To better describe RBAC, it’s easier to first describe how a system administrator would utilize RBAC to delegate an administrative task to a nonroot user in a fictional setting at Acme Corp.
At the fictional Acme Corp., the system administrator is overwhelmed with tasks. He is going to delegate some of his responsibility to Neil, a user from the engineering department who helps out sometimes with system administration tasks.
The system administrator first needs to define which tasks he wants Neil to help out with. He has identified three tasks:
Changing user passwords but not adding or removing accounts
Mounting and sharing file systems
Managing crontabs
In RBAC, when we speak of delegating administrative tasks, it is referred to as a role account. A role account is a special type of user account that is intended for performing a set of administrative tasks. Role accounts get their capabilities from rights profiles and authorizations. It is like a normal user account in most respects except that users can gain access to it only through the su command after they have logged in to the system with their normal login account. A role account is not accessible for normal logins (for example, through the CDE login window). From a role account, a user can access commands with special attributes—typically the root user’s ID—that are not available to users in normal accounts.
At Acme Corp, the system administrator needs to define a role username for the tasks he wants to delegate. Let’s use the role username adminusr. After Neil logs in with his normal login name of neil, he then needs to issue the su command and switch to adminusr whenever he wants to perform administrative tasks.
The easiest way to define a role account is by using the Solaris Management Console, as described in the next chapter. Chapter 18, “Solaris Management Console,” provides all the information you need to define this administrative role for a user. In this chapter, however, I’ll describe how to create a role via the command line.
So far, we have determined that we want to name the role account adminusr. The system administrator creates the role account using the roleadd command. The roleadd command adds a role account to the /etc/passwd, etc/shadow, and /etc/user_attr files. The syntax for the roleadd command is as follows:
roleadd [-c comment] [-d dir] [-e expire] [-f inactive] [-g group] [-G group]
[-m] [-k skel_dir] [-u uid] [-s shell] [-P profile] [-A authorization] <role username>
You’ll notice that roleadd looks a great deal like the useradd command described in Chapter 13, “Setting Up User Accounts.” Table 17.1 describes the options for the roleadd command.
The other options are the same as those described for the useradd command in Chapter 13.
When creating a role account with the roleadd command, you need to specify an authorization and profile to the role. An authorization is a user right that grants access to a restricted function. It is a unique string that identifies what is being authorized as well as who created the authorization.
Certain privileged programs check the authorizations to determine whether users can execute restricted functionality. The following are the predefined authorizations from the /etc/security/auth_attr file that apply to the tasks to be delegated:
solaris.admin.usermgr.pswd:::Change User Passwords::help=UserMgrPswd.html solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html solaris.jobs.:::Job Scheduler::help=JobHeader.html solaris.admin.fsmgr.write:::Mount/Share File Systems::help=FsMgrWrite.html
Notice the short description in the fourth field of the authorization. All authorizations are stored in the auth_attr database, so the system administrator needs to use one or more of the authorizations stored in that file. For the Acme Corp. example, the system administrator needs to specify the authorizations named, as shown here:
solaris.admin.usermgr.pswd solaris.jobs.grant solaris.jobs.user solaris.jobs.admin solaris.admin.fsmgr.write
When a name ends with the word “grant,” the entry defines a grant authorization. Grant authorizations are used to support fine-grained delegation. Users with appropriate grant authorizations can delegate some of their authorizations to others. To assign an authorization, the user needs to have both the authorization itself and the appropriate grant authorization. For example, a role with the authorizations solaris.admin.usermgr.grant and solaris.admin.usermgr.pswd can delegate the solaris.admin.usermgr.pswd authorization to another user.
Therefore, the system administrator would issue the roleadd command, as follows:
roleadd –m –d /export/home/adminusr –c "Admin Assistant" –A solaris.admin.usermgr.pswd,solaris.jobs.grant,solaris.jobs.user,solaris.jobs.admin, solaris.admin.fsmgr.write adminusr
The system responds with the following:
64 blocks
A role account named adminusr with the required directory structures has been created. Note the following entries in the /etc/passwd and /etc/ user_attr files that were created. In the /etc/passwd file entry:
adminusr:x:100:1:Admin Asst:/export/home/adminusr:/bin/pfsh
Note
Notice that the name of the shell is /bin/pfsh. Authorized users can obtain privileged applications from the command line of a special shell called a profile shell. A profile shell is launched when the user runs su to assume a role. The profile shells are pfsh, pfcsh, and pfksh, and they correspond to the Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
In the /etc/user_attr entry:
adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, solaris.admin.fsmgr.write;profiles=All
Also a home directory for adminusr has been created in /export/home. The next step is to set the password for the adminusr role account by typing the following:
passwd adminusr <enter the new password twice>
Now we need to set up Neil’s account so that he can access the new role account named adminusr. With the usermod command, we assign the role to the user account using the –R option, as follows:
usermod –R adminusr neil
Notice that an entry in /etc/user_attr has been added for neil.
adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, solaris.admin.fsmgr.write;profiles=All neil::::type=normal;roles=adminusr
To access the administrative functions, Neil needs to first log in using his regular user account named neil. Neil can check which roles he has been granted by typing the following:
roles
The system responds with the roles that have been granted to the user account neil, as follows:
adminusr
Neil then needs to su to the adminusr account by typing the following:
su adminusr
<enter the password for adminusr>
Now Neil can modify user passwords, manage crontabs, and mount and share file systems. Any other user trying to su to the adminusr account gets this message:
$ su adminusr Password: Roles can only be assumed by authorized users su: Sorry $
If, later on, the system administrator wants to assign additional authorizations to the role account named adminusr, he would do so using the rolemod command. The rolemod command modifies a role’s login information on the system. The syntax for the rolemod command is as follows:
rolemod [-u uid] [-o] [-g group] [-G group] [-d dir] [-m] [-s shell][-c comment] [-l new_logname] [-f inactive] [-e expire] [-A authorization] [-P profile] <role account>
Options to the rolemod command are described in Table 17.2.
To add the capability to purge log files, you need to add solaris.admin.logsvc .purge to the list of authorizations for adminusr. To do this, issue the rolemod command as follows:
rolemod –A solaris.admin.usermgr.pswd,solaris.jobs.admin,solaris.admin.fsmgr.write, solaris.admin.logsvc.purge adminusr
Note
I re-entered all of the authorizations. The rolemod command does not add to the existing authorizations; it replaces any existing authorization setting.
The rolemod command modifies the adminusr entry in the /etc/user_attr file as follows:
adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.jobs.admin, solaris.admin.logsvc.purge;profiles=All
If you want to remove a role account, use the roledel command as follows:
roledel [-r] <role account name>
The –r option removes the role’s home directory from the system. For example, to remove the adminusr role account along with the home directory, issue the following command:
roledel –r adminusr
The next section discusses each of the RBAC databases in detail, describing the entries made when I executed the roleadd and usermod commands.