Technical Tip

QUESTION

How can I create a custom RBAC (Role-Based Access Control) profile under Solaris 11?

ANSWER
In Solaris 11, privileged access can be granted to users to allow them to perform certain administrative duties, such as running particular commands, updating crontabs, controlling printer activity, etc.
A set of these privileges can be combined into a Rights profile.
Such a profile can contain authorisations, privileges, commands with security attributes (e.g. setuid), and other rights profiles (i.e. nested rights profiles).

This example provides a minimal set of privileges, stored in a Rights profile called Support Level 6:-
 - Edit the /etc/motd and /etc/nologin files.
 - Run the logins command.
 - Network Time Protocol (NTP) Management.
 - Dynamic Host Configuration Protocol (DHCP) Management.

We could add all the above security attributes individually to the new profile, but instead we will create separate profiles which will allow editing of /etc/motd and /etc/nologin.
To proceed, we’ll first create the /etc/motd edit profile:-

# profiles  -p  "Configure MOTD"
profiles:Configure MOTD> set auths=solaris.admin.edit/etc/motd
profiles:Configure MOTD> set desc="Edit /etc/motd"
profiles:Configure MOTD> exit

Check it:-

# profiles  -p  "Configure MOTD"  info
        name=Configure MOTD
        desc=Edit /etc/motd
        auths=solaris.admin.edit/etc/motd

Now the /etc/nologin profile:-

# profiles  -p  "Configure NOLOGIN"
profiles:Configure NOLOGIN> set auths=solaris.admin.edit/etc/nologin
profiles:Configure NOLOGIN> set desc="Edit /etc/nologin"
profiles:Configure NOLOGIN> exit

Check it:-

# profiles  -p  "Configure NOLOGIN"  info
        name=Configure NOLOGIN
        desc=Edit /etc/nologin
        auths=solaris.admin.edit/etc/nologin

Note that we could have created a single profile and specified both auths:-

set auths=solaris.admin.edit/etc/motd,solaris.admin.edit/etc/nologin


DHCP and NTP management profiles already exist:-
# profiles  -a | egrep  -i  'ntp|dhcp'
    DHCP Management
    NTP Management

To view a profile:-
# profiles  -p  "NTP Management"  info
        name=NTP Management
        desc=Manage the NTP service
        auths=solaris.smf.manage.ntp,solaris.smf.value.ntp

The mechanism to allow execution of the logins command can be included in the main profile, which we can now proceed to create.

# profiles  -p  "Support Level 6"
profiles:Support Level 6> set  profiles="DHCP Management,NTP Management,Configure MOTD,Configure NOLOGIN"
profiles:Support Level 6> add  cmd=/usr/bin/logins
profiles:Support Level 6:logins> set  euid=0
profiles:Support Level 6:logins> set  egid=0
profiles:Support Level 6:logins> end
profiles:Support Level 6> set  desc="Support Level 6 profile for Newark site"
profiles:Support Level 6> info
        name=Support Level 6
        desc=Support Level 6 profile for Newark site
        profiles=DHCP Management,NTP Management,Configure MOTD,Configure NOLOGIN
        cmd=/usr/bin/logins
profiles:Support Level 6> exit

Check it:-

# profiles  -p  "Support Level 6"  info
        name=Support Level 6
        desc=Support Level 6 profile for Newark site
        profiles=DHCP Management,NTP Management,Configure MOTD,Configure NOLOGIN
        cmd=/usr/bin/logins

The new profiles are stored in /etc/security/prof_attr, except for the logins attribute, which is in /etc/security/exec_attr.
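Because the tip's final profile nests four others, the rights it really grants are spread over several prof_attr entries plus one exec_attr entry. The following added example (not from the original tip or from Solaris itself) parses constructed samples of those two files in their prof_attr(4) and exec_attr(4) formats, follows the nested profiles= entries, and flattens a profile into the authorisations and privileged commands a user assigned it would hold; the DHCP Management auths value is a placeholder, since the tip does not show it.

```python
# Constructed samples of the two files the tip names, in prof_attr(4)
# (name:res1:res2:desc:attr) and exec_attr(4) (name:policy:type:res1:res2:
# id:attr) format. The DHCP auths value is a placeholder, not a real auth.
PROF_ATTR = """\
Configure MOTD:::Edit /etc/motd:auths=solaris.admin.edit/etc/motd
Configure NOLOGIN:::Edit /etc/nologin:auths=solaris.admin.edit/etc/nologin
NTP Management:::Manage the NTP service:auths=solaris.smf.manage.ntp,solaris.smf.value.ntp
DHCP Management:::Manage the DHCP service:auths=PLACEHOLDER.dhcp.auth
Support Level 6:::Support Level 6 profile for Newark site:profiles=DHCP Management,NTP Management,Configure MOTD,Configure NOLOGIN
"""
EXEC_ATTR = """\
Support Level 6:solaris:cmd:::/usr/bin/logins:euid=0;egid=0
"""

def parse_attrs(field):
    """Turn 'k=v1,v2;k2=v3' into {'k': ['v1', 'v2'], 'k2': ['v3']}."""
    attrs = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        attrs[key] = value.split(",") if value else []
    return attrs

def records(text, nfields):
    """Split colon-separated lines into nfields, skipping blanks/comments."""
    return [line.split(":", nfields - 1) for line in text.splitlines()
            if line and not line.startswith("#")]

def load(prof_text, exec_text):
    """Build {profile: attrs} and {profile: {cmd path: attrs}} databases."""
    prof_db = {r[0]: parse_attrs(r[4]) for r in records(prof_text, 5)}
    exec_db = {}
    for name, _policy, kind, _r1, _r2, ident, attr in records(exec_text, 7):
        if kind == "cmd":  # exec_attr may also hold non-command entries
            exec_db.setdefault(name, {})[ident] = parse_attrs(attr)
    return prof_db, exec_db

def resolve(profile, prof_db, exec_db, seen=None):
    """Return (auths, cmds) granted by a profile and everything it nests."""
    seen = set() if seen is None else seen
    if profile in seen or profile not in prof_db:  # cycle or unknown name
        return set(), {}
    seen.add(profile)
    auths = set(prof_db[profile].get("auths", []))
    cmds = dict(exec_db.get(profile, {}))
    for nested in prof_db[profile].get("profiles", []):
        sub_auths, sub_cmds = resolve(nested, prof_db, exec_db, seen)
        auths |= sub_auths
        cmds.update(sub_cmds)
    return auths, cmds
```

Calling `resolve("Support Level 6", *load(PROF_ATTR, EXEC_ATTR))` returns the five authorisations and the euid=0/egid=0 logins command; a profile that nests itself is visited only once, so a mistaken cycle in profiles= entries cannot recurse forever.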

We can now assign the new profile to existing users using usermod, or initially with useradd.
The user can invoke a profile shell or pfexec to run their privileged commands.
To assign the profile to joe:-
# usermod  -P  +"Support Level 6"  joe
UX: usermod: joe is currently logged in, some changes may not take effect until next login.

Note the above warning.

The user’s entry in /etc/user_attr will now contain the assigned Support Level 6 entry.
Use profiles -l joe to list the profiles assigned to joe.

To modify the new profile:-
# profiles  -p  "Support Level 6"
profiles:Support Level 6> info
        name=Support Level 6
        desc=Support Level 6 profile for Newark site
        profiles=DHCP Management,NTP Management,Configure MOTD,Configure NOLOGIN
        cmd=/usr/bin/logins
profiles:Support Level 6> remove profiles="DHCP Management"
(Removes the DHCP Management profile)
profiles:Support Level 6> select  cmd=/usr/bin/logins
profiles:Support Level 6:logins> set  euid=1
profiles:Support Level 6:logins> end
(The above changes the effective user ID for running the logins command - not a realistic thing to do.)
profiles:Support Level 6> exit

List the modified profile:-
# profiles  -p  "Support Level 6"  info

To remove a profile altogether:-
# profiles  -p  "Support Level 6"  delete

To unassign the profile from joe:-
# usermod   -P   -"Support Level 6"  joe

First Alternative course tutors can answer questions like this ... and are happy to do so. Look around our site for relevant courses in Linux, Unix and Solaris.
