RBAC

Role-Based Access Control (RBAC)

Individual users can be assigned to roles, such as system administrator, network administrator, or operator.
Roles are associated with rights profiles.

Roles can also be assigned authorizations. An authorization grants access to restricted functions in RBAC-compliant applications. RBAC-compliant
applications are linked to libsecdb so that the caller's privileges can be checked.

Key RBAC Files

The authorizations, roles, rights profiles, and privileged commands are defined in four files:
/etc/user_attr file
/etc/security/prof_attr file
/etc/security/policy.conf file
/etc/security/exec_attr file

/etc/user_attr file contains user and role information that supplements the /etc/passwd and /etc/shadow files.

When creating a new user account with no rights profiles, authorizations or roles, nothing is added to the file:

# useradd -m -d /export/home/chris chris
64 blocks
# grep chris /etc/user_attr

Roles
A role is a special identity, similar to a user account, used to run privileged applications or commands. A role can be assumed only by the
users assigned to it.

# roles root
No roles
# roles chris
No roles

A rights profile is a collection of rights that can be assigned to a user.

The rights profile names and descriptions are defined in the /etc/security/prof_attr file. New rights profiles can be created by
editing this file or using the Solaris Management Console (SMC).

# profiles chris
Basic Solaris User
All

Every account has the All rights profile. It allows any command to be executed but with special security attributes. Other rights profiles given to
all new user accounts are defined in the /etc/security/policy.conf file:

# grep 'PROFS' /etc/security/policy.conf
PROFS_GRANTED=Basic Solaris User

Assigning the Printer Management rights profile to the chris user account:
# usermod -P "Printer Management" chris
# profiles chris
Printer Management
Basic Solaris User
All

This automatically updates the /etc/user_attr file as shown below:
# grep chris /etc/user_attr
chris::::type=normal;profiles=Printer Management

The /etc/security/exec_attr file holds the execution attributes. An execution attribute is associated with a rights profile name.

Special security attributes refer to attributes, such as UID, EUID, GID, and EGID, that can be added to a process when the command is run. Only the
users and roles assigned access to this rights profile can run the command with special security attributes.

# grep 'Printer Management' /etc/security/exec_attr
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0;uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8

Assigning Rights Profiles To Roles

Creating a Role

The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and /etc/user_attr files. Its main options are:

-c comment A text string that provides a short description of the role.
-d dir Specifies the home directory of the new role.
-m Creates the new role’s home directory if it does not already exist.
-P profile Assigns rights profiles to the role. Use commas (,) to separate multiple rights profiles.

# roleadd -m -d /export/home/level1 -c "Level One Support" -P "Printer Management,Media Backup,Media Restore" level1
64 blocks
# passwd level1
In this example, the roleadd command creates a new role called level1, builds its home directory, and assigns the role the rights profiles
Printer Management, Media Backup, and Media Restore. The role cannot be used until a password has been set for it.

The changes to the /etc/passwd, /etc/shadow, and /etc/user_attr files are shown below:
# grep level1 /etc/passwd
level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh
# grep level1 /etc/shadow
level1:CUs8aQ64vTrZ.:12713::::::
# grep level1 /etc/user_attr
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore

Modifying a Role

The rolemod command changes the definition of the specified role and makes the appropriate login-related changes to the system files and file system. Its main options are:

-e expire Specifies the expiration date for a role.
-l new_logname Specifies the new login name for the role.
-P profile Specifies one or more comma-separated rights profiles, as defined in the /etc/security/prof_attr file.
-s shell Specifies the full path name of the program that is used as the role’s shell when logging in. These shells are special versions of the
Bourne shell (sh), C shell (csh), and Korn shell (ksh).

# rolemod -P profile1,profile2 -s /usr/bin/pfksh level1

In this example, the rolemod command assigns the profile1 and profile2 profiles and the /usr/bin/pfksh profile shell to the role named level1.

Purpose of the Profile Shells

A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile. The standard
UNIX shells cannot be used, as they are not aware of the RBAC files and do not consult them.

When the user executes a command, the profile shell searches the role’s rights profiles and associated rights. If the same command appears in
more than one profile, the profile shell uses the first matching entry. The profile shell executes the command with the attributes specified in the
RBAC configuration files.

The profile shells are pfsh, pfcsh, and pfksh. These profile shells correspond to Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
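The lookup the profile shell performs, as an added example written for this page (not Solaris code): it reads the colon-separated formats of /etc/user_attr, /etc/security/prof_attr and /etc/security/exec_attr shown above, resolves the profile order the profiles command prints, and returns the security attributes of the first matching exec_attr entry. The file contents are constructed samples, and the exact profile ordering is a simplification that reproduces the outputs shown on this page.

```python
# Added example (not the page's code): model of the profile-shell lookup
# described above. File contents are constructed samples, not real files.
USER_ATTR = """\
chris::::type=normal;profiles=Printer Management
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
"""
PROFS_GRANTED = "Basic Solaris User"   # PROFS_GRANTED= from policy.conf
PROF_ATTR = """\
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All;help=RtDefault.html
Printer Management:::Manage printers:help=RtPrntAdmin.html
All:::Execute any command as the user or role:help=RtAll.html
"""
EXEC_ATTR = """\
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0;uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
All:suser:cmd:::*:
"""

def parse_attrs(text):
    """'euid=0;uid=0' -> {'euid': '0', 'uid': '0'}; '' -> {}."""
    return dict(kv.split("=", 1) for kv in text.split(";") if kv)

def user_profiles(name):
    """Profiles in lookup order: the account's own, then PROFS_GRANTED,
    each followed by the profiles its own 'profiles=' key pulls in."""
    own, nested = [], {}
    for line in USER_ATTR.splitlines():
        f = line.split(":")                   # name:::...:attrs
        if f[0] == name:
            own = parse_attrs(f[4]).get("profiles", "").split(",")
    for line in PROF_ATTR.splitlines():
        f = line.split(":")                   # name:::desc:attrs
        nested[f[0]] = parse_attrs(f[4]).get("profiles", "").split(",")
    order = []
    for prof in own + PROFS_GRANTED.split(","):
        for p in [prof] + nested.get(prof, []):
            if p and p not in order:
                order.append(p)
    return order

def exec_attributes(name, command):
    """First matching exec_attr entry wins, like the profile shell; None if none."""
    entries = [line.split(":") for line in EXEC_ATTR.splitlines()]
    for prof in user_profiles(name):
        for f in entries:                     # name:policy:type:::id:attrs
            if f[0] == prof and f[5] in (command, "*"):
                return prof, parse_attrs(f[6])
    return None
```

A command not covered by any assigned profile falls through to the All profile, which carries no security attributes.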

Assigning Roles To Users

A user can have access to many roles. The useradd command or Solaris Management Console (SMC) can be used to define which roles a new user
has access to.

The useradd command takes the -R option to define roles:

# useradd -m -d /export/home/paul -R level1 paul
64 blocks
# passwd paul
New Password: paul
Re-enter new Password: paul
passwd: password successfully changed for paul

# roles paul
level1

# usermod -R level1 chris

# usermod -R "" chris

The empty -R value removes all role access from the chris account.

Using Roles

As it is not possible to log in to a role account, log in as a regular user first. The roles command shows the roles available to your account.

$ id
uid=103(paul) gid=1(other)

$ roles
level1

Switch the user to the role account with the su command.

$ su level1
Password: level1

$ id
uid=102(level1) gid=1(other)

The level1 role has the two default rights profiles and was configured with three extra rights profiles.

$ profiles
Printer Management
Media Backup
Media Restore
Basic Solaris User
All

Authorizations
An authorization grants access to restricted functions in RBAC compliant applications.

You cannot create new authorizations; however, you can create and assign authorizations to new applications.

The predefined authorizations are listed in /etc/security/auth_attr:

# cat /etc/security/auth_attr
(output omitted)
solaris.jobs.:::Job Scheduler::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
(output omitted)
Caution - An authorization that ends with the suffix grant permits a user to delegate any assigned authorizations that begin with the same prefix to
other users.

A user holding the following two authorizations can delegate the solaris.admin.usermgr.read authorization to another user:
solaris.admin.usermgr.grant
solaris.admin.usermgr.read

A user holding the following two authorizations can delegate any of the authorizations with the solaris.admin.usermgr prefix to other users:
solaris.admin.usermgr.grant
solaris.admin.usermgr.*
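The grant-suffix rule above, as an added example (not Solaris code or the page's own): a check for whether a set of held authorizations permits delegating a given one, with trailing-wildcard authorizations such as solaris.admin.usermgr.* treated as covering every authorization under that prefix (an assumption of this example).

```python
# Added example (not the page's code): the '.grant' delegation rule above,
# with '*' wildcard authorizations such as solaris.admin.usermgr.* handled.
from fnmatch import fnmatchcase

def holds(auths, wanted):
    """True if any held authorization covers `wanted`; a trailing '*'
    covers every authorization that starts with the same prefix."""
    return any(fnmatchcase(wanted, a) for a in auths)

def can_delegate(auths, wanted):
    """Delegating `wanted` needs its prefix's .grant authorization and
    `wanted` itself, both held directly or through a wildcard."""
    prefix, _, _ = wanted.rpartition(".")
    return holds(auths, prefix + ".grant") and holds(auths, wanted)

def delegable(auths, candidates):
    """Subset of `candidates` that a holder of `auths` may delegate."""
    return [a for a in candidates if can_delegate(auths, a)]
```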

Default Authorizations
All users have the Basic Solaris User profile by default.
# profiles chris
Printer Management
Basic Solaris User
All
# grep 'Basic Solaris User' /etc/security/prof_attr
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.printer.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read;profiles=All; help=RtDefault.html
# grep 'AUTHS' /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw

Assigning Authorizations
Authorizations can be assigned to user accounts. Authorizations can also be assigned to roles or embedded in a rights profile which can be assigned
to a user or role.

Assigning Authorizations To User Accounts

The following example shows that a regular user is not permitted to look at another user’s crontab file:
# su - chris
Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004
$ crontab -l root
crontab: you must be super-user to access another user's crontab file
$ exit

The useradd and usermod commands take these options:
-R role Assigns roles.
-A authorization Assigns authorizations.

# usermod -A solaris.jobs.admin chris

# auths chris

Assigning Authorizations To Roles
If a large number of user accounts require the same configuration and management of authorizations, it can be easier to assign the
authorizations to a role and give the users access to the role.

# roleadd -m -d /export/home/level2 -P "Mail Management" \
-A "solaris.admin.usermgr.*" level2
64 blocks
# passwd level2
New Password: level2
Re-enter new Password: level2
passwd: password successfully changed for level2
# profiles level2
Mail Management
Basic Solaris User
All
# auths level2
solaris.admin.usermgr.*
(output omitted)

Assigning Authorizations To Rights Profiles

For example, the predefined Cron Management rights profile includes commands and authorizations. The /etc/security/prof_attr file
defines the authorizations.

# grep '^Cron' /etc/security/prof_attr
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html

The /etc/security/exec_attr file defines the commands and their special security attributes.

# grep '^Cron' /etc/security/exec_attr
Cron Management:suser:cmd:::/etc/init.d/cron:uid=0;gid=sys
Cron Management:suser:cmd:::/usr/bin/crontab:euid=0

The rights profile can then be given to a user:
# usermod -P "Cron Management" paul

Or to a role:
# rolemod -P "Cron Management" level2