Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
Viewing and Using RBAC Defaults (Tasks)

Users are assigned rights by default. Rights for all users of a system are assigned in the /etc/security/policy.conf file.

Viewing and Using RBAC Defaults (Task Map)

At Oracle Solaris installation, your system is configured with user rights and process rights. With no further configuration, use the following task map to view and use RBAC.

Task: View the contents of the security attributes databases.
Description: List all the authorizations, rights profiles, and commands with security attributes on the system.
For Instructions: How to View All Defined Security Attributes

Task: View your rights.
Description: Involves listing your rights profiles, authorizations, privileges, and assigned roles.
For Instructions: How to View Your Assigned Rights

Task: Assume the root role.
Description: The initial user gains administrative rights.
For Instructions: How to Assume a Role

Task: Modify the rights of a user.
Description: Adds security attributes to a regular user or removes them.
For Instructions: How to Change the Security Attributes of a User

Task: Become an administrator.
Description: Several methods are available to users who are assigned administrative rights to use those rights.
For Instructions: How to Use Your Assigned Administrative Rights

How to View All Defined Security Attributes

Use the following commands to list all authorizations, rights profiles, and commands with security attributes on the system. To list all defined privileges, see How to List the Privileges on the System.

  1. List all authorizations.
    • List the names of all authorizations in the naming service.
      % auths info
          solaris.account.activate
          solaris.account.setpolicy
          solaris.admin.edit
      ...
          solaris.zone.login
          solaris.zone.manage
    • List authorization names per rights profile.
      % getent auth_attr | more
      solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
      solaris.account.:::Account Management::help=AccountHeader.html
      ...
      solaris.zone.login:::Zone Login::help=ZoneLogin.html
      solaris.zone.manage:::Zone Deployment::help=ZoneManage.html
  2. List all rights profiles.
    • List the names of all rights profiles in the naming service.
      % profiles -a
              Console User
              CUPS Administration
              Desktop Removable Media User
      ...
              VSCAN Management
              WUSB Management
    • List the full definitions of all rights profiles.
      % getent prof_attr | more
      All:::Execute any command as the user or role:help=RtAll.html
      Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;
      help=RtAuditCfg.html
      ...
      Zone Management:::Zones Virtual Application Environment Administration:
      help=RtZoneMngmnt.html
      Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,
      solaris.auth.delegate;help=RtZoneSecurity.html ...
  3. List all commands with security attributes.
    % getent exec_attr | more
    All:solaris:cmd:::*:
    Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
    ...
    Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
    Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0 ...
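The exec_attr lines above follow the format profile:policy:type:res1:res2:id:attr. The following added example (not part of the Oracle documentation) parses lines in that format with awk and answers two review questions a security administrator asks of the output of getent exec_attr: which commands in a profile carry security attributes, and which entries run with uid=0 or match any command ("*"). The sample lines are constructed from the entries shown on this page.

```shell
# Constructed sample in the exec_attr format shown above:
# profile:policy:type:res1:res2:id:attr (not a real system's file)
EXEC_ATTR_SAMPLE='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0'

# profile_cmds PROFILE: commands of PROFILE with their security attributes.
# Reads exec_attr lines on stdin, e.g. "getent exec_attr | profile_cmds 'Zone Security'"
profile_cmds() {
    awk -F: -v prof="$1" '
        $1 == prof && $3 == "cmd" { print $6, ($7 == "" ? "(no attributes)" : $7) }'
}

# uid0_cmds: every command that runs with uid=0 or euid=0, prefixed by its profile.
# Attribute pairs in the attr field are separated by ";". These entries grant the
# full root identity, so they deserve the closest review.
uid0_cmds() {
    awk -F: '$3 == "cmd" {
        n = split($7, kv, /;/)
        for (i = 1; i <= n; i++)
            if (kv[i] == "uid=0" || kv[i] == "euid=0") { print $1 ": " $6; break }
    }'
}

# wildcard_profiles: profiles whose command entry is "*", i.e. any command matches
# (the All profile on this page is the usual example)
wildcard_profiles() {
    awk -F: '$3 == "cmd" && $6 == "*" { print $1 }'
}

# Demonstration on the constructed sample
printf '%s\n' "$EXEC_ATTR_SAMPLE" | profile_cmds 'Zone Security'
printf '%s\n' "$EXEC_ATTR_SAMPLE" | uid0_cmds
printf '%s\n' "$EXEC_ATTR_SAMPLE" | wildcard_profiles
```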

How to View Your Assigned Rights

Use the following commands to view your RBAC assignments. To view all rights that can be assigned, see How to View All Defined Security Attributes.

  1. List your rights profiles.
    % profiles
    Basic Solaris User
    All

    The preceding rights profiles are assigned to all users by default. If you are the initial user, you have a longer list.

    % profiles Initial user
    System Administrator
    Audit Review
    ...
    CPU Power Management
    Basic Solaris User
    All
  2. List your authorizations.
    % auths
    solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
    solaris.network.autoconf.read,solaris.admin.wusb.read
    solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd

    These authorizations are included in the rights profiles that are assigned to all users by default.

  3. List your assigned roles.
    % roles
    root

    This role is assigned to the initial user by default. No roles indicates that you are not assigned a role.

  4. List the privileges in your default shell.
    % ppriv $$
    1234:    /bin/csh
    flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

    Every user is assigned the basic privilege set by default. The default limit set is all privileges.

    % ppriv -vl basic
    file_link_any
            Allows a process to create hardlinks to files owned by a uid
            different from the process' effective uid.
    file_read
            Allows a process to read objects in the filesystem.
    file_write
            Allows a process to modify objects in the filesystem.
    net_access
            Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
    proc_exec
            Allows a process to call execve().
    proc_fork
            Allows a process to call fork1()/forkall()/vfork()
    proc_info
            Allows a process to examine the status of processes other
            than those it can send signals to.  Processes which cannot
            be examined cannot be seen in /proc and appear not to exist.
    proc_session
            Allows a process to send signals or trace processes outside its session.
  5. List the privileges on commands in your rights profiles.
    % profiles -l
      Basic Solaris User
    ...
       /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
         proc_lock_memory,proc_priocntl,net_privaddr
       /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
       /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
         proc_priocntl,net_privaddr
      All
       * 

    A user's rights profiles can include commands that run with particular privileges. The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.

Example 9-1 Listing a User's Authorizations

% auths username
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq

Example 9-2 Listing a User or Role's Rights Profiles

The following command lists the rights profiles of a specific user.

% profiles jdoe
jdoe: 
          Basic Solaris User
          All

The following command lists the rights profiles of the cryptomgt role.

% profiles cryptomgt
cryptomgt:
          Crypto Management
          Basic Solaris User
          All

The following command lists the rights profiles of the root role:

% profiles root
root:
          All
          Console User
          Network Wifi Info
          Desktop Removable Media User
          Suspend To RAM
          Suspend To Disk
          Brightness
          CPU Power Management
          Network Autoconf User
          Basic Solaris User

Example 9-3 Listing a User's Assigned Roles

The following command lists the assigned roles of a specific user.

% roles jdoe
root

Example 9-4 Listing a User's Privileges on Specific Commands

The following command lists the privileged commands in a regular user's rights profiles.

% profiles -l jdoe
jdoe: 
  Basic Solaris User
...
   /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
     proc_priocntl,net_privaddr
   /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
     proc_lock_memory,proc_priocntl,net_privaddr
   /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
...

How to Assume a Role

Before You Begin

The role must already be assigned to you. By default, only the root role exists.

  1. In a terminal window, determine which roles you can assume.
    % roles
    Comma-separated list of role names is displayed
  2. Use the su command to assume a role.
    % su - rolename
    Password: <Type rolename password>
    $

    The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes, such as authorizations, privileges, and set ID bits.

  3. (Optional) Verify that you are now in a role.
    $ /usr/bin/whoami
    rolename

    You can now perform role tasks in this terminal window.

  4. (Optional) View the capabilities of your role.

    For sample output, see How to View Your Assigned Rights.

    $ profiles -l
    verbose rights profiles output
    $ auths
    authorizations output

Example 9-5 Assuming the root Role

In the following example, the initial user assumes the root role and lists the privileges in the role's shell.

% roles
root
% su - root
Password: <Type root password>
# Prompt changes to root prompt
# ppriv $$
1200:   pfksh
flags = <none>
        E: all
        I: basic
        P: all
        L: all

For information about privileges, see Privileges (Overview).

How to Change the Security Attributes of a User

User properties include login shell, rights profiles, and roles. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.

Before You Begin

In the default configuration, you must assume the root role to modify a user's security attributes.

After configuring RBAC for your site, you have other options. To change most security attributes of a user, including the password, you must become an administrator who is assigned the User Security rights profile. To assign audit flags or change a role's password, you must assume the root role. To change other user attributes, you must become an administrator who is assigned the User Management rights profile. For more information, see How to Use Your Assigned Administrative Rights.

Example 9-6 Creating a User Who Can Manage DHCP

In this example, the security administrator creates a user in LDAP. At login, the jdoe-dhcp user is able to manage DHCP.

# useradd -P "DHCP Management" -s /usr/bin/pfbash -S ldap  jdoe-dhcp

Because the user is assigned pfbash as the login shell, the security attributes in the DHCP Management rights profile are available to the user in the user's default shell.

Example 9-7 Assigning Authorizations Directly to a User

In this example, the security administrator creates a local user who can control screen brightness.

# useradd -c "Screened JDoe, local" -s /usr/bin/pfbash \
-A solaris.system.power.brightness  jdoe-scr

This authorization is added to the user's existing authorization assignments.

Example 9-8 Removing Privileges From a User's Limit Set

In the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. That is, the user cannot make hard links to directories, nor can the user unlink directories, even after the user runs the su command.

$ usermod -K 'limitpriv=all,!sys_linkdir' jdoe
$ userattr limitpriv jdoe
all,!sys_linkdir

Example 9-9 Assigning Privileges Directly to a User

In this example, the security administrator trusts the user jdoe with a very specific privilege that affects system time.

$ usermod -K defaultpriv='basic,proc_clock_highres' jdoe

The values for the defaultpriv keyword replace the existing values. Therefore, for the user to retain the basic privileges, the value basic is specified. In the default configuration, all users have basic privileges. For the list of basic privileges, see Step 4 of How to View Your Assigned Rights.
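Examples 9-8 and 9-9 both use the privilege specification syntax of the defaultpriv and limitpriv keywords: all, basic, named privileges, and a leading "!" to remove one. The following added example (not from the Oracle documentation) is a simplified shell model of how such a specification resolves to a set, so that the replacement behaviour described above can be checked before a usermod is run; the basic set is the one listed on this page, and the other privilege names form a constructed subset of a real system's much longer list.

```shell
# Basic set as listed on this page by "ppriv -vl basic"; the remaining names are a
# constructed subset of a real system's privilege list (a real "all" is much longer).
BASIC_PRIVS='file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session'
ALL_PRIVS="$BASIC_PRIVS file_dac_read proc_clock_highres sys_audit sys_devices sys_linkdir"

# resolve_privs SPEC: expand a specification such as "basic,proc_clock_highres" or
# "all,!sys_linkdir" into one privilege per line. Tokens apply left to right; "!"
# removes. Simplified model of priv_str_to_set(3C); returns 1 on an unknown name.
resolve_privs() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v all="$ALL_PRIVS" -v basic="$BASIC_PRIVS" '
        BEGIN {
            na = split(all, A, " "); nb = split(basic, B, " ")
            for (i = 1; i <= na; i++) KNOWN[A[i]] = 1
        }
        {
            tok = $0; on = 1
            if (substr(tok, 1, 1) == "!") { on = 0; tok = substr(tok, 2) }
            if (tok == "all")        { for (i = 1; i <= na; i++) S[A[i]] = on }
            else if (tok == "basic") { for (i = 1; i <= nb; i++) S[B[i]] = on }
            else if (tok in KNOWN)   { S[tok] = on }
            else { print "unknown privilege: " tok > "/dev/stderr"; bad = 1; exit }
        }
        END { if (bad) exit 1; for (i = 1; i <= na; i++) if (S[A[i]]) print A[i] }'
}

# defaultpriv= replaces the existing values, so naming only the new privilege
# silently drops the basic set; the first form is the one Example 9-9 uses.
echo "== defaultpriv=basic,proc_clock_highres"; resolve_privs 'basic,proc_clock_highres'
echo "== defaultpriv=proc_clock_highres (basic set lost)"; resolve_privs 'proc_clock_highres'
echo "== limitpriv=all,!sys_linkdir (Example 9-8)"; resolve_privs 'all,!sys_linkdir'
```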

How to Use Your Assigned Administrative Rights

In the root role, the initial user has all administrative rights.

Step 1 shows how to administer the system if you are assigned administrative rights. Step 2 shows how non-root accounts can edit a system file.

Before You Begin

You have been assigned rights that regular users are not assigned. If you are not root, you must be assigned a role, an administrative rights profile, or specific privileges or authorizations.

  1. Choose one of the following methods to run administrative commands.

    Open a terminal window.

    • Become root.
      % su -
      Password: Type the root password
      #

      Note - This method works whether root is a user or a role. The pound sign (#) prompt indicates that you are now root.


    • Assume a role that you have been assigned.

      In the following example, you assume an audit configuration role. This role includes the Audit Configuration rights profile.

      % su - audadmin
      Password: Type the audadmin password
      $

      The shell in which you typed this command is now in a profile shell. In this shell, you can run the auditconfig command. For more about profile shells, see Profile Shells and RBAC.


      Tip - Use the steps in How to View Your Assigned Rights to view the capabilities of your role.


    • As a user, use the pfbash command to create a shell that runs with administrative rights.

      For example, the following set of commands enables you to view audit preselection values and audit policy in the pfbash shell:

      % pfbash
      $ auditconfig -getflags
      active user default audit flags = ua,ap,lo(0x45000,0x45000)
      configured user default audit flags = ua,ap,lo(0x45000,0x45000)
      $ auditconfig -getpolicy
      configured audit policies = cnt
      active audit policies = cnt
    • As a user, use the pfexec command to create a process that runs with administrative rights.

      Run the pfexec command with the name of a privileged command from your rights profile. For example, the following command enables you to view the user's preselected audit flags:

      % pfexec auditconfig -getflags
      active user default audit flags = ua,ap,lo(0x45000,0x45000)
      configured user default audit flags = ua,ap,lo(0x45000,0x45000)

      The same privilege limitations apply to pfexec as to pfbash. However, to run another privileged command, you must type pfexec again before you type the privileged command.

      % pfexec auditconfig -getpolicy
      configured audit policies = cnt
      active audit policies = cnt
    • As a user, use the sudo command to create a process that runs with administrative rights.

      Run the sudo command with the name of an administrative command that you are assigned in the sudoers file. For more information, see the sudo(1M) and sudoers(4) man pages.

  2. To edit a system file, use the pfedit command.

    If you are not root with the UID of 0, by default you cannot edit system files. However, if you are assigned the solaris.admin.edit/path-to-system-file authorization, you can edit that system file. For example, if you are assigned the solaris.admin.edit/etc/security/audit_warn authorization, you can edit the audit_warn file.

    $ pfedit /etc/security/audit_warn

    The command uses the value of $EDITOR to determine the text editor. For more information, see the pfedit(1M) man page. The pfedit command is useful even for the root role, because, if auditing is configured to audit AUE_PFEXEC events, the edit is recorded in the audit trail.

Example 9-10 Caching Authentication for Ease of Role Use

In this example, the administrator configures a role to manage audit configuration, but provides ease of use by caching the user's authentication. First, the administrator creates and assigns the role.

# roleadd -K roleauth=user -P "Audit Configuration" audadmin
# usermod -R +audadmin jdoe

When jdoe uses the -c option when switching to the role, a password is required before the auditconfig output is displayed:

% su - audadmin -c auditconfig option
Password:
auditconfig output

If authentication is not being cached, and jdoe runs the command again immediately, a password prompt appears.

The administrator creates a file in the pam.d directory to hold an su stack that enables the caching of authentication, so that a password is initially required, but not thereafter until a certain amount of time has passed.

# pfedit /etc/pam.d/su
## Cache authentication for switched user
#
auth required           pam_unix_cred.so.1
auth sufficient         pam_tty_tickets.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1

After creating the file, the administrator checks the entries for typos, omissions, or repetitions.

The administrator must provide the entire preceding su stack. The pam_tty_tickets.so.1 module implements the cache. For more about PAM, see the pam.conf(4) man page and Chapter 14, Using Pluggable Authentication Modules.
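The check for typos, omissions, and repetitions can be scripted. The following added example (not from the Oracle documentation) reads a pam.d-style su file on standard input, ignores comments and blank lines, and requires the auth entries to match the five-line stack above in order, naming any missing, repeated, or unexpected line; the sample file is a constructed copy of the stack with one module name misspelled to show the diagnostic.

```shell
# The su stack from this page; each entry is compared as "auth <control> <module>"
EXPECTED_SU_STACK='auth required pam_unix_cred.so.1
auth sufficient pam_tty_tickets.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_auth.so.1'

# check_su_stack: read a pam.d-style su file on stdin, drop comments and blank
# lines, normalise whitespace, and require the auth lines to equal the expected
# stack in order. Reports omissions, repetitions and unexpected lines; returns 1
# on any difference. On Solaris: check_su_stack < /etc/pam.d/su
check_su_stack() {
    actual=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | awk '$1 == "auth" { print $1, $2, $3 }')
    if [ "$actual" = "$EXPECTED_SU_STACK" ]; then
        echo "su stack OK: authentication caching via pam_tty_tickets is in place"
        return 0
    fi
    printf '%s\n' "$EXPECTED_SU_STACK" | while read -r line; do
        n=$(printf '%s\n' "$actual" | grep -c -x -F -- "$line" || true)
        if [ "$n" -eq 0 ]; then echo "missing:  $line"; fi
        if [ "$n" -gt 1 ]; then echo "repeated: $line"; fi
    done
    printf '%s\n' "$actual" | while read -r line; do
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$EXPECTED_SU_STACK" | grep -q -x -F -- "$line"; then
            echo "unexpected: $line"
        fi
    done
    echo "su stack does not match the expected entries (check order and spelling)"
    return 1
}

# Constructed copy of the file on this page with one module name misspelled
# (pam_tty_ticket instead of pam_tty_tickets) to show the diagnostic
SAMPLE_SU_FILE='## Cache authentication for switched user
#
auth required           pam_unix_cred.so.1
auth sufficient         pam_tty_ticket.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1'
printf '%s\n' "$SAMPLE_SU_FILE" | check_su_stack || echo "exit status: $?"
```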

After the administrator adds the su PAM file and reboots the system, all roles including the audadmin role are prompted only once for a password when running a series of commands.

% su - audadmin -c auditconfig option
Password:
auditconfig output
% su - audadmin -c auditconfig option
auditconfig output
...