Using RBAC

To better describe RBAC, it’s easier to first describe how a system administrator would utilize RBAC to delegate an administrative task to a nonroot user in a fictional setting at Acme Corp.

At the fictional Acme Corp., the system administrator is overwhelmed with tasks. He is going to delegate some of his responsibility to Neil, a user from the engineering department who helps out sometimes with system administration tasks.

The system administrator first needs to define which tasks he wants Neil to help out with. He has identified three tasks:

  • Changing user passwords but not adding or removing accounts

  • Mounting and sharing file systems

  • Managing crontabs

In RBAC, when we speak of delegating administrative tasks, it is referred to as a role account. A role account is a special type of user account that is intended for performing a set of administrative tasks. Role accounts get their capabilities from rights profiles and authorizations. It is like a normal user account in most respects except that users can gain access to it only through the su command after they have logged in to the system with their normal login account. A role account is not accessible for normal logins (for example, through the CDE login window). From a role account, a user can access commands with special attributes—typically the root user’s ID—that are not available to users in normal accounts.

At Acme Corp, the system administrator needs to define a role username for the tasks he wants to delegate. Let’s use the role username adminusr. After Neil logs in with his normal login name of neil, he then needs to issue the su command and switch to adminusr whenever he wants to perform administrative tasks.

The easiest way to define a role account is by using the Solaris Management Console, as described in the next chapter. Chapter 18, “Solaris Management Console,” provides all the information you need to define this administrative role for a user. In this chapter, however, I’ll describe how to create a role via the command line.

So far, we have determined that we want to name the role account adminusr. The system administrator creates the role account using the roleadd command. The roleadd command adds a role account to the /etc/passwd, etc/shadow, and /etc/user_attr files. The syntax for the roleadd command is as follows:

roleadd [-c comment] [-d dir] [-e expire] [-f inactive] [-g group] [-G group]  
[-m] [-k skel_dir] [-u uid] [-s shell] [-P profile] [-A authorization] <role username>

You’ll notice that roleadd looks a great deal like the useradd command described in Chapter 13, “Setting Up User Accounts.” Table 17.1 describes the options for the roleadd command.

Table 17.1. roleadd Options
Option Description
-c <comment> Any text string to provide a brief description of the role.
-d <dir> The home directory of the new role account.
-m Creates the new role’s home directory if it does not already exist.
-s <shell> Specifies the user’s shell on login. The default is /bin/sh.
-A <authorization> <profile> These options assign authorizations -P and profiles to the role, respectively. Authorizations and profiles are described later in this section.

The other options are the same as those described for the useradd command in Chapter 13.

When creating a role account with the roleadd command, you need to specify an authorization and profile to the role. An authorization is a user right that grants access to a restricted function. It is a unique string that identifies what is being authorized as well as who created the authorization.

Certain privileged programs check the authorizations to determine whether users can execute restricted functionality. The following are the predefined authorizations from the /etc/security/auth_attr file that apply to the tasks to be delegated:

solaris.admin.usermgr.pswd:::Change User Passwords::help=UserMgrPswd.html 
solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html 
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html 
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html 
solaris.jobs.:::Job Scheduler::help=JobHeader.html 
solaris.admin.fsmgr.write:::Mount/Share File Systems::help=FsMgrWrite.html

Notice the short description in the fourth field of the authorization. All authorizations are stored in the auth_attr database, so the system administrator needs to use one or more of the authorizations stored in that file. For the Acme Corp. example, the system administrator needs to specify the authorizations named, as shown here:

solaris.admin.usermgr.pswd 
solaris.jobs.grant 
solaris.jobs.user 
solaris.jobs.admin 
solaris.admin.fsmgr.write

When a name ends with the word “grant,” the entry defines a grant authorization. Grant authorizations are used to support fine-grained delegation. Users with appropriate grant authorizations can delegate some of their authorizations to others. To assign an authorization, the user needs to have both the authorization itself and the appropriate grant authorization. For example, a role with the authorizations solaris.admin.usermgr.grant and solaris.admin.usermgr.pswd can delegate the solaris.admin.usermgr.pswd authorization to another user.

Therefore, the system administrator would issue the roleadd command, as follows:

roleadd –m –d /export/home/adminusr –c "Admin Assistant" –A  
solaris.admin.usermgr.pswd,solaris.jobs.grant,solaris.jobs.user,solaris.jobs.admin, 
solaris.admin.fsmgr.write adminusr

The system responds with the following:

64 blocks

A role account named adminusr with the required directory structures has been created. Note the following entries in the /etc/passwd and /etc/ user_attr files that were created. In the /etc/passwd file entry:

adminusr:x:100:1:Admin Asst:/export/home/adminusr:/bin/pfsh

Note

Notice that the name of the shell is /bin/pfsh. Authorized users can obtain privileged applications from the command line of a special shell called a profile shell. A profile shell is launched when the user runs su to assume a role. The profile shells are pfsh, pfcsh, and pfksh, and they correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.


In the /etc/user_attr entry:

adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, 
solaris.admin.fsmgr.write;profiles=All

Also a home directory for adminusr has been created in /export/home. The next step is to set the password for the adminusr role account by typing the following:

passwd adminusr 
<enter the new password twice>

Now we need to set up Neil’s account so that he can access the new role account named adminusr. With the usermod command, we assign the role to the user account using the –R option, as follows:

usermod –R adminusr neil

Notice that an entry in /etc/user_attr has been added for neil.

adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, 
solaris.admin.fsmgr.write;profiles=All 
neil::::type=normal;roles=adminusr

To access the administrative functions, Neil needs to first log in using his regular user account named neil. Neil can check which roles he has been granted by typing the following:

roles

The system responds with the roles that have been granted to the user account neil, as follows:

adminusr

Neil then needs to su to the adminusr account by typing the following:

su adminusr 
<enter the password for adminusr>

Now Neil can modify user passwords, manage crontabs, and mount and share file systems. Any other user trying to su to the adminusr account gets this message:

$ su adminusr 
Password: 
Roles can only be assumed by authorized users 
su: Sorry 
$

If, later on, the system administrator wants to assign additional authorizations to the role account named adminusr, he would do so using the rolemod command. The rolemod command modifies a role’s login information on the system. The syntax for the rolemod command is as follows:

rolemod [-u uid] [-o] [-g group] [-G group] [-d dir] [-m] [-s shell][-c comment]  
[-l new_logname] [-f inactive] [-e expire] [-A authorization] 
[-P profile] <role account>

Options to the rolemod command are described in Table 17.2.

Table 17.2. rolemod Options
Option Description
-u <uid> Specifies a new UID for the role. It must be a non-negative decimal integer. The UID associated with the role’s home directory is not modified with this option; a role does not have access to its home directory until the UID is manually reassigned using the chown command.
-o Allows the specified UID to be duplicated (nonunique).
-g <group> Specifies an existing group’s integer ID or character string name. It redefines the role’s primary group membership.
-G <group> Specifies an existing group’s integer ID or character string name. It redefines the role’s supplementary group membership. Duplicates between groups when the -g and -G options are ignored.
-d <dir> Specifies the new home directory of the role. It defaults to <base_dir>/login, in which <base_dir> is the base directory for new login home directories and login is the new login.
-m Moves the role’s home directory to the new directory specified with the -d option. If the directory already exists, it must have the permissions read/write/execute by group, in which group is the role’s primary group.
-s <shell> Specifies the full pathname of the program used as the role’s shell on login. The value of shell must be a valid executable file.
-c <comment> Specifies a comment string. <comment> can be any text string. It is generally a short description of the login and is currently used as the field for the user’s full name. This information is stored in the user’s /etc/passwd entry.
-l <new_logname> Specifies the new login name for the role. The <new_logname> argument is a string of no more than eight bytes consisting of characters from the set of alphabetic characters, numeric characters, period (.), underline (_), and hyphen (-). The first character should be alphabetic, and the field should contain at least one lowercase alphabetic character. A warning message is written if these restrictions are not met. A future Solaris release might refuse to accept login fields that do not meet these requirements. The <new_logname> argument must contain at least one character and must not contain a colon (:) or newline ( ).
-f <inactive> Specifies the maximum number of days allowed between uses of a login ID before that login ID is declared invalid. Normal values are positive integers.
-e <expire> Specifies the expiration date for a role. After this date, no user can access this role. The <expire> option argument is a date entered using one of the date formats included in the template file /etc/ datemsk. For example, you can enter 12/30/01 or December 30, 2001.
-A <authorization> One or more comma-separated authorizations as defined in the auth_attr database. This replaces any existing authorization setting.
-P <profile> Replaces any existing profile setting. One or more comma-separated execution profiles are defined in the prof_attr database.

To add the capability to purge log files, you need to add solaris.admin.logsvc .purge to the list of authorizations for adminusr. To do this, issue the rolemod command as follows:

rolemod –A solaris.admin.usermgr.pswd,solaris.jobs.admin,solaris.admin.fsmgr.write, 
solaris.admin.logsvc.purge adminusr

Note

I re-entered all of the authorizations. The rolemod command does not add to the existing authorizations; it replaces any existing authorization setting.


The rolemod command modifies the adminusr entry in the /etc/user_attr file as follows:

adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, 
solaris.admin.logsvc.purge;profiles=All

If you want to remove a role account, use the roledel command as follows:

roledel [-r] <role account name>

The –r option removes the role’s home directory from the system. For example, to remove the adminusr role account along with the home directory, issue the following command:

roledel –r adminusr

The next section discusses each of the RBAC databases in detail, describing the entries made when I executed the roleadd and usermod commands.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset