Role Based Access Control in Solaris 10

Let's examine Solaris RBAC terminology.

1. Roles - the highest level of abstraction in Solaris RBAC. A role is a special type of account which
inherits its security attributes from profiles.
Place of definition: the /etc/user_attr file.

2. Profiles - combine authorizations and commands (each command with its own uid, euid, gid, egid and privileges).
Defined in two files: /etc/security/exec_attr and /etc/security/prof_attr

3. Authorizations - define a class of actions that you are allowed to perform.
Example: solaris.device.cdrw - permits users read-write operations on the CD-ROM.
Authorizations are defined in the /etc/security/auth_attr file.

But I don't suggest editing these files directly; use the dedicated tools (roleadd, useradd, passwd and friends) as much as possible.

So let's try it: create a custom profile -> create a role -> assign it to a user.

1. Log on to the machine as root or assume the primary administrator role.
2. Edit the /etc/security/prof_attr file and add the following line to it:
PrintOpr:::Can perform printer related tasks:profiles=Printer Management, All
Save the file and exit.
3. Create a role with name printRole and assign it the PrintOpr profile (remember, the profile name is case sensitive) by issuing the following command:
roleadd -P PrintOpr printRole
4. Set the password for this role by using the passwd command:
passwd printRole
5. Create a user named testuser and assign it the role printRole:
useradd -R printRole -d <dirName> testuser
where <dirName> is the full path to the home directory that will be assigned to the user being created.
6. Set the password for testuser by issuing the passwd command:
passwd testuser
7. Test that the role has been created and assigned to the user: log out, and log in as testuser. Issue the roles command to see whether testuser has the role assigned to it:
roles
Assume the role:
su printRole
Display the profiles that are assigned to this role:
profiles
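Once the role exists, the useful check is not just that testuser can assume printRole, but what the role actually carries: the PrintOpr line above nests Printer Management and All, and nested profiles= entries are where a "limited" role quietly gains rights. The script below is an added example, not part of the post: it parses user_attr and prof_attr entries in the formats described above (constructed sample contents, embedded inline so it runs anywhere) and expands a role's profiles transitively.

```shell
#!/bin/sh
# Added example: resolve the profiles a role carries from the files the post
# describes. The file contents below are constructed, not copied from a real
# system; the PrintOpr line is the one added in step 2 of the post.
# user_attr format:  user:qualifier:res1:res2:attr   (attr = key=value;key=value)
# prof_attr format:  profile:res1:res2:description:attr
USER_ATTR='printRole::::type=role;profiles=PrintOpr
testuser::::type=normal;roles=printRole'
PROF_ATTR='PrintOpr:::Can perform printer related tasks:profiles=Printer Management, All
Printer Management:::Manage printers, daemons, spooling:auths=solaris.print.*;help=RtPrntAdmin.html
All:::Execute any command as the user or role:help=RtAll.html'

# attr_of CONTENTS NAME KEY: print the value of KEY from the attr field of entry NAME.
attr_of() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name { n = split($5, kv, ";")
                     for (i = 1; i <= n; i++)
                         if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2) }'
}

# user_roles USER: roles the user may assume with su, one per line.
user_roles() { attr_of "$USER_ATTR" "$1" roles | tr ',' '\n'; }

# role_profile_closure ROLE: every profile the role carries, following nested
# profiles= entries in prof_attr (so PrintOpr expands to Printer Management and All).
role_profile_closure() {
    direct=$(attr_of "$USER_ATTR" "$1" profiles)
    printf '%s\n' "$PROF_ATTR" | awk -F: -v start="$direct" '
        function walk(p,   n, i, kids) {
            if (p in seen) return          # guard against cycles and duplicates
            seen[p] = 1; print p
            n = split(nested[p], kids, ",")
            for (i = 1; i <= n; i++) { sub(/^ +/, "", kids[i]); walk(kids[i]) }
        }
        NF >= 5 { n = split($5, kv, ";")
                  for (i = 1; i <= n; i++)
                      if (kv[i] ~ /^profiles=/) nested[$1] = substr(kv[i], 10) }
        END { n = split(start, roots, ",")
              for (i = 1; i <= n; i++) { sub(/^ +/, "", roots[i]); walk(roots[i]) } }'
}

# Demo on the constructed data.
printf 'roles of testuser: %s\n' "$(user_roles testuser | tr '\n' ' ')"
printf 'profiles reachable from printRole:\n'
role_profile_closure printRole
```

On a real system you would point USER_ATTR and PROF_ATTR at the contents of /etc/user_attr and /etc/security/prof_attr; any role whose closure includes All or Primary Administrator deserves a second look.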


Solaris 10 also ships with several predefined profiles:
Primary Administrator. This rights profile consists of all the rights of a superuser.
System Administrator. This profile contains most of the rights except for security-related rights. It provides the ability to perform
most non-security administrative tasks, such as printer management, cron management, device management,
file system management, mail management, backup and restore, name service management,
network management, software installation, and process and user management. It includes several other profiles, which makes it a powerful profile.
Operator. This profile contains limited rights to manage files and offline media. It provides the ability to perform backups and printer maintenance.
By default, it does not include the rights to restore files.
Printer Management. This profile consists of a limited number of authorizations and commands to handle printing.
Basic Solaris User. This profile enables users to use the Solaris system within the security boundaries set up on the system.
This profile is assigned, by default, to all Solaris users.
All. This profile consists of commands that do not have security attributes.

Comments

david santos said…
Thanks for your posting and have a good week.