This chapter covers tasks for distributing the capabilities of superuser by using discrete roles. The mechanisms that roles can use include rights profiles, authorizations, and privileges. The following is a list of the task maps in this chapter.Using RBAC (Task Map) Configuring RBAC (Task Map) Using Roles (Task Map) Managing RBAC (Task Map) rightrights profilesFor an overview of RBAC, see Role-Based Access Control (Overview). For reference information, see Chapter 10, Role-Based Access Control (Reference). To use privileges with RBAC or without RBAC, see Chapter 11, Privileges (Tasks). task mapsusing RBAC usingRBAC task map To use RBAC requires planning, configuring RBAC, and knowing how to assume a role. Once roles become familiar, you might further customize RBAC to handle new operations. The following task map points to these major tasks.Task Description For Instructions Plan and configure RBAC Configure RBAC at your site. Configuring RBAC (Task Map) Use roles Assume roles from the command line and in the Solaris Management Console GUI. Using Roles (Task Map) Customize RBAC Customize RBAC for your site. Managing RBAC (Task Map) task mapsconfiguring RBAC configuringRBAC task map To use RBAC effectively requires planning. Use the following task map to plan and initially implement RBAC at your site.Task Description For Instructions 1. Plan for RBAC Involves examining your site's security needs, and deciding how to use RBAC at your site. How to Plan Your RBAC Implementation 2. Learn to use the Solaris Management Console Involves becoming familiar with the Solaris Management Console. Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration 3. Configure the first user and role Uses the RBAC configuration tools in the Solaris Management Console to create a user and a role, and to assign the role to the user. Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration 4. (Optional) Create other users who can assume roles Ensures that users who can assume an administrative role exist. Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration 5. (Recommended) Create other roles and assign them to users Uses the RBAC tools to create roles for particular administrative areas, and to assign the roles to users. How to Create and Assign a Role by Using the GUI Example 9–5 Uses the command line to create roles, and to assign the roles to users How to Create a Role From the Command Line How to Assign a Role to a Local User 6. (Recommended) Audit role actions Preselect an audit class that includes the audit event that records role actions. How to Audit Roles 7. (Optional) Make root user a role Prevents anonymous root login, which is a security hole. How to Make root User Into a Role RBACconfiguring configuringRBAC RBAC can be configured with the following utilities:Solaris Management Console GUI – The preferred method for performing RBAC-related tasks is through the GUI. The console tools for managing the RBAC elements are contained in the Users Tool collection. Solaris Management Console commands – With the Solaris Management Console command-line interfaces, such as smrole, you can operate on any name service. The Solaris Management Console commands require authentication to connect to the server. As a result, these commands are not practical for use in scripts. Local commands – With the user* and role* set of command-line interfaces, such as useradd, you can operate on local files only. The commands that operate on local files must be run by superuser or by a role with the appropriate privileges. RBACplanning planningRBAC configuringRBAC administeringroles to replace superuser replacingsuperuser with roles RBAC can be an integral part of how an organization manages its information resources. Planning requires a thorough knowledge of the RBAC capabilities as well as the security requirements of your organization. Learn the basic RBAC concepts.Read Role-Based Access Control (Overview). Using RBAC to administer a system is very different from using conventional UNIX administrative practices. You should be familiar with the RBAC concepts before you start your implementation. For greater detail, see Chapter 10, Role-Based Access Control (Reference). Examine your security policy.Your organization's security policy should detail the potential threats to your system, measure the risk of each threat, and have a strategy to counter these threats. Isolating the security-relevant tasks through RBAC can be a part of the strategy. Although you can install the recommended roles and their configurations as is, you might need to customize your RBAC configuration to adhere to your security policy. Decide how much RBAC your organization needs.Depending on your security needs, you can use varying degrees of RBAC, as follows:No RBAC – You can perform all tasks as root user. In this configuration, you log in as yourself. Then, you type root as the user when you select a Solaris Management Console tool. Single Role Only – This method adds one role. The one role is assigned the Primary Administrator rights profile. This method is similar to the superuser model, in that the role has superuser capabilities. However, this method enables you to track the user who has assumed the role. Recommended Roles – This method creates three roles that are based on the following rights profiles: Primary Administrator, System Administrator, and Operator. The roles are suitable for organizations with administrators at different levels of responsibility. Custom Roles – You can create your own roles to meet the security requirements of your organization. The new roles can be based on existing or customized rights profiles. To customize rights profiles that enforce separation of duty, see Creating Roles and Users in Trusted Extensions in Solaris Trusted Extensions Administrator’s Procedures. Root User as a Role – This method prevents any user from logging in as root. Instead, users must log in as ordinary users prior to assuming the root role. For details, see How to Make root User Into a Role. Decide which recommended roles are appropriate for your organization.Review the capabilities of the recommended roles and default rights profiles. Default rights profiles enable administrators to configure a recommended role by using a single profile.Three default rights profiles are available for configuring the recommended roles:Primary Administrator rights profile – For configuring a role that can perform all administrative tasks, can grant rights to others, and can edit rights that are associated with administrative roles. A user in this role can assign this role to other users, and can grant rights to other users. System Administrator rights profile – For configuring a role that can perform most administrative tasks that are not related to security. For example, the System Administrator can add new user accounts, but cannot set passwords or grant rights to other users. Operator rights profile – For configuring a role that can perform simple administrative tasks, such as media backup and printer maintenance. To further examine rights profiles, read one of the following:In the /etc/security directory, read the contents of the prof_attr database and the exec_attr database. In the Solaris Management Console, use the Rights tool to display the contents of a rights profile. In this book, refer to Contents of Rights Profiles for summaries of some typical rights profiles. Decide if any additional roles or rights profiles are appropriate for your organization.Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for RBAC. You can customize roles and rights profiles to handle the security requirements of your organization.Determine which commands are needed for the new task. Decide which rights profile is appropriate for this task.Check if an existing rights profile can handle this task or if a separate rights profile needs to be created. Determine which role is appropriate for this rights profile.Decide if the rights profile for this task should be assigned to an existing role or if a new role should be created. If you use an existing role, check that the other rights profiles are appropriate for users who are assigned to this role. Decide which users should be assigned to the available roles.According to the principle of least privilege, you should assign users to roles that are appropriate to their level of trust. When you prevent users from access to tasks that the users do not need to perform, you reduce potential problems. rights profilescreating roles for rolescreatingfor particular profiles administeringroles RBACadding roles rolesadding for particular profiles configuringroles creatingrolesfor particular profiles addingrolesfor particular profiles To create a new role, you can be superuser, or you can use the Primary Administrator role. In this procedure, the creator of the new role has assumed the role of Primary Administrator. You have already created users who can assume a role at your site. If the users are not yet created, create them by following the instructions in How to Add a User With the Solaris Management Console’s Users Tool in System Administration Guide: Basic AdministrationUsing the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. You have been assigned the Primary Administrator role by following the procedures in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Start the Solaris Management Console.# /usr/sbin/smc &For login instructions, see How to Assume a Role in the Solaris Management Console. Click the Administrative Roles icon. Select Add Administrative Role from the Action menu. Create a new role by filling in the fields in the series of dialog boxes.For possible roles, see Example 9–1 to Example 9–4.All tools in the Solaris Management Console display information in the bottom section of the page or at the left side of a wizard panel. Choose Help at any time to find additional information about performing tasks in this interface. assigningrole to a userAssign the role to a user.After filling in the properties of the role, the last dialog box prompts you for a user for the role. daemonsnscd (name service cache daemon)nscd (name service cache daemon)starting with svcadm commandsvcadm commandrestarting name serviceIn a terminal window, restart the name service cache daemon.# svcadm restart system/name-service-cacheFor more information, see the svcadm1M and nscd1M man pages. System Administrator (RBAC)creating role addingSystem Administrator role creatingSystem Administrator role rolescreatingSystem Administrator role In this example, the new role can do system administration tasks that are not connected to security. The role is created by performing the preceding procedure with the following parameters:Role name: sysadmin Role full name: System Administrator Role description: Performs non-security admin tasks Rights profile: System AdministratorThis rights profile is at the top of the list of profiles that are included in the role. Operator (RBAC)creating role addingOperator role creatingOperator role rolescreatingOperator role The Operator rights profile can manage printers and back up the system to offline media. You might want to assign the role to one user on each shift. To do so, you would select the role mailing list option in the Step 1: Enter a Role Name dialog box. The role is created by performing the preceding procedure with the following parameters:Role name: operadm Role full name: Operator Role description: Backup operator Rights profile: OperatorThis rights profile must be at the top of the list of profiles that are included in the role. rolescreatingsecurity-related roles addingsecurity-related roles creatingsecurity-related roles By default, the only rights profile that contains security-related commands and rights is the Primary Administrator profile. If you want to create a role that is not as powerful as Primary Administrator, but can handle some security-related tasks, you must create the role.In the following example, the role protects devices. The role is created by performing the preceding procedure with the following parameters:rolescreatingDevice Security roleDevice Security (RBAC)creating roleRole name: devicesec Role full name: Device Security Role description: Configures Devices Rights profile: Device Security In the following example, the role secures systems and hosts on the network. The role is created by performing the preceding procedure with the following parameters:rolescreatingNetwork Security roleNetwork Security (RBAC)creating roleRole name: netsec Role full name: Network Security Role description: Handles IPsec, IKE, and SSH Rights profile: Network Security rolescreatingrole with limited scope addingroleswith limited scope creatingroleswith limited scope rolescreatingDHCP Management role DHCP Management (RBAC)creating role A number of rights profiles are of limited scope. In this example, the sole task of the role is to manage DHCP. The role is created by performing the preceding procedure with the following parameters:Role name: dhcpmgt Role full name: DHCP Management Role description: Manages Dynamic Host Config Protocol Rights profile: DHCP Management rolesmodifying assignment to a user addingrolesto a user modifyingrole assignment to a user assigningrole to a user In this example, a role is added to an existing user. The user's role assignment is modified by clicking the User Accounts icon in the Users tool in the Solaris Management Console, double-clicking the user, and following the online help to add a role to the user's capabilities. rolestroubleshootingtroubleshootingrole capabilitiesCheck the following if the role does not have the capabilities that it should:Are the role's rights profiles listed in the GUI from most to least powerful?For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list. Do the commands in the role's rights profiles have the appropriate security attributes?For example, when the policy is suser, some commands require uid=0 rather than euid=0. Is the rights profile defined in the appropriate name service scope? Is the role operating in the name service scope where the rights profile is defined? Has the name service cache, svc:/system/name-service-cache, been restarted?The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data. rolescreatingon command line addingrolesfrom command line creatingroleson command line configuringrolesfrom command line RBACadding roles from command line rolesadding from command line The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently. To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root. &rolePAstep;Choose one of the following commands to create a role on the command line.roleadd commandusingFor roles in the local name service scope, use the roleadd command.The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User. # roleadd -c comment \ -g group -m homedir -u UID -s shell \ -P profile rolenamec commentIs a comment that describes rolename. g groupIs the group assignment for rolename. m homedirIs the path to the home directory for rolename. u UIDIs the UID for rolename. s shellIs the login shell for rolename. This shell must be a profile shell. P profileIs one or more rights profiles for rolename. rolenameIs the name of the new local role. Use the smrole add command.This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ add -- -n rolename -a rolename -d directory\ -F full-description -p profileD domain-nameIs the name of the domain that you want to manage. r admin-roleIs the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization. lIs the prompt for the password of admin-role. --Is the required separator between authentication options and subcommand options. n rolenameIs the name of the new role. c commentIs the comment that describes the capabilities of the role. a usernameIs the name of the user who can assume rolename. d directoryIs the home directory for rolename. F full-descriptionIs the full description for rolename. This description is displayed in the Solaris Management Console GUI. p profileIs a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple p profile options. To put the changes into effect, see How to Assign a Role to a Local User. rolescreatingCustom Operator role smrole commandusing addingcustomized role creatingcustomized role Custom Operator (RBAC)creating role RBACadding custom roles addingcustom roles (RBAC) rolesadding custom roles configuringcustom roles a optionsmrole command The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Operator role. The role includes the standard Operator rights profile as well as the Media Restore rights profile. Note that the command prompts you for a password for the new role.% su - primaryadm Password: <Type primaryadm password> $ /usr/sadm/bin/smrole add -H myHost -- -c "Backup and Restore Operator" \ -n operadm2 -a janedoe -d /export/home/operadm \ -F "Backup/Restore Operator" -p "Operator" -p "Media Restore" Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password ::<Type operadm2 password> $ svcadm restart system/name-service-cacheThe smrole command with the list subcommand is used to display the new role:$ /usr/sadm/bin/smrole list -- Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. root 0 Superuser primaryadm 100 Most powerful role sysadmin 101 Performs non-security admin tasks operadm 102 Backup Operator operadm2 103 Backup/Restore Operator rolesassigning with usermod command usermod commandusing to assign role assigningrole to a user locally This procedure assigns a local role to a local user, restarts the name cache daemon, and then shows how the user can assume the role.To assign a role to a user in a distributed name service, see How to Create a Role From the Command Line and How to Change the Properties of a Role. You have added a local role, as described in How to Create a Role From the Command Line. You must have assumed the role of Primary Administrator or have switched to superuser. Assign the role to a local user.If you added a local role with the roleadd command, this step is required. This step is optional when you use the smrole command and the Solaris Management Console to create a role.# usermod -u UID -R rolenameu UIDIs the UID of the user. R rolenameIs the role that is being assigned to the user. To put the changes into effect, restart the name service cache daemon.# svcadm restart system/name-service-cacheIf you added a role with a Solaris Management Console interface, go to Using Roles (Task Map). Otherwise, continue with the next step. To unlock the role account, the user must create a password.If you added a local role with the roleadd command, this step is required.% su - rolename Password: <Type rolename password> Confirm Password: <Retype rolename password> $ rolescreatingCrypto Management role addingcryptomgt role addingsecurity-related role Crypto Management (RBAC)creating role cryptographic frameworkadministering with role In this example, a role is created to administer the Solaris Cryptographic Framework. The Crypto Management rights profile contains the cryptoadm command for administering hardware and software cryptographic services on a local system.# roleadd -c "Cryptographic Services manager" \ -g 14 -m /export/home/cryptoadm -u 104 -s pfksh \ -P "Crypto Management" cryptomgt # usermod -u 1111 -R cryptomgt # svcadm restart system/name-service-cache % su - cryptomgt Password: <Type cryptomgt password> Confirm Password: <Retype cryptomgt password> $ /usr/ucb/whoami cryptomgt $For information about the Solaris Cryptographic Framework, see Chapter 13, Solaris Cryptographic Framework (Overview). To administer the framework, see Administering the Cryptographic Framework (Task Map). rolesauditing auditingroles addingauditing of roles RBACauditing roles monitoringuse of privileged commands The actions that a role performs can be audited. Included in the audit record is the login name of the user who assumed the role, the role name, and the action that the role performed. The 6180:AUE_prof_cmd:profile command:ua,as audit event collects the information. By preselecting the as class or the ua class, you can audit role actions. Plan for auditing and edit the audit configuration files.For more information, see Solaris Auditing (Task Map). Include the ua class or the as class in the flags line of the audit_control file.# audit_control file dir:/var/audit flags:lo,as minfree:20 naflags:loThe ua class and the as class include other audit events. To see the audit events that are included in a class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30–25. Finish configuring the auditing service, then enable auditing.For more information, see Configuring and Enabling the Auditing Service (Tasks). rolesmaking root user into role rolescreatingroot role root userchanging to root role accessroot accesspreventing login (RBAC) configuringroot user as role creatingroot user as role changingroot user into role This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8. As a regular user, log in to the target system. Assume the Primary Administrator role, or become superuser.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. useradd commandadding local useraddinglocal usercreatinglocal userusersadding local useruserscreating local userCreate a local user who can assume the root role.For safety, at least one local user should be assigned the root role.$ useradd -c comment -u uid -d homedir usernamec commentIs the comment that describes the user. d homedirIs the home directory of the user. This directory should be on the local system. u uidIs the user identification number. usernameIs the name of the new local user. # useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local Give the user a password.# passwd -r files jdoe-local New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for jdoe-local # Make sure that you are not logged in as root.# who jdoe console May 24 13:51 (:0) jdoe pts/5 May 24 13:51 (:0.0) jdoe pts/4 May 24 13:51 (:0.0) jdoe pts/10 May 24 13:51 (:0.0) Change root user into a role.# usermod -K type=role root Verify that root is a role.The root entry in the user_attr file should appear similar to the following:# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=... Assign the root role to your local account.# usermod -R root jdoe-localIf you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode. Configure the name service to return in case of failure.Open a new terminal window and assume the root role.% whoami jdoe % su - jdoe-local Enter password: <Type jdoe-local password> % roles root % su - root Enter password: <Type root password> # Edit the nsswitch.conf file.configuringname serviceFor example, the following entries in the nsswitch.conf file would enable the name service to return.passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] Assign the root role to selected user accounts in the name service.For the procedure, see How to Change the RBAC Properties of a User. In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.First, the administrator verifies that root is not an assigned role.% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=secadmin kdoe-local::::type=normal;roles=sysadminStill in the root account, the administrator changes root into a role.# usermod -K type=role rootThen, the administrator verifies the change in the root entry in the user_attr file.# grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=... In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.First, the administrator assumes the root role to remove all root role assignments.% whoami jdoe-local % su - root Password: a!2@3#4$5%6^7 # grep roles /etc/user_attr jdoe-local::::type=normal;roles=root kdoe-local::::type=normal;roles=root # usermod -R "" jdoe-local # usermod -R "" kdoe-local # grep roles /etc/user_attr #Still in the root role, the administrator changes root into a user.# rolemod -K type=normal rootThen, the administrator verifies the change in the root entry in the user_attr file.# grep root /etc/user_attr root::::type=normal;auths=solaris.*,solaris.grant;profiles=... In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.No one can become superuser if you change the root user into a role and fail to make one of the following assignments:Assign the root role to a valid user. Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities. Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role. task mapsusing rolesusingroles task mapassuming rolehow touser proceduresassuming a roleuser proceduresusing an assigned roleThe following task map points to procedures for using your role after roles have been assigned.Task Description For Instructions Use the Solaris Management Console Authenticate yourself as a role to perform administrative tasks in the Solaris Management Console. How to Assume a Role in the Solaris Management Console Assume a role in a terminal window Perform command-line administrative tasks in a profile shell. How to Assume a Role in a Terminal Window usingrolesAfter you have set up roles with default Solaris rights profiles, and assigned the roles to users, the roles can be used. A role can be assumed on the command line. In the Solaris Management Console, a role can also be used for administering the system locally and over the network.rolesassuming in a terminal window assuming rolein a terminal window rolesassuming su commandin role assumption rolesusing an assigned role The role must already be assigned to you. The name service must be updated with that information. roles commandusingdisplayingroles you can assumelistingroles you can assumeroleslisting local rolesIn a terminal window, determine which roles you can assume.% roles Comma-separated list of role names is displayed Use the su command to assume a role.% su - rolename Password: <Type rolename password> $The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes (authorizations, privileges, and set ID bits). Verify that you are now in a role.$ /usr/ucb/whoami rolenameYou can now perform role tasks in this terminal window. View the capabilities of your role.For the procedure, see How to Determine the Privileged Commands That a Role Can Run. rolesassuming Primary Administrator role assuming rolePrimary Administrator Primary Administrator (RBAC)assuming role In the following example, the user assumes the role of Primary Administrator. In the default configuration, this role is equivalent to superuser. The role then checks to see which privileges are available to any command that is typed in the profile shell for the role.% roles sysadmin,oper,primaryadm % su - primaryadm Password: <Type primaryadm password> $ /usr/ucb/whoami Prompt has changed to role prompt primaryadm $ ppriv $$ 1200: pfksh flags = <none> E (Effective): all I (Inheritable): basic P (Permitted): all L (Limit): allFor information about privileges, see Privileges (Overview). rolesassuming root role assuming roleroot root role (RBAC)assuming role In the following example, the user assumes the root role. The role was created in How to Make root User Into a Role% roles root % su - root Password: <Type root password> # /usr/ucb/whoami Prompt has changed to role prompt root $ ppriv $$ 1200: pfksh flags = <none> E: all I: basic P: all L: allFor information about privileges, see Privileges (Overview). rolesassuming System Administrator role assuming roleSystem Administrator System Administrator (RBAC)assuming role In the following example, the user assumes the role of System Administrator. In contrast to the Primary Administrator role, the System Administrator has the basic set of privileges in its effective set.% roles sysadmin,oper,primaryadm % su - sysadmin Password: <Type sysadmin password> $ /usr/ucb/whoami Prompt has changed to role prompt sysadmin $ ppriv $$ 1200: pfksh flags = <none> E: basic I: basic P: basic L: allFor information about privileges, see Privileges (Overview). For a short description of the capabilities of the role, see System Administrator Rights Profile. rolesassuming in Solaris Management Console assuming rolein Solaris Management Console RBACusing privileged applications rolesassuming su commandin role assumption rolesusing an assigned role To change information in the Solaris Management Console GUI requires administrative capabilities. A role gives you administrative capabilities. If you want to view information, you must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization. An administrative role that can change the properties of users or roles must have already been assigned to you. For example, the Primary Administrator role can change the properties of users or roles. Start the Solaris Management Console.% /usr/sbin/smc &For detailed instructions, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. Select the toolbox for your task.Navigate to the toolbox that contains the tool or collection in the appropriate name service scope and click the icon. The scopes are files (local), NIS, NIS+, and LDAP. If the appropriate toolbox is not displayed in the navigation pane, choose Open Toolbox from the Console menu and load the relevant toolbox. Select the tool that you want to use.Navigate to the tool or collection and click the icon. The tools for managing the RBAC elements are in the Users tool, as shown in the following figure. Window titled Management Tools shows the Navigation pane on the left, the Tools pane on the right, and the Information pane with Context Help below. Type your user name and password in the Login: User Name dialog box. Authenticate yourself in the Login: Role dialog box.The Role option menu in the dialog box displays the roles that are assigned to you. Choose a role and type the role password. managingRBAC task map task mapsmanaging RBAC The following task map points to procedures for customizing role-based access control (RBAC) after RBAC has been initially implemented.Task Description For Instructions Change the role password An authorized user or role changes the password of another role. How to Change the Password of a Role Modify the properties of a role Modifies the capabilities (privileges, privileged commands, profiles, or authorizations) of a role. How to Change the Properties of a Role Create or change rights profiles Creates a rights profile. Or modifies the authorizations, privileged commands, or supplementary rights profiles in a rights profile. How to Create or Change a Rights Profile Change a user's administrative capabilities Adds a role, a rights profile, an authorization, or privileges to an ordinary user. How to Change the RBAC Properties of a User Secure legacy applications Turns on the set ID permissions for legacy applications. Scripts can contain commands with set IDs. Legacy applications can check for authorizations, if appropriate. How to Add RBAC Properties to Legacy Applications These procedures manage the elements that are used in RBAC. For user management procedures, refer to Chapter 5, Managing User Accounts and Groups (Tasks), in System Administration Guide: Basic Administration. The Solaris Management Console GUI is the preferred method for managing RBAC.Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. Both tools can administer RBAC, but you cannot use both tools concurrently. roleschanging password of passwordschanging role password changingpassword of role administeringrole password RBACchanging role passwords passwd commandchanging password of role You must have assumed a role that includes the User Security profile or have switched to superuser. You cannot be in the role whose password you want to change. A role cannot change its own password. Use one of the following methods to change a role's password.As superuser or in a role that includes the User Security rights profile, run the passwd command.$ passwd -r naming-service target-rolenamer naming-serviceApplies the password change to one of the following repositories files, nis, nisplus, or ldap. If a repository is not specified, the password is changed in files. target-rolenameIs the name of an existing role that you want to modify. For more command options, see the passwd1 man page. Change the password in the Solaris Management Console.To start the console, see How to Assume a Role in the Solaris Management Console. Log in to the console as superuser or in a role that includes the User Security rights profile.The login role cannot be the target role. Choose the appropriate scope.The Files scope modifies the role password on the local system. The LDAP scope modifies the role password in the LDAP naming service. Navigate to Administrative Roles and follow the instructions in the left-hand pane.For more extensive information, see the online help. As superuser or in a role that includes the User Security rights profile, run the smrole command with the modify subcommand.smrole commandchanging properties of roleThis command runs as a client of the Solaris Management Console server.$ /usr/sadm/bin/smrole -D domain-name -r admin-role -l <Type admin-role password> \ modify -- -n target-rolename -P passwordD domain-nameIs the name of the domain that you want to manage. r admin-roleIs the name of the administrative role that can modify the target role. The administrative role must have the solaris.admin.usermgr.pswd authorization. The administrative role and the target role cannot be the same role. lIs the prompt for the password of admin-role. --Is the required separator between authentication options and subcommand options. n target-rolenameIs the name of the target role. P passwordIs the new password for target-rolename. For the full list of command options, see the smrole1M man page. In this example, superuser changes the password of the local operadm role.# passwd -r files operadm New password: Type new password Re-enter new password: Retype new password In this example, the Primary Admin role changes the password of the operadm role in the LDAP directory service.$ passwd -r ldap operadm New password: Type new password Re-enter new password: Retype new password In this example, the administrator contacts the Solaris Management Console server to change the operadm password in the NIS domain. When the administrator does not provide the password before pressing the Return key, the New Password: prompt appears.$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n operadm -P Press the Return key New Password: a!2@3#4$5%6*7 $ roleschanging properties of rolesmodifying changingproperties of role administeringproperties of a role configuringroles modifyingroles (RBAC) obtainingprivileged commands RBACmodifying roles You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a role. Role properties include password, rights profiles, and authorizations.To change a role's password property, see How to Change the Password of a Role. Use one of the following methods to change the properties of a role.Use the Users tool in the Solaris Management Console.To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a role in Administrative Roles. For more extensive information, see the online help. Use the rolemod command.rolemod commandchanging properties of roleThis command modifies the attributes of a role that is defined in the local name service.$ rolemod -c comment -P profile-list rolenamec commentIs the new comment that describes the capabilities of the role. P profile-listIs the list of the profiles that are included in the role. This list replaces the current list of profiles. rolenameIs the name of an existing, local role that you want to modify. For more command options, see the rolemod1M man page. Use the smrole command with the modify subcommand.smrole commandchanging properties of roleThis command modifies the attributes of a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n rolename -r username -u usernameD domain-nameIs the name of the domain that you want to manage. r admin-roleIs the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization. lIs the prompt for the password of admin-role. --Is the required separator between authentication options and subcommand options. n rolenameIs the name of the new role. r usernameIs the name of the user who can no longer assume rolename. u usernameIs the name of the user who can now assume rolename. For more command options, see the smrole1M man page. In this example, the operadm role is modified to include the Media Restore rights profile.$ rolemod -c "Handles printers, backup, AND restore" \ -P "Printer Management,Media Backup,Media Restore,All" operadm In the following example, the operadm role is modified to add the Media Restore rights profile.$ /usr/sadm/bin/smrole -r primaryadm -l <Type primaryadm password> \ modify -- -n operadm -c "Handles printers, backup, AND restore" \ -p "Media Restore" In the following example, the clockmgr role is changed. The NIS user whose ID is 108 can no longer assume the role. The NIS user whose ID is 110 can assume the role clockmgr.$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n clockmgr -r 108 -u 110 changingrights profile contents rights profileschanging contents of rights profilesmethods of creating rights profilesmodifying addingnew rights profile creatingrights profiles administeringrights profiles administeringRBAC properties RBACediting rights profiles Rights tooldescription addingattributes to a rights profile configuringrights profiles A rights profile is a property of a role. You should create or change a rights profile when the prof_attr database does not contain a rights profile that fulfills your needs. To learn more about rights profiles, see RBAC Rights Profiles. To create or change a rights profile, you must have assumed the role of Primary Administrator or have switched to superuser. Use one of the following methods to create or change a rights profile.configuringrights profilesUse the Users tool in the Solaris Management Console.To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to create or change a rights profile in Rights. For more extensive information, see the online help. smprofile commandchanging rights profileUse the smprofile command.deletingrights profilesrights profilescreatingon command lineThis command enables you to add, modify, list, or delete a rights profile. The command works on files, and in a distributed name service, such as NIS, NIS+, or LDAP. The smprofile command runs as a client of the Solaris Management Console server.$ /usr/sadm/bin/smprofile -D domain-name \ -r admin-role -l <Type admin-role password> \ add | modify -- -n profile-name \ -d description -m help-file -p supplementary-profileD domain-nameIs the name of the domain that you want to manage. r admin-roleIs the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization. lIs the prompt for the password of admin-role. --Is the required separator between authentication options and subcommand options. n profile-nameIs the name of the new profile. d descriptionIs a short description of the profile. m help-fileIs the name of the HTML help file that you have created and placed in the /usr/lib/help/profiles/locale/C directory. p supplementary-profileIs the name of an existing rights profile that is included in this rights profile. You can specify multiple p supplementary-profile options. For more command options, see the smprofile1M man page. changingrights profile from command lineconfiguringrights profile from command linerights profileschanging from command lineIn the following example, the Network Management rights profile is made a supplementary profile of the Network Security rights profile. The role that contains the Network Security profile can now configure the network and hosts, as well has run security-relevant commands.$ /usr/sadm/bin/smprofile -D nisplus:/example.host/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n "Network Security" \ -d "Manage network and host configuration and security" \ -m RtNetConfSec.html -p "Network Management"The administrator created a new help file, RtNetConfSec.html, and placed it in the /usr/lib/help/profiles/locale/C directory, before running this command. In the following example, the security administrator of MyCompany customizes the Console User rights profile. Another goal is to retain the customized rights profile when the Solaris OS is updated to a later version.First, the administrator closes the Solaris Management Console.Then, the administrator opens the prof_attr file, copies the Console User rights profile to the next line, and renames the second entry. The administrator uses the existing help file, RtConsUser.html.# vi /etc/security/prof_attr Console User:::Manage System as the Console User:help=RtConsUser.html MyCompany Console User:::Manage System as the Console User:help=RtConsUser.htmlThe administrator assumes the secadmin role. The secadmin role can modify the security features of a system. The secadmin role opens the Solaris Management Console, clicks the System Configuration and the Users tool, types the role password, and double-clicks the Rights tool.The administrator double-clicks the MyCompany Console User rights profile. Under the Authorizations tab, the administrator adds two authorizations to the Authorizations Included list and saves the changes. When the system is patched or updated to a later version of the Solaris OS, the Console User rights profile is updated and the MyCompany Console User rights profile is not changed. RBACadding new rights profileaddingrights profiles with Solaris Management Consolerights profilescreatingin Solaris Management Consolecreatingrights profiles with Solaris Management ConsoleThe following table shows sample data for a hypothetical rights profile that is called “Build Administrator”. This rights profile includes the commands in the subdirectory /usr/local/swctrl/bin. These commands have an effective UID of 0. The Build Administrator rights profile would be useful for administrators who manage the builds and versioning for software development.Tab Field Example General Name Build Administrator Description For managing software builds and versioning. Help File Name BuildAdmin.html Commands Add Directory Click Add Directory, type /usr/local/swctrl/bin in the dialog box, and click OK. Commands Denied / Commands Permitted Move /usr/local/swctrl/bin to the Commands Permitted column. Set Security Attributes Select /usr/local/swctrl/bin, click Set Security Attributes, and set Effective UID = root. Authorizations Authorizations Excluded / Authorizations Included No authorizations. Supplementary Rights Rights Excluded / Rights Included No supplementary rights profiles. troubleshootingrights profilesrights profilestroubleshootingCheck the following if the rights profile does not provide the role with the capabilities that you expect:Are the rights profiles for the role listed in the GUI from most to least powerful?For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list. Is a command listed more than once in the role's rights profiles? If so, does the first instance of the command have all the security attributes that are required?For example, a command can require privileges for particular options to the command. For the options that require privileges to succeed, the first instance of the command in the highest rights profile in the list must have the assigned privileges. Do the commands in the role's rights profiles have the appropriate security attributes?For example, when the policy is suser, some commands require uid=0 rather than euid=0 to succeed. Has the name service cache, svc:/system/name-service-cache, been restarted?The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data. RBACmodifying users modifyingusers (RBAC) usersmodifying properties (RBAC) User Accounts tooldescription User properties include password, rights profiles, and authorizations. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes. You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a user. Use one of the following methods to change the RBAC properties of a user.Use the Users tool in the Solaris Management Console.To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a user in User Accounts. For more extensive information, see the online help.It is not good practice to assign authorizations, privileges, or rights profiles directly to users. The preferred approach is to assign a role to users. Users then assume a role to perform privileged operations. usermod commandchanging user's RBAC propertiesUse the usermod command.This command modifies the attributes of a user that is defined in the local name service.$ usermod -R rolename usernameR rolenameIs the name of an existing local role. usernameIs the name of an existing, local user that you want to modify. For more command options, see the usermod1M man page. smuser commandchanging user's RBAC propertiesUse the smuser command with the modify subcommand.This command modifies the attributes of a user in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.$ /usr/sadm/bin/smuser -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n username -a rolenameD domain-nameIs the name of the domain that you want to manage. r admin-roleIs the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization. lIs the prompt for the password of admin-role. --Is the required separator between authentication options and subcommand options. n usernameIs the name of the user who is being assigned rolename. a rolenameIs the name of the role that you are assigning to username. You can specify multiple a rolenameoptions. For more command options, see the smuser1M man page. In this example, the user jdoe can now assume the role of System Administrator.$ usermod -R sysadmin jdoe RBACchanging user propertiesfrom command line changinguser properties from command line userschanging properties from command line In this example, the user jdoe is assigned two roles, System Administrator and Operator. Because the user and the roles are defined locally, the D option is not necessary.$ /usr/sadm/bin/smuser -r primaryadm -l <Type primaryadm password> \ modify -- -n jdoe -a sysadmin -a operadmIn the following example, the user is defined in the NIS name service. Therefore, the D option is required. Two roles are defined in the name service. One role, root, is defined locally.$ /usr/sadm/bin/smuser -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n jdoe -a sysadmin -a operadm -a root addingRBAC properties to legacy applications addingsecurity attributes to legacy applications A legacy application is a command or set of commands. The security attributes are set for each command in a rights profile. The rights profile is then included in a role. A user who assumes the role can run the legacy application with the security attributes.To add legacy applications to the Solaris Management Console, see Adding Tools to the Solaris Management Console in System Administration Guide: Basic Administration. You must have assumed the role of Primary Administrator or have switched to superuser to change the security attributes of a command in a rights profile. Use the Users tool in the Solaris Management Console.To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a rights profile in Rights. For more extensive information, see the online help. Add security attributes to the commands that implement the legacy application.You add security attributes to a legacy application in the same way that you would for any command. You must add the command with security attributes to a rights profile. For a legacy command, give the command euid=0 or uid=0 security attributes. For details of the procedure, see How to Create or Change a Rights Profile. After adding the legacy application to a rights profile, include the rights profile in a role's list of profiles.To add a rights profile to a role, see How to Change the Properties of a Role. RBACsecuring scriptsscriptssecuringsecuringscriptsIf a command in a script needs to have the setuid bit or setgid bit set to succeed, the script executable and the command must have the security attributes added in a rights profile. Then, the rights profile is included in a role, and the role is assigned to a user. When the user assumes the role and executes the script, the command runs with the security attributes.To add security attributes to a command or shell script, see How to Create or Change a Rights Profile. RBACchecking scripts or programs for authorizationsscriptschecking for RBAC authorizationsprogramschecking for RBAC authorizationsTo have a script for authorizations, you need to add a test that is based on the auths command. For detailed information about this command, see the auths1 man page.For example, the following line tests if the user has the authorization that is supplied as the $1 argument:if [ `/usr/bin/auths|/usr/xpg4/bin/grep $1` ]; then echo Auth granted else echo Auth denied fi* (asterisk)checking for in RBAC authorizationsasterisk (*)checking for in RBAC authorizationsauthorizations (RBAC)checking for wildcardsTo be more complete, the test should include logic that checks for other authorizations that use wildcards. For example, to test if the user has the solaris.admin.usermgr.write authorization, you would need to check for the following strings:solaris.admin.usermgr.write solaris.admin.usermgr.* solaris.admin.* solaris.* If you are writing a program, use the function getauthattr to test for the authorization.