administeringusers This chapter provides the Solaris Trusted Extensions procedures for configuring and managing users, user accounts, and rights profiles.Customizing the User Environment for Security (Task Map) Managing Users and Rights With the Solaris Management Console (Task Map) Handling Other Tasks in the Solaris Management Console (Task Map) customizinguser accounts userscustomizing environment tasks and task mapsCustomizing User Environment for Security (Task Map) Customizing User Environment for Security (Task Map) The following task map describes common tasks that you can perform when customizing a system for all users, or when customizing an individual user's account.Task Description For Instructions Change label attributes. Modify label attributes, such as minimum label and default label view, for a user account. How to Modify Default User Label Attributes Change Trusted Extensions policy for all users of a system. Changes the policy.conf file. How to Modify policy.conf Defaults Turns on the screensaver after a set amount of time.Logs the user out after a set amount of time that the system is idle. Example 13–1 Removes unnecessary privileges from all ordinary users of a system. Example 13–2 Prevents labels from being visible on a single-label system. Example 13–3 Removes labels from printed output at a public kiosk. Example 13–4 Configure initialization files for users. Configures startup files, such as .cshrc, .copy_files, and .soffice for all users. How to Configure Startup Files for Users in Trusted Extensions Lengthen the timeout for file relabeling. Configures some applications to enable authorized users to relabel files. How to Lengthen the Timeout When Relabeling Information Log in to a failsafe session. Fixes faulty user initialization files. How to Log In to a Failsafe Session in Trusted Extensions usersmodifying security defaults security attributesmodifying user defaults You can modify the default user label attributes during the configuration of the first system. The changes must be copied to every Trusted Extensions host. You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions. Review the default user attribute settings in the /etc/security/tsol/label_encodings file.For the defaults, see label_encodings File Defaults. Modify the user attribute settings in the label_encodings file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. In Trusted CDE, you can also use the Edit Label Encodings action. For details, see How to Start CDE Administrative Actions in Trusted Extensions.The label_encodings file should be the same on all hosts. Distribute a copy of the file to every Trusted Extensions host. policy.conf filehow to edit usersmodifying security defaults for all users security attributesmodifying defaults for all users files/etc/security/policy.conf /etc/security/policy.conf file Changing the policy.conf defaults in Trusted Extensions is similar to changing any security-relevant system file in the Solaris OS. In Trusted Extensions, you use a trusted editor to modify system files. You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions. Review the default settings in the /etc/security/policy.conf file.For Trusted Extensions keywords, see Table 12–1. Modify the settings.Use the trusted editor to edit the system file. For details, see How to Edit Administrative Files in Trusted Extensions. logoutrequiring IDLECMD keywordchanging default changingIDLETIME keyword IDLETIME keywordchanging default policy.conf filechanging Trusted Extensions keywords In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the Security Administrator role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:IDLECMD=LOGOUTThe administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the Security Administrator role adds the IDLETIME keyword=value pair to the policy.conf file as follows:IDLETIME=10The system now logs out the user after the system is idle for 10 minutes. privilegesremoving proc_info from basic set proc_info privilegeremoving from basic set Sun Ray systemspreventing users from seeing others' processes processespreventing users from seeing others' processes userspreventing from seeing others' processes In this example, the security administrator of a Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the administrator removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/policy.conf file is modified as follows:PRIV_DEFAULT=basic,!proc_info In this example, the security administrator changes the default setting in a system's policy.conf file to hide labels. Any user on this system would not view labels, unless the user was specifically configured to be able to view labels. This setting is reasonable on a single-label system, or on a system that is available to the general public.# /etc/security/policy.conf … LABELVIEW=hideslTo configure a user to override this setting, see How to Hide Labels From a User. Security Administrator roleenabling unlabeled body pages from a public system printingauthorizations for unlabeled output from a public system solaris.print.unlabeled authorization solaris.print.nobanner authorization In this example, the security administrator enables a public kiosk computer to print without labels by typing the following in the computer's /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.AUTHS_GRANTED= solaris.print.unlabeledThen, the administrator decides to save paper by removing banner and trailer pages. She first ensures that the Always Print Banners checkbox in the Print Manager is not selected. She then modifies the policy.conf entry to read the following and reboots. Now, all print jobs are unlabeled, and have no banner or trailer pages.AUTHS_GRANTED= solaris.print.unlabeled,solaris.print.nobanner administeringstartup files for users filesstartup usersstartup files .copy_files filesetting up for users files.copy_files .link_files filesetting up for users files.link_files usersusing .link_files file usersusing .copy_files file configuringstartup files for users startup filesprocedures for customizing userssetting up skeleton directories Users can put a .copy_files file and .link_files file into their home directory at the label that corresponds to their minimum sensitivity label. Users can also modify the existing .copy_files and .link_files files at the users' minimum label. This procedure is for the administrator role to automate the setup for a site. You must be in the System Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions. Create two Trusted Extensions startup files.You are going to add .copy_files and .link_files to your list of startup files.# cd /etc/skel # touch .copy_files .link_files Customize the .copy_files file.Start the trusted editor.For details, see How to Edit Administrative Files in Trusted Extensions. Type the full pathname to the .copy_files file./etc/skel/.copy_files Type into .copy_files, one file per line, the files to be copied into the user's home directory at all labels.Use .copy_files and .link_files Files for ideas. For sample files, see Example 13–5. Customize the .link_files file.Type the full pathname to the .link_files file in the trusted editor./etc/skel/.link_files Type into .link_files, one file per line, the files to be linked into the user's home directory at all labels. Customize the other startup files for your users.For a discussion of what to include in startup files, see Customizing a User’s Work Environment in System Administration Guide: Basic Administration. For details, see How to Customize User Initialization Files in System Administration Guide: Basic Administration. For an example, see Example 13–5. Create a skelP subdirectory for users whose default shell is a profile shell.The P indicates the Profile shell. Copy the customized startup files into the appropriate skeleton directory. Use the appropriate skelX pathname when you create the user.The X indicates the letter that begins the shell's name, such as B for Bourne, K for Korn, C for a C shell, and P for Profile shell. .copy_files filesetting up for users In this example, the security administrator configures files for every user's home directory. The files are in place before any user logs in. The files are at the user's minimum label. At this site, the users' default shell is the C shell.The security administrator creates a .copy_files and a .link_files file in the trusted editor with the following contents:## .copy_files for regular users ## Copy these files to my home directory in every zone .mailrc .mozilla .soffice :wq## .link_files for regular users with C shells ## Link these files to my home directory in every zone .cshrc .login .Xdefaults .Xdefaults-hostname :wq## .link_files for regular users with Korn shells # Link these files to my home directory in every zone .ksh .profile .Xdefaults .Xdefaults-hostname :wqIn the shell initialization files, the administrator ensures that the users' print jobs go to a labeled printer.## .cshrc file setenv PRINTER conf-printer1 setenv LPDEST conf-printer1## .ksh file export PRINTER conf-printer1 export LPDEST conf-printer1dtterm terminalforcing the sourcing of .profileThe administrator modifies the .Xdefaults-home-directory-server file to force the dtterm command to source the .profile file for a new terminal.## Xdefaults-HDserver Dtterm*LoginShell: trueThe customized files are copied to the appropriate skeleton directory.$ cp .copy_files .link_files .cshrc .login .profile \ .mailrc .Xdefaults .Xdefaults-home-directory-server \ /etc/skelC $ cp .copy_files .link_files .ksh .profile \ .mailrc .Xdefaults .Xdefaults-home-directory-server \ /etc/skelK If you create a .copy_files files at your lowest label, then log in to a higher zone to run the updatehome command and the command fails with an access error, try the following:Verify that from the higher-level zone you can view the lower-level directory.higher-level zone# ls /zone/lower-level-zone/home/username ACCESS ERROR: there are no files under that directory If you cannot view the directory, then restart the automount service in the higher-level zone:higher-level zone# svcadm restart autofs Unless you are using NFS mounts for home directories, the automounter in the higher-level zone should be loopback mounting from /zone/lower-level-zone/export/home/username to /zone/lower-level-zone/home/username. administeringtimeout when relabeling information lengthening timeoutfor relabeling userslengthening timeout when relabeling Selection Managerchanging timeout StarOfficelengthening timeout when relabeling Firefoxlengthening timeout when relabeling Mozillalengthening timeout when relabeling Thunderbirdlengthening timeout when relabeling GNOME ToolKit (GTK) librarylengthening timeout when relabeling files.gtkrc-mine .gtkrc-mine file filesoffice-install-directory/VCL.xcu filesVCL.xcu VCL.xcu file office-install-directory/VCL.xcu In Trusted Extensions, the Selection Manager mediates transfers of information between labels. The Selection Manager appears for drag-and-drop operations, and for cut-and-paste operations. Some applications require that you set a suitable timeout so that the Selection Manager has time to intervene. A value of two minutes is sufficient.Do not change the default timeout value on an unlabeled system. The operations fail with the longer timeout value. You must be in the System Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions. For the StarOffice application, do the following:Navigate to the file office-install-directory/VCL.xcu.where office-install-directory is the StarOffice installation directory, for example:office-top-dir/share/registry/data/org/staroffice Change the SelectionTimeout property value to 120.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.The default value is three seconds. A value of 120 sets the timeout to two minutes. For users of applications that rely on the GNOME ToolKit (GTK) library, change the selection timeout property value to two minutes.As an alternative, you could have each user change the selection timeout property value. Most Sun Java Desktop System applications use the GTK library. Web browsers such as Mozilla, Firefox, and Thunderbird use the GTK library.By default, the selection timeout value is 300, or five seconds. A value of 7200 sets the timeout to two minutes.Create a GTK startup file.Name the file .gtkrc-mine. The .gtkrc-mine file belongs in the user's home directory at the minimum label. Add the selection timeout value to the file.## $HOME/.gtkrc-mine file *gtk-selection-timeout: 7200As in the Solaris OS, the gnome-settings-daemon reads this file on startup. Add the .gtkrc-mine file to the list in each user's .link_files file.For details, see How to Configure Startup Files for Users in Trusted Extensions. userslogging in to a failsafe session failsafe sessionlogging in desktopslogging in to a failsafe session sessionsfailsafe troubleshootingfailed login In Trusted Extensions, failsafe login is protected. If a regular user has customized shell initialization files and now cannot log in, you can use failsafe login to fix the user's files. You must know the root password. As in the Solaris OS, choose Options –> Failsafe Session on the login screen. At the prompt, have the user provide the user name and password. At the prompt for the root password, provide the password for root.You can now debug the user's initialization files. tasks and task mapsManaging Users and Rights With the Solaris Management Console Managing Users and Rights With the Solaris Management Console (Task Map) Security Administrator roleadministering network of users administeringnetwork of users Solaris Management Consoleadministering users In Trusted Extensions, you must use the Solaris Management Console to administer users, authorizations, rights, and roles. To manage users and their security attributes, assume the Security Administrator role.Task Description For Instructions Modify a user's label range. Modifies the labels at which a user can work. Modifications can restrict or extend the range that the label_encodings file permits. How to Modify a User's Label Range in the Solaris Management Console Create a rights profile for convenient authorizations. Several authorizations exist that might be useful for regular users. Creates a profile for users who qualify to have these authorizations. How to Create a Rights Profile for Convenient Authorizations Modify a user's default privilege set. Removes a privilege from the user's default privilege set. How to Restrict a User's Set of Privileges Prevent account locking for particular users. Users who can assume a role must have account locking turned off. How to Prevent Account Locking for Users Hide labels on a user's screen. On a single-label system, you might want a user to not view labels. How to Hide Labels From a User Enable a user to relabel data. Authorizes a user to downgrade information or upgrade information. How to Enable a User to Change the Security Level of Data Remove a user from the system. Completely removes a user and the user's processes.. How to Delete a User Account From a Trusted Extensions System Handle other tasks. Uses the Solaris Management Console to handle tasks that are not specific to Trusted Extensions. Handling Other Tasks in the Solaris Management Console (Task Map) You might want to extend a user's label range to give the user read access to an administrative application. For example, a user who can log in to the global zone could then run the Solaris Management Console. The user could view, but not not change the contents.Alternatively, you might want to restrict the user's label range. For example, a guest user might be limited to one label. You must be in the Security Administrator role in the global zone. Open a Trusted Extensions toolbox in the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to User Accounts.A password prompt might be displayed. Type the role password. Select the individual user from User Accounts. Click the Trusted Extensions Attributes tab. Dialog box shows the Trusted Extensions Attributes tab for a user. To extend the user's label range, choose a higher clearance.You can also lower the minimum label. To restrict the label range to one label, make the clearance equal to the minimum label. To save the changes, click OK. administeringconvenient authorizations for users rights profilesConvenient Authorizations authorizationsconvenient for users usersauthorizations for Security Administrator rolecreating Convenient Authorizations rights profile Security Administrator roleassigning authorizations to users Allocate Device authorization Downgrade DragNDrop or CutPaste Info authorization Downgrade File Label authorization DragNDrop or CutPaste without viewing contents authorization Print without Banner authorization Print Postscript authorization Print without Label authorization Remote Login authorization Shutdown authorization Upgrade DragNDrop or CutPaste Info authorization Upgrade File Label authorization labeled printingwithout banner page labeled printingremoving label labeled printingremoving PostScript restriction printingwithout labeled banners and trailers printingwithout page labels printingremoving PostScript restriction Where site security policy permits, you might want to create a rights profile that contains authorizations for users who can perform tasks that require authorization. To enable every user of a particular system to be authorized, see How to Modify policy.conf Defaults. You must be in the Security Administrator role in the global zone. Open a Trusted Extensions toolbox in the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to Rights.A password prompt might be displayed. Type the role password. To add a rights profile, click Action –> Add Right. Create a rights profile that contains one or more of the following authorizations.For the step-by-step procedure, see How to Create or Change a Rights Profile in System Administration Guide: Security Services.In the following figure, the Authorizations Included window shows the authorizations that might be convenient for users. Dialog box shows the authorizations that might be appropriate for users at your site. Allocate Device – Authorizes a user to allocate a peripheral device, such as a microphone.By default, Solaris users can read and write to a CD-ROM. However, in Trusted Extensions, only users who can allocate a device can access the CD-ROM drive. To allocate the drive for use requires authorization. Therefore, to read and write to a CD-ROM in Trusted Extensions, a user needs the Allocate Device authorization. Downgrade DragNDrop or CutPaste Info – Authorizes a user to select information from a higher-level file and place that information in a lower-level file. Downgrade File Label – Authorizes a user to lower the security level of a file DragNDrop or CutPaste without viewing contents – Authorizes a user to move information without viewing the information that is being moved. Print Postscript – Authorizes a user to print PostScript files. Print without Banner - Authorizes a user to print hard copy without a banner page. Print without Label – Authorizes a user to print hard copy that does not display labels. Remote Login – Authorizes a user to remotely log in. Shutdown the System – Authorizes a user to shut down the system and to shut down a zone. Upgrade DragNDrop or CutPaste Info – Authorizes a user to select information from a lower-level file and place that information in a higher-level file. Upgrade File Label – Authorizes a user to heighten the security level of a file. Assign the rights profile to a user or a role.For assistance, see the online help. For the step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services. In the following example, the Security Administrator allows a role to print jobs without labels on body pages.In the Solaris Management Console, the security administrator navigates to Administrative Roles. She views the rights profiles that are included in a particular role, then ensures that the print-related authorizations are contained in one of the role's rights profiles. privilegesrestricting users' usersremoving some privileges administeringuser privileges changinguser privileges Site security might require that users be permitted fewer privileges than users are assigned by default. For example, at a site that uses Trusted Extensions on Sun Ray systems, you might want to prevent users from viewing other users' processes on the Sun Ray server. You must be in the Security Administrator role in the global zone. Open a Trusted Extensions toolbox in the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to User Accounts.A password prompt might be displayed. Type the role password. Double–click the icon for the user. Remove one or more of the privileges in the basic set.Double-click the icon for the user. Click the Rights tab. Dialog box shows the contents of the Rights tab for a regular user. Click the Edit button to the right of the basic set in the right_extended_attr field. Remove proc_session or file_link_any.By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.Do not remove the proc_fork or the proc_exec privilege. Without these privileges, the user would not be able to use the system. Dialog box shows the basic privilege set for a regular user. To save the changes, click OK. userspreventing account locking account lockingpreventing administeringaccount locking Trusted Extensions extends the user security features in the Solaris Management Console to include account locking. Turn off account locking for users who can assume a role. You must be in the Security Administrator role in the global zone. Start the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to User Accounts.A password prompt might be displayed. Type the role password. Double–click the icon for the user. Click the Trusted Extensions Attributes tab. In the Account Usage section, choose No from the pull-down menu next to Lock account after maximum failed logins. To save the changes, click OK. administeringhiding labels from users hiding labels from users labelshiding from users Hiding labels is useful at a site where users can work at a single label only. An organization might not want regular users to see labels or to be aware of mandatory access controls. Ordinary users can then work whose desktop closely resembles the Java Desktop System, Release number or the CDE desktop on a Solaris system. You must be in the Security Administrator role in the global zone. Open a Trusted Extensions toolbox in the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to User Accounts.A password prompt might be displayed. Type the role password. Double–click the icon for the user. Click the Trusted Extensions Attributes tab. Choose Hide from the Label: selection list.This setting overrides the value of LABELVIEW in the system's policy.conf file. For details, see Default User Security Attributes in Trusted Extensions. To save the changes, click OK. filesauthorizing a user or role to change label of directoriesauthorizing a user or role to change label of authorizationsauthorizing a user or role to change label labelsauthorizing a user or role to change label of data changinglabels by authorized users changingsecurity level of data administeringchanging label of information relabeling information A regular user or a role can be authorized to change the security level, or labels, of files and directories. The user or role, in addition to having the authorization, must be configured to work at more than one label. And, the labeled zones must be configured to permit relabeling. For the procedure, see How to Enable Files to be Relabeled From a Labeled Zone.Changing the security level of data is a privileged operation. This task is for trustworthy users only. You must be in the Security Administrator role in the global zone. Follow the procedure How to Create a Rights Profile for Convenient Authorizations to create a rights profile.The following authorizations enable a user to relabel a file:Downgrade File Label Upgrade File Label The following authorizations enable a user to relabel information within a file:Downgrade DragNDrop or CutPaste Info DragNDrop or CutPaste Info Without Viewing Upgrade DragNDrop or CutPaste Info Use the Solaris Management Console to assign the profile to the appropriate users and roles.For assistance, use the online help. For a step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services. When a user is removed from the system, you must ensure that the user's home directory and any objects that the user owns are also deleted. As an alternative to deleting objects that are owned by the user, you might change the ownership of these objects to a valid user.You must also ensure that all batch jobs that are associated with the user are also deleted. No objects or processes belonging to a removed user can remain on the system. You must be in the System Administrator role. Archive the user's home directory at every label. Archive the user's mail files at every label. In the Solaris Management Console, delete the user account.Open a Trusted Extensions toolbox in the Solaris Management Console.Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to User Accounts.A password prompt might be displayed. Type the role password. Select the user account to be removed, and click the Delete button.You are prompted to delete the user's home directory and mail files. When you accept the prompt, the user's home directory and mail files are deleted in the global zone only. In every labeled zone, manually delete the user's directories and mail files.You are responsible for finding and deleting the user's temporary files at all labels, such as files in /tmp directories. tasks and task mapsHandling Other Tasks in the Solaris Management Console (Task Map) Handling Other Tasks in the Solaris Management Console (Task Map) Follow Solaris procedures to handle tasks in the Solaris Management Console. You must be superuser, or in a role in the global zone.Task For Instructions Perform administrative tasks by using the Solaris Management Console. Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration Create users. Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration Create roles. How to Create and Assign a Role by Using the GUI in System Administration Guide: Security Services Modify roles. How to Change the Properties of a Role in System Administration Guide: Security Services Create or modify a rights profile. How to Create or Change a Rights Profile in System Administration Guide: Security Services Change other security attributes of a user. How to Change the RBAC Properties of a User in System Administration Guide: Security Services Audit the actions of a role. How to Audit Roles in System Administration Guide: Security Services List the rights profiles by using smprofile list Dname-service-type:/server-name/domain-name Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services or the smprofile1M man page