Making Root a Role
This procedure shows how to change root from a user to a role within a local scope. Changing root to a role prevents users from logging in to that server directly as root. Users must first log in as themselves so their UIDs are available for auditing.
Caution - If you make root a role without assigning it to a valid user or without a currently existing role equivalent to root, no one can become root.
How to Make Root a Role
Log in to the target server.
Become superuser.
Edit the /etc/user_attr file.
Here is an excerpt from a typical user_attr file.
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
johnDoe::::type=normal
Check that your name is in the file.
Add root to the roles that are assigned to your record.
Assign the root role to any applicable users. If you intend to use primaryadmin as your most powerful role, you do not have to assign root to any users.
johnDoe::::type=normal;roles=root
Go to the root record in the file and change type=normal to type=role.
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
Save the file.
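The procedure above edits /etc/user_attr by hand. The following POSIX shell script is an added example, not part of the Solaris guide, that performs the same two edits on a user_attr-format file you point it at (a copy, never the live file): it adds root to a user's roles= list, then changes root's record from type=normal to type=role, and it refuses the second step while no user record lists root among its roles, which is exactly the lock-out the caution at the top of the procedure warns about. The function names, the helper attr_value, and the sample file contents (which mirror the excerpt in the procedure plus a constructed janeDoe record) are assumptions of this example; only awk, grep and mktemp are required.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): safely apply the "make root a role"
# edits to a user_attr-format file. Record layout: user:qualifier:res1:res2:attr,
# where attr is a ';'-separated list of key=value pairs (roles= is comma-separated).

# Constructed sample content; the first two records are the guide's own excerpt.
SAMPLE_USER_ATTR='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
johnDoe::::type=normal
janeDoe::::type=normal;roles=primaryadmin'

# Print the value of KEY from USER's attr field.   usage: attr_value FILE USER KEY
attr_value() {
    awk -F: -v u="$2" -v k="$3" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], k "=") == 1) { print substr(kv[i], length(k) + 2); exit }
        }' "$1"
}

# Succeed (status 0) if some non-root record lists root in roles=.   usage: root_assigned FILE
root_assigned() {
    awk -F: '
        $1 != "root" {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], "roles=") == 1) {
                    m = split(substr(kv[i], 7), r, ",")
                    for (j = 1; j <= m; j++) if (r[j] == "root") found = 1
                }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Step "Add root to the roles that are assigned to your record".
# Creates roles= if the record has none; prepends root otherwise.   usage: assign_root_role FILE USER
assign_root_role() {
    file=$1; user=$2
    grep -q "^$user:" "$file" || { echo "no record for $user in $file" >&2; return 1; }
    tmp=$(mktemp)
    awk -F: -v OFS=: -v u="$user" '
        $1 == u {
            if ($5 ~ /(^|;)roles=/) {
                if ($5 !~ /roles=([^;]*,)?root(,|;|$)/) sub(/roles=/, "roles=root,", $5)
            } else {
                $5 = ($5 == "" ? "" : $5 ";") "roles=root"
            }
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Step "change type=normal to type=role" on the root record, guarded by the
# caution: refuse if the file would leave nobody able to assume root.   usage: make_root_a_role FILE
make_root_a_role() {
    file=$1
    if ! root_assigned "$file"; then
        echo "refusing: no user is assigned the root role; root would become unreachable" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -F: -v OFS=: '$1 == "root" { sub(/type=normal/, "type=role", $5) } { print }' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Example session on a scratch copy:
#   f=$(mktemp); printf '%s\n' "$SAMPLE_USER_ATTR" > "$f"
#   make_root_a_role "$f"            # refused: nobody has roles=root yet
#   assign_root_role "$f" johnDoe    # johnDoe::::type=normal;roles=root
#   make_root_a_role "$f"            # root::::type=role;auths=...;profiles=All
```

Run it against a copy of /etc/user_attr, diff the result against the original, and only then install it; the guard in make_root_a_role is the check that turns the caution into something the script enforces rather than something the administrator has to remember.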
Managing RBAC Information (Task Map)
The following task map shows where to obtain information for performing specific RBAC tasks.
Task | Description | For Instructions |
---|---|---|
Use privileged applications | To run applications that can affect security or system operations requires becoming superuser or assuming a role. | |
Create roles | To add new roles, that is, special identities for running privileged applications. | "How to Create a Role by Using the Administrative Roles Tool" |
Change role properties | To change the properties of a role, that is, the assigned users, rights profiles, and authorizations that are assigned to a role. | "How to Change a Role by Using the Administrative Roles Tool" |
Create or change rights profiles | To add or change a rights profile, including the assignment of authorizations, commands with security attributes, and supplementary rights profiles. | "How to Create or Change a Rights Profile by Using the Rights Tool" |
Change a user's RBAC properties | To change the roles, rights profiles, or authorizations that are assigned to a user. | "How to Modify a User's RBAC Properties by Using the User Accounts Tool" "How to Modify a User's RBAC Properties From the Command Line" |
Secure legacy applications | To turn on the set ID permissions for legacy applications. Scripts can contain commands with set IDs. Legacy applications can check for authorizations, if appropriate. | "How to Add Security Attributes to a Legacy Application" |
These procedures manage the elements that are used in role-based access control (RBAC). For user management procedures, refer to "Managing User Accounts and Groups (Tasks)" in System Administration Guide: Basic Administration.
Using Privileged Applications
To run privileged applications, you must first become superuser or assume a role. Although running privileged applications as a normal user is possible, it is discouraged to avoid errors that are caused by users who inadvertently exercise this privilege.
How to Assume a Role at the Command Line
Use the su command as follows:
% su my-role
Password: my-role-password
#
Typing su by itself lets you become superuser. Typing su with a role name lets you assume that role (if it has been assigned to you). You must supply the appropriate password. Assuming a role switches the command line to the profile shell for that role. The profile shell has been modified to run commands with the security attributes that are assigned in the role's rights profiles.
Type a command in the shell.
The command is executed with any assigned security attributes and setuid or setgid permissions.
How to Assume a Role in the Console Tools
Start the Solaris Management Console.
Use one of the following methods:
Type smc at the command line.
Click the Solaris Management Console icon in the Tools subpanel.
Double-click the Solaris Management Console icon in the Application Manager.
All Solaris Management Console tools have extensive context-sensitive help that documents each field. In addition, you can access various help topics from the Help menu. Note that it does not matter whether you are logged in as root or as a normal user when you start the console.
Select the toolbox for your task.
Navigate to the toolbox that contains the tool or collection in the appropriate scope and click the icon. The scopes are files (local), NIS, NIS+, and LDAP. If the appropriate toolbox is not displayed in the navigation pane, choose Open Toolbox from the Console menu and load the relevant toolbox.
Select the tool.
Navigate to the tool or collection to be used and click the icon. The tools for managing the RBAC elements are all part of the User Tool Collection.
Authenticate yourself in the Login: User Name dialog box.
Your choices are the following:
Type your user name and password to assume a role or to operate as a normal user.
Type root and the root password to operate as superuser.
Note that if you have not yet set up any roles or if the roles that are set up cannot perform the appropriate tasks, you need to log in as root. If you authenticate yourself as root (or as a user with no roles assigned), the tools are loaded into the console and you can proceed to Step 6.
Authenticate yourself in the Login: Role dialog box.
The Role option menu in the dialog box displays the roles that are assigned to you. Choose a role and type the role password. If you are to operate as a normal user, type your user name and password.
Navigate to the tool to be run and click the icon.
Creating Roles
To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user. See "RBAC Roles" and "Configuring Recommended Roles" to learn more about roles.
How to Create a Role by Using the Administrative Roles Tool
Start the Administrative Roles tool.
To run the Administrative Roles tool, start the Solaris Management Console, as described in "How to Assume a Role in the Console Tools". Then, open the User Tool Collection, and click the Administrative Roles icon.
Start the Add Administrative Role wizard.
Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.
Fill in the fields in the series of dialog boxes. Click Finish when done.
Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until all required fields have been filled in. The last dialog box is for reviewing the entered data, at which point you can go back to change entries or click Finish to save the new role. Table 18-1 summarizes the dialog boxes.
Open a terminal window, become root, and stop and start the name service cache daemon.
The new role does not take effect until the name service cache daemon is restarted. After becoming root, type as follows:
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Table 18-1 Add Administrative Role Wizard: Dialog Boxes and Fields
Dialog Box | Fields | Field Description |
---|---|---|
Step 1: Enter a role name | Role Name | Short name of the role. |
| Full Name | Long version of the name. |
| Description | Description of the role. |
| Role ID Number | UID for the role, automatically incremented. |
| Role Shell | The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell. |
| Create a role mailing list | Makes a mailing list for users who are assigned to this role. |
Step 2: Enter a role password | Role Password | ******** |
| Confirm Password | ******** |
Step 3: Select role rights | Available Rights / Granted Rights | Assigns or removes a role's rights profiles. Note that the system does not prevent you from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile have precedence and all subsequent occurrences are ignored. Use the Up and Down arrows to change the order. |
Step 4: Select a home directory | Server | Server for the home directory. |
| Path | Home directory path. |
Step 5: Assign users to this role | Add | Adds users who can assume this role. Must be in the same scope. |
| Delete | Deletes users who are assigned to this role. |