the operating system vendor. Developers and administrators may create their own top-level namespaces; a unique identifier such as a company name, DNS domain name or application name is recommended.

Authorization Checks

To check an authorization from C code, developers should use the chkauthattr(3C) library function, which verifies that the user holds the given authorization.

Authorizations can be checked explicitly in shell scripts by examining the output of the auths(1) utility. For example,

PROG=${0##*/}                                  # script name for error messages

# auths(1) prints the user's authorizations as a comma-separated list;
# walk it looking for the one this script needs, with NOTFOUND as sentinel
for auth in `auths | tr , " "` NOTFOUND ; do
    [ "$auth" = "solaris.date" ] && break      # authorization found
done

if [ "$auth" != "solaris.date" ] ; then
    echo >&2 "$PROG: ERROR: you are not authorized to set the date"
    exit 1
fi

Authorizations are also used by the Service Management Facility (SMF) to control which users may change the state of a service or reconfigure it. See smf_security(7) for details.

Comparison with sudo(8)

RBAC in Solaris provides a set of functionality similar to sudo(8), which is often provided with UNIX and UNIX-like systems, including Oracle Solaris.

One of the most obvious differences between Solaris RBAC and sudo is the authentication model. In sudo, the user reauthenticates as themselves. In Solaris RBAC, no additional authentication is needed when unauthenticated profiles are assigned directly to the user. Authentication may be needed in Solaris RBAC when executing commands from an authenticated profile, or when the user authenticates to a shared account called a role.

Using the NOPASSWD functionality in sudo is similar to assigning the profile to the user and having the user execute the command using pfexec(1). For example, if sudoers(5) allows the user to run kill(1) as UID 0 but without authentication (NOPASSWD), the user would run:

$ sudo kill -HUP 1235

In Solaris RBAC, if the user has a normal (that is, no profile) login shell, the user would execute the equivalent operation by being assigned the “Process Management” profile and would use pfexec as follows:

$ pfexec kill -HUP 1235

If the user has a profile shell (such as pfsh) as the login shell, kill always runs with the additional privilege and no “prefix” is needed. For example,

$ kill -HUP 1235

An RBAC role is similar in concept to a User_Alias in sudoers(5), except that, unless roleauth in user_attr(5) says otherwise, the role's password rather than the user's password is required.

An execution profile in RBAC (an exec_attr(5) entry) is similar to a Cmnd_Alias in sudoers.

There is currently no equivalent of the Host_Alias sudo(8) functionality in Solaris RBAC.

See Also

auths(1), ld.so.1(1), pfexec(1), pfsh(1), profiles(1), roles(1), auth_attr(5), exec_attr(5), prof_attr(5), sudoers(5), user_attr(5), pam_tty_tickets(7), smf_security(7), sudo(8)

History

Support for authenticated profiles was added in Oracle Solaris 11.2.0.

RBAC was added to Solaris in Solaris 8.