rbac presentation

Solaris 10 RBAC

Upload: burgubavi-narsing-rao

Post on 11-Mar-2015


Page 1: RBAC Presentation

Solaris 10 RBAC

Page 2: RBAC Presentation

Physical analogy illustrating the superuser model versus RBAC

Page 3: RBAC Presentation

Role: A special identity that can be assumed by assigned users only.

Authorization: A permission that can be assigned to a role or user to perform a class of actions otherwise prohibited by security policy.

Rights Profile: A package that can be assigned to a role or user.

Elements of RBAC

Page 4: RBAC Presentation

Solaris RBAC Element Assignments

Page 5: RBAC Presentation

RBAC Example

Page 6: RBAC Presentation

RBAC Example – Authorization Assignments

Page 7: RBAC Presentation

Databases Supporting RBAC

user_attr (extended user attributes database)

auth_attr (authorization attributes database)

prof_attr (rights profile attributes database)

exec_attr (profile execution attributes database)

Page 8: RBAC Presentation

1. Create a role named sdown. Give it a user ID of 5000 and a group ID of 10.

# roleadd -u 5000 -g 10 -m -d /export/home/sdown sdown
# passwd sdown

2. Create the profile named Shut by adding a line to the prof_attr file.

# vi /etc/security/prof_attr
(output omitted for brevity)
Shut:::Able to shutdown the system:

3. Add the profile to the role.

# rolemod -P Shut sdown

4. Verify that the role is included in the /etc/user_attr file.

# more /etc/user_attr

5. Create a user named user9 and assign it access to the sdown role. Give this user a user ID of 4009 and a group ID of 10.

# useradd -u 4009 -g 10 -m -d /export/home/user9 -s /bin/ksh \
    -R sdown user9
# passwd user9

Creating a User and a Role Using the Command-line Tools

Page 9: RBAC Presentation

Exercise: Configuring RBAC (Level 3)

6. Check the role attributes for user9.

# grep user9 /etc/user_attr

7. Assign the shutdown command to the profile.

# vi /etc/security/exec_attr
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0

8. Use the su command to test the configuration as user9.

# su user9

9. As user9, without assuming the new role, shut down the system.

$ /usr/sbin/shutdown -i 6 -g 0
/usr/sbin/shutdown: Only root can run /usr/sbin/shutdown

What is the result of this shutdown attempt, and why?

This shutdown attempt fails because user9 has not assumed the sdown role yet, and as a regular user, does not have the rights profile to execute the shutdown command.

Creating a User and a Role Using the Command-line Tools

Page 10: RBAC Presentation

10. Execute the profiles command to determine which RBAC profiles are associated with user9.

$ profiles
Basic Solaris User
All

11. Execute the roles command to determine which RBAC roles are associated with user9.

$ roles
sdown

12. Assume the role sdown.

$ su sdown
Password:
$

Creating a User and a Role Using the Command-line Tools

Page 11: RBAC Presentation

14. List the commands that the sdown profile can execute.

$ profiles -l
Shut:
    /usr/sbin/shutdown    uid=0
All:
    *

15. Shut down the system using the shutdown command.

$ /usr/sbin/shutdown -i 6 -g 0
Shutdown started.    Fri Oct 22 16:15:28 BST 2004
Do you want to continue? (y or n): n

What is the result of this shutdown attempt? Why?

This command succeeds because the sdown role has execute permission when issuing the shutdown command.

16. Log out of the sdown role.

$ <Control-D>

17. Log out as user9.

$ <Control-D>

Creating a User and a Role Using the Command-line Tools
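Added illustration, not part of the presentation or of the lab guide it transcribes: a small Python model of how the databases listed on page 7 (user_attr, prof_attr, exec_attr) fit together to decide what a user or role may run, and why the shutdown attempt fails in step 9 but succeeds in step 15. The database contents are constructed for the example and mirror the sdown / Shut / user9 setup built in steps 1 to 7; the field layouts are the documented Solaris ones. The PROFS_GRANTED default (which is where the "Basic Solaris User" and "All" profiles shown by the profiles command come from on a real system, via policy.conf) is an assumption stated in the code.

```python
"""Model of Solaris 10 RBAC command resolution across user_attr, prof_attr
and exec_attr.  Database contents below are constructed for this example,
not copied from a live system."""

# Field layouts of the Solaris databases:
#   user_attr: user:qualifier:res1:res2:attr
#   prof_attr: profname:res1:res2:desc:attr
#   exec_attr: profname:policy:type:res1:res2:id:attr
# 'attr' is a ';'-separated list of key=value pairs.
USER_ATTR = """\
sdown::::type=role;profiles=Shut
user9::::type=normal;roles=sdown
"""
PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:profiles=All;help=RtDefault.html
Shut:::Able to shutdown the system:
"""
EXEC_ATTR = """\
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
All:suser:cmd:::*:
"""
# Profiles every user receives through PROFS_GRANTED in policy.conf (assumed default).
PROFS_GRANTED = ["Basic Solaris User"]


def _lines(db):
    return [l for l in db.splitlines() if l and not l.startswith("#")]


def parse_attrs(text):
    """'k=v;k2=v2' -> {'k': 'v', 'k2': 'v2'}; an empty attr field gives {}."""
    return dict(kv.partition("=")[::2] for kv in text.split(";") if kv)


def parse_user_attr(db):
    users = {}
    for line in _lines(db):
        name, _qual, _r1, _r2, attr = line.split(":", 4)
        users[name] = parse_attrs(attr)
    return users


def parse_prof_attr(db):
    profs = {}
    for line in _lines(db):
        name, _r1, _r2, desc, attr = line.split(":", 4)
        profs[name] = {"desc": desc, **parse_attrs(attr)}
    return profs


def parse_exec_attr(db):
    execs = []
    for line in _lines(db):
        prof, policy, kind, _r1, _r2, ident, attr = line.split(":", 6)
        execs.append((prof, policy, kind, ident, parse_attrs(attr)))
    return execs


USERS = parse_user_attr(USER_ATTR)
PROFS = parse_prof_attr(PROF_ATTR)
EXECS = parse_exec_attr(EXEC_ATTR)


def roles_for(user, users=USERS):
    """Roles the user may assume with su (what the 'roles' command lists)."""
    return [r for r in users.get(user, {}).get("roles", "").split(",") if r]


def profiles_for(principal, users=USERS, profs=PROFS):
    """Ordered rights profiles of a user or role (what 'profiles' lists):
    the principal's own profiles first, then the policy.conf defaults, with
    nested 'profiles=' entries expanded depth-first and duplicates dropped."""
    order = []

    def add(name):
        if name in order:
            return
        order.append(name)
        for sub in profs.get(name, {}).get("profiles", "").split(","):
            if sub:
                add(sub)

    own = users.get(principal, {}).get("profiles", "")
    for p in [p for p in own.split(",") if p] + PROFS_GRANTED:
        add(p)
    return order


def resolve(principal, command, users=USERS, profs=PROFS, execs=EXECS):
    """Return (profile, attrs) of the exec_attr entry governing 'command'.
    Profiles are searched in order and the first match wins, so the specific
    Shut entry (uid=0) takes precedence over the catch-all All entry (*)."""
    for prof in profiles_for(principal, users, profs):
        for eprof, _policy, kind, ident, attrs in execs:
            if eprof == prof and kind == "cmd" and ident in (command, "*"):
                return prof, attrs
    return None, {}


def effective_uid(principal, command, caller_uid, **dbs):
    """UID the command would run under from a profile shell, or None when no
    profile grants the command at all.  Without a uid= attribute the command
    runs as the caller, which is why shutdown refuses user9 but accepts sdown."""
    prof, attrs = resolve(principal, command, **dbs)
    if prof is None:
        return None
    return int(attrs.get("uid", caller_uid))


if __name__ == "__main__":
    cmd = "/usr/sbin/shutdown"
    for who, uid in (("user9", 4009), ("sdown", 5000)):
        prof, attrs = resolve(who, cmd)
        print(f"{who}: profiles={profiles_for(who)} via {prof} {attrs} "
              f"-> runs as uid {effective_uid(who, cmd, uid)}")
```

Run as-is it reports that user9 reaches shutdown only through the All profile (no uid attribute, so the command runs as uid 4009 and shutdown itself refuses), while sdown reaches it through Shut with uid=0, which is the difference between step 9 and step 15. Order matters in a real exec_attr too: a catch-all entry listed ahead of a specific one would silently mask the specific one's security attributes.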