Hi,
I got only one response and that was from Sean Quaint. He was right on
target with setting up RBAC on Sol8.
Here is how you do it (mostly from Sean's response and a little of my
experience):
1. make a backup copy of the following files (to be safe):
/etc/user_attr
/etc/security/prof_attr
/etc/security/exec_attr
/etc/security/auth_attr
2. add to /etc/security/exec_attr (adds the executable permissions for the
profile)
profile_name:suser:cmd:::path_to_command:options
(
example to use snoop:
Netadmin:suser:cmd:::/usr/sbin/snoop:uid=0
)
3. add to /etc/security/prof_attr (adds the profile)
profile_name:::comment(optional):
(
example: Netadmin:::Can do net stuff:
)
4. add a role account that can use the Netadmin profile
roleadd -m -P "Netadmin,All" netboy && passwd netboy
(netboy will be added to the /etc/passwd and /etc/shadow files with a
shell of pfsh (profile sh). This means netboy cannot be logged into
directly, only su'd into.)
5. Now use usermod to associate joe with netboy
usermod -R netboy joe (joe is a normal user on the system and must not be
logged in when you do this)
6. Now joe can su to netboy and run the snoop command.
Extra notes:
*nscd caches RBAC info, so if things aren't working like they should, try
stopping and starting nscd (/etc/init.d/nscd stop|start)
*unlike what the Sun docs say, you don't have to edit anything in the
/etc/security/auth_attr file for this particular setup.
*some decent (but somewhat incomplete) docs on RBAC:
http://docs.sun.com/ab2/coll.47.11/SYSADV2/@Ab2PageView/26238?DwebQuery=rbac&oqt=rbac&Ab2Lang=C&Ab2Enc=iso-8859-1
http://www.securityfocus.com - search for RBAC in Sun section
Hope that helps. Once again a BIG thanks goes out to Sean Quaint.
--Konstantin
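As an added worked example (not part of the summary above or of Sean's reply), the shell script below stages steps 1 to 3 into copies of the Solaris 8 RBAC files under a scratch root, checks every line against the field layout that exec_attr(4) (7 fields) and prof_attr(4) (5 fields) expect, checks that each profile named in exec_attr is actually defined in prof_attr, and runs the roleadd/usermod steps only on a live Solaris host. The names Netadmin, netboy, joe and /usr/sbin/snoop come from the summary; the function names, the scratch-root convention, and the use of mktemp and awk are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages the Netadmin
# profile from the summary into copies of the Solaris 8 RBAC files under
# a scratch root, validates the lines, and creates the role only on a
# live Solaris host. Netadmin/netboy/joe and /usr/sbin/snoop come from
# the summary; function names and the scratch-root layout are assumptions.
set -u

# Colon-separated field count; a trailing colon yields an empty last field,
# which is how the Solaris parsers count it too.
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# exec_attr(4) layout: name:policy:type:res1:res2:id:attr  (7 fields)
exec_attr_line() {   # $1=profile  $2=command path  $3=attrs, e.g. uid=0
    printf '%s:suser:cmd:::%s:%s\n' "$1" "$2" "$3"
}

# prof_attr(4) layout: profname:res1:res2:desc:attr  (5 fields)
prof_attr_line() {   # $1=profile  $2=description
    printf '%s:::%s:\n' "$1" "$2"
}

# Check field counts, and that every profile named in exec_attr is defined
# in prof_attr: a misspelled or undefined profile grants nothing, silently.
check_rbac_files() {   # $1=directory holding exec_attr and prof_attr
    dir="$1"; rc=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        [ "$(field_count "$line")" -eq 7 ] || { echo "exec_attr: wrong field count: $line" >&2; rc=1; }
        prof="${line%%:*}"
        grep -q -- "^$prof:" "$dir/prof_attr" || { echo "exec_attr: profile '$prof' not in prof_attr" >&2; rc=1; }
    done < "$dir/exec_attr"
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        [ "$(field_count "$line")" -eq 5 ] || { echo "prof_attr: wrong field count: $line" >&2; rc=1; }
    done < "$dir/prof_attr"
    return "$rc"
}

# Steps 1-3 of the summary: back up, append the two entries, validate.
# $1 is the root to work under: a scratch directory here, / on the real box.
stage_netadmin() {
    sec="$1/etc/security"
    mkdir -p "$sec"
    for f in exec_attr prof_attr; do
        if [ -f "$sec/$f" ]; then cp -p "$sec/$f" "$sec/$f.bak"; fi
        touch "$sec/$f"
    done
    prof_attr_line Netadmin 'Can do net stuff' >> "$sec/prof_attr"
    exec_attr_line Netadmin /usr/sbin/snoop uid=0 >> "$sec/exec_attr"
    check_rbac_files "$sec" && echo "staged Netadmin entries under $sec"
}

# Steps 4-5: only meaningful where roleadd(1M)/usermod(1M) exist.
create_netadmin_role() {   # $1=role  $2=user who may su to it
    if [ "$(uname -s 2>/dev/null)" = SunOS ] && command -v roleadd >/dev/null 2>&1; then
        roleadd -m -P "Netadmin,All" "$1" && passwd "$1" && usermod -R "$1" "$2"
    else
        echo "not a Solaris host; would run: roleadd -m -P Netadmin,All $1; passwd $1; usermod -R $1 $2" >&2
        return 2
    fi
}

# sh rbac_netadmin.sh stage                 (scratch root, safe anywhere)
# ROOT=/ sh rbac_netadmin.sh stage && sh rbac_netadmin.sh role netboy joe
case "${1:-}" in
    stage) stage_netadmin "${ROOT:-$(mktemp -d)}" ;;
    role)  create_netadmin_role "${2:-netboy}" "${3:-joe}" ;;
esac
```

The field-count check is the one most worth keeping: a line with one colon too many shifts the description into the attr field, and nothing in the stock tools warns you. On the Solaris host itself, `profiles -l netboy` lists the commands the role has been granted; if it shows /usr/sbin/snoop with uid=0 but su followed by snoop still fails, the nscd caching note above is the next thing to check rather than the files.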
ORIGINAL QUESTION:
---------------------------
Konstantin Rozinov wrote:
> Hey folks,
>
> Today I was playing around with RBAC (Role Based Access Control) on
> Solaris 8. I looked at the doc.sun.com site for the RBAC documentation,
> but following their every word I was still unable to set it up.
>
> I am thinking they might have missed something.....maybe someone knows a
> better article/doc on RBAC implementation.....
>
> I am guessing that they forgot to mention to edit the /etc/password file
> to add the role account?
>
> Thanks in advance will summarize.
>
> --Konstantin
>
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:25 CDT