RBAC Support for RAD

When a client application connects to a local or a remote RAD service, it initiates a new RAD slave process to execute remote procedure calls on behalf of the user and client. The RAD slave processes that are initiated by a normal user include basic privileges. However, if a RAD method wants to call a library function which requires root privileges, the user must authenticate as root to the RAD daemon before RBAC is added to RAD. This authentication requirement limits the utility of existing modules that have not been authenticated to. Also, all modules associated with a connection in legacy Oracle Solaris executed within a single slave process. Therefore, you could not associate module privileges at a process level.

Starting with Oracle Solaris 11.4, each module executes its own slave process, therefore you can apply process attributes for each module. This feature also ensures that each slave process can apply process attributes independently. To provide process attributes to a module, you create a rights profile that assigns privileges to a module. For details, see Creating a Rights Profile That Includes Privileged Commands in Securing Users and Processes in Oracle Solaris 11.4.

A possible exec_attr entry for a RAD User Security rights profile might display as follows:

RAD User Security:solaris:cmd:::/usr/lib/rad/module/mod_RADusermgr.so.1:privs=proc_zone

For more information, see the privileges(7) and exec_attr(5) man pages.

For more information RBAC, see Chapter 1, About Using Rights to Control Users and Processes in Securing Users and Processes in Oracle Solaris 11.4.