RBAC Operations

Common operations performed in the context of RBAC include setting up profiles and defining roles. The following commands are commonly used.

  • smexec Creates, reads, updates, and deletes rows in the exec_attr database.

  • smmultiuser Performs batch functions.

  • smuser Performs operations on user accounts.

  • smprofile Creates, reads, updates, and deletes profiles in the prof_attr database.

  • smrole Creates, reads, updates, and deletes role accounts.

  • rolemod Modifies roles.

  • roledel Deletes roles.

  • roleadd Adds roles.

The prof_attr database contains all of the profile definitions for the system. For example, profiles might be created for the Primary Administrator, System Administrator, Operator, Basic Solaris User, and Printer Manager. A special profile is the All Rights profile, which is associated with all commands that have no security restrictions enforced on their use. This is the default profile, which covers all commands not designated as requiring specific authorization. In contrast, the Primary Administrator is granted explicit rights over all security-related commands and operations, as defined by the solaris.* authorization. The Primary Administrator can then delegate tasks to other users where appropriate, provided the solaris.grant authorization is also held. The scope of the Primary Administrator can be limited if this role is considered too close in power to the superuser.

The System Administrator, in contrast, has a much more limited role. Specific authorizations are granted to the System Administrator, rather than using wildcards to allow complete access. Typical commands defined in this profile allow auditing and accounting, printer administration, batch processing, device installation and configuration, file system repairs, e-mail administration, name and directory service configuration, process administration, and setting up new software. The Operator profile has very few privileges at all: only printer and backup administration are permitted. Note that the Operator is not allowed to restore data; this privilege is reserved for the System Administrator or Primary Administrator. As an alternative to the Operator, the Printer Manager profile allows only printer administration tasks to be performed. Typical authorizations that are permitted include solaris.admin.printer.delete, solaris.admin.printer.modify, and solaris.admin.printer.read, encompassing commands like lpsched, lpstat, and lpq.

A slightly different approach is taken for the definition of the Basic Solaris User: this policy is contained within the policy.conf file. Typical authorizations permitted for the Basic Solaris User include the following:

solaris.admin.dcmgr.read
solaris.admin.diskmgr.read
solaris.admin.fsmgr.read
solaris.admin.logsvc.read
solaris.admin.printer.read
solaris.admin.procmgr.user
solaris.admin.prodreg.read
solaris.admin.serialmgr.read
solaris.admin.usermgr.read
solaris.compsys.read
solaris.jobs.user
solaris.profmgr.read

The following databases play a key role in RBAC's operations.

user_attr

The user_attr file is the RBAC user database. It contains a single entry by default, which defines the security information for every user that has access to RBAC. The following entry gives the root user permission to do everything on the system:

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All

Clearly, if the power of root were to be reduced, solaris.* would need to be replaced with something more restricted in scope, such as solaris.admin.*.

auth_attr

The auth_attr file is the RBAC authorization database. It contains lists of all authorizations defined on the system. Some sample entries are shown here:

solaris.admin.fsmgr.:::Mounts and Shares::
solaris.admin.fsmgr.read:::View Mounts and Shares::help=AuthFsmgrRead.html
solaris.admin.fsmgr.write:::Mount and Share Files::help=AuthFsmgrWrite.html
solaris.admin.logsvc.:::Log Viewer::
solaris.admin.logsvc.purge:::Remove Log Files::help=AuthLogsvcPurge.html
solaris.admin.logsvc.read:::View Log Files::help=AuthLogsvcRead.html
solaris.admin.logsvc.write:::Manage Log Settings::help=AuthLogsvcWrite.html
solaris.admin.serialmgr.:::Serial Port Manager::
solaris.admin.usermgr.:::User Accounts::
solaris.admin.usermgr.pswd:::Change Password::help=AuthUserMgrPswd.html
solaris.admin.usermgr.read:::View Users and Roles::help=AuthUsermgrRead.html
solaris.admin.usermgr.write:::Manage Users::help=AuthUsermgrWrite.html

prof_attr

The prof_attr file is the RBAC profile database. Sample prof_attr entries for the Basic Solaris User, User Management, and User Security are shown here:

Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read;profiles=All;help=RtDefault.html
User Management:::Manage users, groups, home directory:auths=profmgr.read,solaris.admin.usermgr.write,solaris.admin.usermgr.read;help=RtUserMngmnt.html
User Security:::Manage passwords, clearances:auths=solaris.role.*,solaris.profmgr.*,solaris.admin.usermgr.*;help=RtUserSecurity.html

exec_attr

The exec_attr file is the RBAC command database. It contains lists of commands associated with a specific profile, together with the user and group IDs the command runs under. For example, a set of entries for the User Management profile would look like this:

User Management:suser:cmd:::/etc/init.d/utmpd:uid=0;gid=sys
User Management:suser:cmd:::/usr/sbin/grpck:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
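To show how the four databases fit together (user_attr names the profiles and direct authorizations of a user, prof_attr maps profiles to authorizations and to further profiles, exec_attr maps a profile and command path to the identity the command runs with), here is an added resolver written for this page; it is not code from the book or from Sun. The database contents are constructed strings modelled on the sample entries above; the "opr" user, the "All" prof_attr entry and the assumption that policy.conf grants the Basic Solaris User profile to everyone are hypothetical inputs for the example. It also models the delegation rule described earlier (an authorization can only be delegated by someone who holds both it and solaris.grant) and the wildcard matching of solaris.* style authorizations.

```python
"""Resolver for the Solaris RBAC databases (added example; constructed data)."""

# user_attr: user:qualifier:res1:res2:attr  (constructed; 'opr' is hypothetical)
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
opr::::type=normal;profiles=User Management
"""

# prof_attr: profname:res1:res2:desc:attr  (constructed; the 'All' line is assumed)
PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read;profiles=All;help=RtDefault.html
User Management:::Manage users, groups, home directory:auths=profmgr.read,solaris.admin.usermgr.write,solaris.admin.usermgr.read;help=RtUserMngmnt.html
User Security:::Manage passwords, clearances:auths=solaris.role.*,solaris.profmgr.*,solaris.admin.usermgr.*;help=RtUserSecurity.html
"""

# exec_attr: profname:policy:type:res1:res2:id:attr  (constructed)
EXEC_ATTR = """\
User Management:suser:cmd:::/etc/init.d/utmpd:uid=0;gid=sys
User Management:suser:cmd:::/usr/sbin/grpck:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
"""

# Profiles policy.conf hands to every user (assumed: PROFS_GRANTED=Basic Solaris User).
POLICY_PROFS_GRANTED = ("Basic Solaris User",)


def parse_attrs(field):
    """'key=v1,v2;key2=v3' -> {'key': 'v1,v2', 'key2': 'v3'} (values kept raw)."""
    attrs = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        attrs[key] = value
    return attrs


def attr_list(attrs, key):
    """A comma-separated attribute value as a list (empty when the key is absent)."""
    return [v for v in attrs.get(key, "").split(",") if v]


def load_db(text, nfields):
    """Split each non-empty, non-comment line into nfields colon-separated fields,
    keyed by the first field. The final (attribute) field is never split further."""
    db = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        fields += [""] * (nfields - len(fields))
        db[fields[0]] = fields
    return db


def load_exec_db(text):
    """exec_attr is keyed by (profile, command path); one profile has many lines."""
    db = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        prof, _policy, _kind, _r1, _r2, ident, attr = line.split(":", 6)
        db[(prof, ident)] = parse_attrs(attr)
    return db


USERS = load_db(USER_ATTR, 5)
PROFILES = load_db(PROF_ATTR, 5)
EXECS = load_exec_db(EXEC_ATTR)


def user_profiles(user, policy_profiles=POLICY_PROFS_GRANTED):
    """Ordered, transitive profile list: user_attr profiles first, then the
    policy.conf grants, then profiles named inside those profiles (Basic Solaris
    User -> All). Order matters because the first exec_attr match wins."""
    pending = attr_list(parse_attrs(USERS[user][4]), "profiles") + list(policy_profiles)
    seen = []
    while pending:
        prof = pending.pop(0)
        if prof in seen:
            continue
        seen.append(prof)
        if prof in PROFILES:
            pending += attr_list(parse_attrs(PROFILES[prof][4]), "profiles")
    return seen


def user_auths(user, policy_profiles=POLICY_PROFS_GRANTED):
    """Direct auths from user_attr plus the auths of every profile the user holds."""
    auths = attr_list(parse_attrs(USERS[user][4]), "auths")
    for prof in user_profiles(user, policy_profiles):
        if prof in PROFILES:
            auths += attr_list(parse_attrs(PROFILES[prof][4]), "auths")
    return auths


def auth_matches(granted, wanted):
    """'solaris.admin.usermgr.*' covers 'solaris.admin.usermgr.read'; 'solaris.*' covers all."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def has_auth(user, auth, policy_profiles=POLICY_PROFS_GRANTED):
    return any(auth_matches(g, auth) for g in user_auths(user, policy_profiles))


def can_delegate(user, auth, policy_profiles=POLICY_PROFS_GRANTED):
    """Delegating an authorization requires holding it and solaris.grant."""
    return has_auth(user, auth, policy_profiles) and has_auth(user, "solaris.grant", policy_profiles)


def resolve_command(user, path, policy_profiles=POLICY_PROFS_GRANTED):
    """Identity attributes (uid/euid/gid) for running path under the user's profiles:
    the first matching exec_attr entry, {} when only the All profile covers the
    command (it runs with the caller's own identity), or None when no profile permits it."""
    profs = user_profiles(user, policy_profiles)
    for prof in profs:
        if (prof, path) in EXECS:
            return EXECS[(prof, path)]
    return {} if "All" in profs else None


if __name__ == "__main__":
    for who in ("root", "opr"):
        print(who, user_profiles(who), resolve_command(who, "/usr/sbin/pwck"))
```

Running the block prints the resolved profile chain and the identity pwck would run with for each user. Note what the policy.conf grant changes: with the Basic Solaris User profile (and therefore All) granted to everyone, an arbitrary command such as /usr/bin/ls resolves to {} for opr, while removing that grant makes the same lookup return None, which is why the page's remark about limiting the All profile matters when tightening a system.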

Sun Certified Solaris(tm) 9 System and Network Administrator All-in-One Exam Guide
ISBN: 0072225300
Year: 2003
Pages: 265
Authors: Paul Watters