Today I was playing around with RBAC (Role Based Access Control) on
Solaris 8. I looked at the doc.sun.com site for the RBAC documentation,
but following their every word I was still unable to set it up.
I am thinking they might have missed something... maybe someone knows a
better article/doc on RBAC implementation...
I am guessing that they forgot to mention to edit the /etc/password file
to add the role account?
Thanks in advance will summarize.
--Konstantin
_______________________________________________
sunmanagers mailing list
sunma...@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Hi,
I got only one response and that was from Sean Quaint. He was right on
target with setting up RBAC on Sol8.
Here is how you do it (mostly from Sean's response and a little of my
experience):
1. make a backup copy of the following files (to be safe):
/etc/user_attr
/etc/security/prof_attr
/etc/security/exec_attr
/etc/security/auth_attr
2. add to /etc/security/exec_attr (adds the executable permissions for the
profile); each line has seven colon-separated fields
(name:policy:type:res1:res2:id:attr):
profile_name:suser:cmd:::path_to_command:options
(
example to use snoop:
Netadmin:suser:cmd:::/usr/sbin/snoop:uid=0
)
3. add to /etc/security/prof_attr (adds the profile); each line has five
fields (name:res1:res2:description:attr):
profile_name:::comment(optional):
(
example: Netadmin:::Can do net stuff:
)
4. add a role account that can use the Netadmin profile
roleadd -m -P "Netadmin,All" netboy && passwd netboy
(netboy will be added to the /etc/passwd and /etc/shadow files with a
shell of pfsh (profile sh). This means netboy cannot be logged into
directly, only su'd into.)
5. Now use usermod to associate joe with netboy
usermod -R netboy joe (joe is a normal user on the system and cannot be
in use when you do this)
6. Now joe can su to netboy and run the snoop command.
Extra notes:
* nscd caches RBAC info, so if things aren't working like they should, try
stopping and starting nscd (/etc/init.d/nscd stop|start)
* unlike the Sun docs, you don't have to edit anything in the /etc/auth_attr
file for this particular setup.
* some decent (but somewhat incomplete) docs on RBAC:
http://docs.sun.com/ab2/coll.47.11/SYSADV2/@Ab2PageView/26238?DwebQuery=rbac&oqt=rbac&Ab2Lang=C&Ab2Enc=iso-8859-1
http://www.securityfocus.com - search for RBAC in Sun section
Hope that helps. Once again a BIG thanks goes out to Sean Quaint.
--Konstantin
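To sanity-check a setup like the one above before handing the role to a user, here is an added example (my own script, not from Konstantin, Sean or Sun): a POSIX shell script that runs a few consistency checks over the three RBAC attribute databases with awk. It builds constructed sample files mirroring the Netadmin/netboy/joe setup, including one exec_attr line with the extra-colon slip and one profile that prof_attr never defines; the file paths, sample contents and function names are assumptions for the example, and on a real Solaris host you would point the three variables at /etc/security/exec_attr, /etc/security/prof_attr and /etc/user_attr instead.

```shell
#!/bin/sh
# Consistency checks for Solaris RBAC databases (exec_attr, prof_attr, user_attr).
# Sample files below are CONSTRUCTED to mirror the post's setup; on a real host
# point the variables at /etc/security/{exec_attr,prof_attr} and /etc/user_attr.
TMP="${TMPDIR:-/tmp}/rbac_check.$$"; mkdir -p "$TMP"
EXEC_ATTR="$TMP/exec_attr"; PROF_ATTR="$TMP/prof_attr"; USER_ATTR="$TMP/user_attr"
# exec_attr: 2nd line has one colon too many (8 fields instead of 7), 3rd names
# a profile that prof_attr never defines; both should be caught below.
cat > "$EXEC_ATTR" <<'EOF'
Netadmin:suser:cmd:::/usr/sbin/snoop:uid=0
Netadmin:suser:cmd::::/usr/sbin/ifconfig:uid=0
Printadmin:suser:cmd:::/usr/sbin/lpadmin:uid=0
EOF
cat > "$PROF_ATTR" <<'EOF'
Netadmin:::Can do net stuff:
All:::Execute any command as the user or role:help=RtAll.html
EOF
cat > "$USER_ATTR" <<'EOF'
netboy::::type=role;profiles=Netadmin,All
joe::::type=normal;roles=netboy
EOF
# Non-comment lines whose field count differs from the expected one
# (exec_attr has 7 colon-separated fields, prof_attr and user_attr 5).
bad_field_count() {  # $1=file $2=expected field count
    awk -F: -v n="$2" '!/^#/ && NF && NF != n { c++ } END { print c + 0 }' "$1"
}
# Profiles that exec_attr grants commands to but prof_attr never defines.
undefined_profiles() {
    awk -F: 'FNR == NR { if (!/^#/ && NF) def[$1] = 1; next }
             !/^#/ && NF && !($1 in def) && !seen[$1]++ { print $1 }' "$PROF_ATTR" "$EXEC_ATTR"
}
# Commands a profile lets its holder run as uid 0: the privilege actually granted.
root_cmds() {  # $1=profile
    awk -F: -v p="$1" '$1 == p && $3 == "cmd" && (";" $7 ";") ~ /;uid=0;/ { print $6 }' "$EXEC_ATTR"
}
# Roles a user may assume (the roles= key in user_attr's attr field).
user_roles() {  # $1=user
    awk -F: -v u="$1" '$1 == u { n = split($5, kv, ";")
        for (i = 1; i <= n; i++) if (sub(/^roles=/, "", kv[i])) print kv[i] }' "$USER_ATTR"
}
# Roles listed for a user that user_attr does not declare as type=role.
roles_not_roles() {  # $1=user
    for r in $(user_roles "$1" | tr ',' ' '); do
        awk -F: -v r="$r" '$1 == r && (";" $5 ";") ~ /;type=role;/ { ok = 1 } END { exit !ok }' "$USER_ATTR" || echo "$r"
    done
}
```

Run each function against the real files after editing them and before the usermod -R step; an empty result from undefined_profiles and roles_not_roles and a zero from bad_field_count is what you want to see.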
ORIGINAL QUESTION:
---------------------------
Konstantin Rozinov wrote:
> Hey folks,
>
> Today I was playing around with RBAC (Role Based Access Control) on
> Solaris 8. I looked at the doc.sun.com site for the RBAC documentation,
> but following their every word I was still unable to set it up.
>
> I am thinking they might have missed something... maybe someone knows a
> better article/doc on RBAC implementation...
>
> I am guessing that they forgot to mention to edit the /etc/password file
> to add the role account?
>
> Thanks in advance will summarize.
>
> --Konstantin