
Solaris 10 - RBAC Hands-On Guide

The document describes how to set up role-based access control (RBAC) on a Solaris system. It includes: 1) Defining RBAC profiles and their permissions 2) Configuring commands that roles can execute 3) Adding a new "User Administration" role and giving it the necessary permissions 4) Creating a new user account and assigning it to the new role

Uploaded by

Nugi Nugraha

1. RBAC Profile
/etc/security/prof_attr
User Management:::Manage users, groups, home directory:auths=solaris.profmgr.read,solaris.admin.usermgr.write,solaris.admin.usermgr.read,solaris.admin.usermgr.manage;help=RtUserMngmnt.html
User Security:::Manage passwords, clearances:auths=solaris.role.*,solaris.profmgr.*,solaris.label.range,solaris.admin.usermgr.*;help=RtUserSecurity.html
2. RBAC Command
/etc/security/exec_attr
User Management:solaris:cmd:::/usr/sbin/groupadd:uid=0
User Management:solaris:cmd:::/usr/sbin/groupdel:uid=0
User Management:solaris:cmd:::/usr/sbin/groupmod:uid=0
User Management:solaris:cmd:::/usr/sbin/roleadd:euid=0
User Management:solaris:cmd:::/usr/sbin/roledel:euid=0
User Management:solaris:cmd:::/usr/sbin/rolemod:euid=0
User Management:solaris:cmd:::/usr/sbin/useradd:euid=0
User Management:solaris:cmd:::/usr/sbin/userdel:euid=0
User Management:solaris:cmd:::/usr/sbin/usermod:euid=0
User Management:suser:cmd:::/usr/sbin/grpck:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
User Security:solaris:act:::SDTscgui;*;*;*;0:uid=0
User Security:solaris:cmd:::/usr/sbin/passmgmt:uid=0
User Security:suser:cmd:::/usr/bin/passwd:uid=0
User Security:suser:cmd:::/usr/sbin/pwck:euid=0
User Security:suser:cmd:::/usr/sbin/pwconv:euid=0
3. Add a role
Adding a role is nice and easy:
# roleadd -c "User Administration Role" -m -d /export/home/r_uadm r_uadm
We also need to give the role a password:
# passwd r_uadm
4. Add a profile to the role
# rolemod -P "User Management","User Security" r_uadm
# grep r_uadm /etc/user_attr
r_uadm::::type=role;profiles=User Management,User Security
5. Add a user account for IDM admin
# useradd -c "IDM Administrator" -d /export/home/idmadmin -m idmadmin
# passwd idmadmin
Finally we'll add the role to our user account:
# usermod -R r_uadm idmadmin
And just look in /etc/user_attr to make sure the changes have been made:
# grep r_uadm /etc/user_attr
r_uadm::::type=role;profiles=User Management,User Security
idmadmin::::type=normal;roles=r_uadm
Result:
-bash-3.00$ roles
r_uadm
-bash-3.00$ /usr/sbin/useradd -d /export/home/test -m test
UX: /usr/sbin/useradd: ERROR: Permission denied.
-bash-3.00$ profiles
Basic Solaris User
All
-bash-3.00$ su r_uadm
Password:
$ profiles
User Management
User Security
Basic Solaris User
All
$ /usr/sbin/useradd -d /export/home/test -m test
cpio: Cannot open file "/export/home/test/.profile", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.cshrc", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.login", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.profile", errno 13, Permission denied
0 blocks
4 error(s)
UX: /usr/sbin/useradd: ERROR: Unable to copy skeleton directory into home directory: No such file or directory.
rm: Unable to remove directory /export/home/test: Permission denied
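Solution:
Change the "exec_attr" entries for useradd/userdel from "euid=0" to "uid=0". With "euid=0" the command gets only an effective UID of 0 and keeps the role's real UID; "uid=0" sets both the real and the effective UID to 0.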
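
The check below is an added example, not part of the original guide: it resolves a role's profiles from user_attr to their exec_attr command entries and lists the ones that run with "euid=0" only, the setting behind the useradd failure above. The function names (role_profiles, role_commands, euid_only) are hypothetical, and the sample data is a constructed subset of the entries shown on this page.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Solaris tools.
# Constructed sample: a subset of the user_attr and exec_attr entries on this page.
# On a live system, feed /etc/user_attr and /etc/security/exec_attr instead.
USER_ATTR='r_uadm::::type=role;profiles=User Management,User Security
idmadmin::::type=normal;roles=r_uadm'
EXEC_ATTR='User Management:solaris:cmd:::/usr/sbin/groupadd:uid=0
User Management:solaris:cmd:::/usr/sbin/roleadd:euid=0
User Management:solaris:cmd:::/usr/sbin/useradd:euid=0
User Management:solaris:cmd:::/usr/sbin/userdel:euid=0
User Security:solaris:act:::SDTscgui;*;*;*;0:uid=0
User Security:suser:cmd:::/usr/bin/passwd:uid=0
User Security:suser:cmd:::/usr/sbin/pwck:euid=0'

# role_profiles NAME: print the profiles= list of a user_attr entry, one per line.
role_profiles() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v name="$1" '
        $1 == name {
            n = split($5, kv, ";")            # field 5 holds key=value pairs
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i])
                    m = split(kv[i], p, ",")
                    for (j = 1; j <= m; j++) print p[j]
                }
        }'
}

# role_commands NAME: print "path<TAB>attributes" for every cmd entry
# in exec_attr that belongs to one of the role's profiles.
role_commands() {
    role_profiles "$1" | while IFS= read -r prof; do
        printf '%s\n' "$EXEC_ATTR" | awk -F: -v prof="$prof" '
            $1 == prof && $3 == "cmd" { print $6 "\t" $7 }'
    done
}

# euid_only NAME: commands that get effective UID 0 but keep the caller's
# real UID, the setting that made useradd fail in the transcript above.
euid_only() {
    role_commands "$1" | awk -F'\t' '
        { a = ";" $2 }
        a ~ /;euid=0/ && a !~ /;uid=0/ { print $1 }'
}

echo "euid-only commands for r_uadm:"
euid_only r_uadm
```

Entries of type "act" are skipped because only "cmd" entries name an executable path.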