Role-Based Access Control
First appearing in the Solaris 8 OE release, role-based access control (RBAC) is an alternative to the all-or-nothing superuser privilege model. In the superuser (root) model, the power to do anything to the system (be it deleting files, adding users, starting or stopping daemons) is granted after the superuser privilege level is obtained. RBAC provides the least privilege model.
The least privilege model breaks up the capabilities of the superuser into roles. A role is a special type of user account from which privileged applications might be run. A user assumes a role with the su(1M) command. For example, operators might have the backup role assigned to them that allows them to run ufsdump(1M) with privilege. In addition, users might have one or more roles. Even root can be made into a role to prevent anonymous root logins.
In the Solaris 8 and 9 OE releases, RBAC is optional. It is not on by default because no default roles are created. For sites with earlier Solaris OE releases, an alternative to RBAC is sudo, maintained by Todd Miller. sudo provides the capabilities of su(1M) on a per-command, per-user assignment basis.
TABLE 0-2 Pros and Cons of Using RBAC, sudo, and root Shell

| Name | Pro | Con |
| --- | --- | --- |
| RBAC | Limits privilege by either granting limited root-level privileges or restricting what a user account can do. It is an integral feature of the Solaris OE. | Requires a change in the mindset away from the superuser model. Is not available in the Solaris 2.6 or 7 OE. |
| sudo | Works on non-RBAC-capable Solaris OE releases. | Must be downloaded, built, and tested. Is not Sun supported software. Grants only limited access to root-level privilege. |
| root Shell | Most power in using a system. | Any direct root login can do anything to the system. Console logins defeat auditing. |
To Use RBAC to Restrict a User to Only Copying Files
1. Become the superuser.

2. Add the execution attributes of the role.

    # cat <<_EOM_ >> /etc/security/exec_attr
    > Restricted Secure Shell:suser:cmd:::/usr/bin/scp:
    > _EOM_

3. Add the name of the role.

    # cat <<_EOM_ >> /etc/security/prof_attr
    > Restricted Secure Shell:::scp access only:
    > _EOM_

4. Comment out PROFS_GRANTED=Basic Solaris User in the /etc/security/policy.conf file.

5. Assign the user the role.

    # cat <<_EOM_ >> /etc/user_attr
    > user::::profiles=Restricted Secure Shell
    > _EOM_

6. Change the user's shell to a profile shell.

    # usermod -s /usr/bin/pfksh user

7. Restart the nscd daemon.

    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
The user will only be able to execute built-in shell commands and scp(1), as in the following example.
    localhost$ ssh remotehost -l user
    user@remotehost's password: password
    Last Login: Thu Dec 12 21:51:44 2002 from someplace
    remotehost$ pwd
    /home/user
    remotehost$ cd /
    remotehost$ ls
    pfksh: ls: not found
    remotehost$ pwd
    /
    remotehost$ cat /etc/passwd
    pfksh: cat: not found
    remotehost$ exit
    localhost$ ssh remotehost -l user cat /etc/passwd
    Last Login: Thu Dec 12 21:51:44 2002 from someplace
    pfksh: cat: not found
    localhost$ scp index.html user@remotehost:index.html
    user@remotehost's password: password
    index.html 100% |*****************************| 526 00:00
    localhost$
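The restriction holds only if every file in the procedure agrees, and an uncommented PROFS_GRANTED line silently widens it. The following audit sketch is an added example, not code from the original text: it reads copies of the four files under a directory and lists the commands a profile shell would allow. The function names are hypothetical, the "Basic Solaris User" and "All" sample entries are constructed assumptions, and nested profiles are followed one level only.

```sh
#!/bin/sh
# Print the profiles= list for KEY (field 1) of an *_attr FILE, one per line.
attr_profiles() {  # usage: attr_profiles FILE KEY
    awk -F: -v k="$2" '$1 == k { n = split($5, kv, ";")
        for (i = 1; i <= n; i++) if (sub(/^profiles=/, "", kv[i])) print kv[i]
    }' "$1" | tr ',' '\n'
}

# Profiles in effect for USER: user_attr entries, any PROFS_GRANTED default that
# is not commented out, and profiles nested one level down in prof_attr.
rbac_profiles() {  # usage: rbac_profiles ROOT USER
    { attr_profiles "$1/user_attr" "$2"
      sed -n 's/^PROFS_GRANTED=//p' "$1/security/policy.conf" | tr ',' '\n'
    } | while IFS= read -r prof; do
        echo "$prof"
        attr_profiles "$1/security/prof_attr" "$prof"
    done | sort -u
}

# Commands (exec_attr id field) that a profile shell will run for USER.
rbac_cmds() {  # usage: rbac_cmds ROOT USER
    rbac_profiles "$1" "$2" | while IFS= read -r prof; do
        awk -F: -v p="$prof" '$1 == p && $3 == "cmd" { print $6 }' \
            "$1/security/exec_attr"
    done | sort -u
}

# Constructed sample tree mirroring the procedure; $2 is the policy.conf line.
# The "Basic Solaris User" and "All" entries are assumptions modelling a default.
make_sample() {  # usage: make_sample ROOT POLICY_LINE
    mkdir -p "$1/security"
    echo "$2" > "$1/security/policy.conf"
    echo 'user::::profiles=Restricted Secure Shell' > "$1/user_attr"
    printf '%s\n' 'Restricted Secure Shell:::scp access only:' \
        'Basic Solaris User:::Automatically assigned rights:profiles=All' \
        > "$1/security/prof_attr"
    printf '%s\n' 'Restricted Secure Shell:suser:cmd:::/usr/bin/scp:' \
        'All:suser:cmd:::*:' > "$1/security/exec_attr"
}

tmp=$(mktemp -d)
make_sample "$tmp/ok"  '#PROFS_GRANTED=Basic Solaris User'
make_sample "$tmp/bad" 'PROFS_GRANTED=Basic Solaris User'
for t in ok bad; do
    echo "$t: $(rbac_cmds "$tmp/$t" user | tr '\n' ' ')"
done
rm -rf "$tmp"
```

A `*` in the output means the account is not confined to scp; on a live system, point ROOT at a copy of /etc taken after step 7.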
For more information on RBAC, refer to the following documents:
Solaris 9 OE System Administration Guide, specifically the Security Services chapter
"Solaris Operating Environment Security: Updated for the Solaris 9 Operating Environment," December 2002, by Alex Noordergraaf and Keith Watson
su(1M)
roles(1)
policy.conf(4)
exec_attr(4)
prof_attr(4)
usermod(1M)
roledel(1M)
rolemod(1M)
roleadd(1M)
For information on sudo, refer to: http://www.courtesan.com/sudo/