Tuesday, May 15, 2012

RBAC on Solaris

Introduction

Role Based Access Control (RBAC) on Solaris is the native framework intended to replace the 'sudo' command. RBAC isn't very intuitive and isn't really an elegant approach to access control, but it does work quite well, and once you've mastered the basics it'll all start making a bit more sense.

Firstly, some definitions:

Profile - A named set of properties that references one or more authorizations and command entries (each command with its execution attributes, such as the effective UID it runs under). Profiles are assigned to users or roles.

Authorization - "An authorization is a discrete right that can be granted to a role or user. Authorizations are checked by RBAC-compliant applications before a user gets access to the application or specific operations within it. This check replaces the tests in conventional UNIX applications for UID=0" (http://docs.oracle.com/cd/E19683-01/817-0365/rbacref-21/index.html)

Role - Similar to a user account, a role is a separate identity that a user switches to (with su) in order to perform a specific operation.

Solaris ships with an array of default profiles and authorizations; they are definitely worth researching and understanding before you write your own. The relevant files/directories are:

  • /etc/security/prof_attr.d/ (profile definitions)
  • /etc/security/exec_attr.d/ (the commands each profile grants, with their execution attributes)
  • /etc/security/auth_attr.d/ (authorization definitions)

Every user created on the system will, by default, be assigned the profiles "All" (to run all commands) and "Basic Solaris User" (allows escalated access for CD-related commands in order to interact with the CD drive). Only "Basic Solaris User" is listed in policy.conf; "All" comes in because "Basic Solaris User" nests it via profiles=All, as the profiles -l output further down shows.
You can change these default profiles by changing the relevant variables in /etc/security/policy.conf:

# egrep "AUTH|PROF" /etc/security/policy.conf
AUTHS_GRANTED=
PROFS_GRANTED=Basic Solaris User

Using RBAC

As a very basic example of RBAC, say you have a user 'williama' who is a new administrator. You want to grant this administrator access to the user maintenance commands - useradd, usermod, groupadd etc. Here's how you'd go about it:

Check the user doesn't already have the access:
# profiles -l williama
williama:
      Basic Solaris User
        auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
        profiles=All
          /usr/bin/cdrecord.bin      privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
          /usr/bin/readcd.bin        privs=file_dac_read,sys_devices,net_privaddr
          /usr/bin/cdda2wav.bin      privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
      All
          *
As these are system commands, there is most likely already a profile and authorization defined for them:

# cd /etc/security
# egrep "useradd|usermod|groupmod" exec_attr.d/*
exec_attr.d/core-os:User Management:solaris:cmd:RO::/usr/sbin/useradd:euid=0
exec_attr.d/core-os:User Management:solaris:cmd:RO::/usr/sbin/usermod:euid=0
exec_attr.d/core-os:User Management:solaris:cmd:RO::/usr/sbin/groupmod:euid=0
exec_attr.d/core-os:User Security:solaris:cmd:RO::/usr/sbin/usermod:euid=0
exec_attr.d/core-os:User Security:solaris:cmd:RO::/usr/sbin/groupmod:euid=0

There we go, it's called "User Management". Now just modify the user's account to include this profile.

# usermod -P "User Management" williama
Found user in files repository.

Check that it all worked:

# profiles williama
williama:
          User Management
          Basic Solaris User
          All

# profiles -l williama
williama:
      User Management
        auths=solaris.user.manage,solaris.role.manage,solaris.group.manage,solaris.project.delegate,solaris.account.activate
          /usr/sbin/grpck            euid=0
          /usr/sbin/pwck             euid=0
          /usr/sbin/useradd          euid=0
          /usr/sbin/userdel          euid=0
          /usr/sbin/usermod          euid=0
          /usr/sbin/roleadd          euid=0
          /usr/sbin/roledel          euid=0
          /usr/sbin/rolemod          euid=0
          /usr/sbin/groupadd         euid=0
          /usr/sbin/groupdel         euid=0
          /usr/sbin/groupmod         euid=0
          /usr/bin/passwd            euid=0
      Basic Solaris User
        auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
        profiles=All
          /usr/bin/cdrecord.bin      privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
          /usr/bin/readcd.bin        privs=file_dac_read,sys_devices,net_privaddr
          /usr/bin/cdda2wav.bin      privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
      All
          *

# su - williama
.....
$ pfexec /usr/sbin/useradd -md /export/home/test test

$ id -a test
uid=60009(test) gid=10(staff) groups=10(staff)

Now that this administrator can add/remove users, you also want them to be able to reboot the machine.
As above, there is a pre-defined profile for this, but let's not use that for now, so that we can see how a profile is built from scratch.

Firstly, create a profile, giving it a name and a short description (the prof_attr fields are name:res1:res2:description:attributes; the two reserved fields stay empty):

# echo "REBOOT:::profile for rebooting:" >>  /etc/security/prof_attr

Create the exec attribute entry that links the profile to the command and says how it runs (the exec_attr fields are name:policy:type:res1:res2:id:attributes; here euid=0 makes the command run with an effective UID of 0):

# echo "REBOOT:solaris:cmd:::/usr/sbin/reboot:euid=0"  >>  /etc/security/exec_attr

Assign the profile to the user (note the +: without it, usermod -P replaces the user's existing profile list instead of adding to it):

# usermod -P +REBOOT  williama

Check that it all works:

# profiles -l williama
williama:
      User Management
        auths=solaris.user.manage,solaris.role.manage,solaris.group.manage,solaris.project.delegate,solaris.account.activate
          /usr/sbin/grpck            euid=0
          /usr/sbin/pwck             euid=0
          /usr/sbin/useradd          euid=0
          /usr/sbin/userdel          euid=0
          /usr/sbin/usermod          euid=0
          /usr/sbin/roleadd          euid=0
          /usr/sbin/roledel          euid=0
          /usr/sbin/rolemod          euid=0
          /usr/sbin/groupadd         euid=0
          /usr/sbin/groupdel         euid=0
          /usr/sbin/groupmod         euid=0
          /usr/bin/passwd            euid=0
      REBOOT
          /usr/sbin/reboot           euid=0
      Basic Solaris User
        auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
        profiles=All
          /usr/bin/cdrecord.bin      privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
          /usr/bin/readcd.bin        privs=file_dac_read,sys_devices,net_privaddr
          /usr/bin/cdda2wav.bin      privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
      All
          *
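The file formats above can be modelled to see how RBAC picks an entry for a command. The following is an added example, not code from the post or from Solaris; it uses constructed user_attr, prof_attr and exec_attr lines shaped like those shown above, and assumes that the first matching profile in the user's ordered profile list wins (which is what makes profile order matter):

```python
# Added example (not from the post): models how RBAC resolves a command to an
# exec_attr entry through nested profiles= and policy.conf defaults. Assumes the
# first matching profile in the user's ordered list wins, so profile order matters.
from fnmatch import fnmatch

# Constructed sample data modelled on the file lines shown in the post.
PROFS_GRANTED = ["Basic Solaris User"]            # policy.conf PROFS_GRANTED
USER_ATTR = "williama::::profiles=User Management,REBOOT\n"
PROF_ATTR = """User Management:::Manage users and groups:auths=solaris.user.manage
REBOOT:::profile for rebooting:
Basic Solaris User:::Automatically assigned rights:profiles=All
All:::Execute any command as the user or role:
"""
EXEC_ATTR = """User Management:solaris:cmd:::/usr/sbin/useradd:euid=0
User Management:solaris:cmd:::/usr/sbin/usermod:euid=0
REBOOT:solaris:cmd:::/usr/sbin/reboot:euid=0
All:solaris:cmd:::*:
"""

def kv(field):  # trailing 'key=val;key=val' attribute field -> dict
    return dict(p.split("=", 1) for p in field.split(";") if "=" in p)

def load_attr(text):
    """user_attr (user:qual:res1:res2:attr) and prof_attr (name:res1:res2:desc:attr)."""
    rows = (line.split(":", 4) for line in text.splitlines())
    return {r[0]: kv(r[4]) for r in rows}

def load_exec_attr(text):
    """exec_attr rows (name:policy:type:res1:res2:id:attr) as (name, id, attrs)."""
    rows = (line.split(":", 6) for line in text.splitlines())
    return [(r[0], r[5], kv(r[6])) for r in rows]

def effective_profiles(user, user_attr, prof_attr):
    """Ordered profile list: each profile followed by those it nests via profiles=."""
    order = []
    def walk(names):
        for n in names:
            if n and n not in order:
                order.append(n)
                walk(prof_attr.get(n, {}).get("profiles", "").split(","))
    walk(user_attr.get(user, {}).get("profiles", "").split(",") + PROFS_GRANTED)
    return order

def lookup(user, cmd, user_attr, prof_attr, exec_attr):
    """(profile, attrs) of the first exec_attr entry matching cmd, or None."""
    for prof in effective_profiles(user, user_attr, prof_attr):
        for name, path, attrs in exec_attr:
            if name == prof and fnmatch(cmd, path):
                return prof, attrs          # "All" matches "*" but carries no euid
    return None
```

A command outside every granted profile still matches the wildcard entry of "All", but with no euid=0, so it simply runs with the user's own privileges; that is the difference between "may run it" and "may run it as root".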

Using Roles

Another way to achieve the above is through roles: you create a role, allow the user to su to it, and the user then executes the relevant commands as that role.

To start off, the user has no roles.

# roles williama
No roles

Create the 'reboot' role and assign it a password:

# roleadd -m -d /export/home/reboot reboot
# passwd reboot
....

Assign the REBOOT profile (created above) to the role:

# rolemod -P REBOOT reboot

Assign the user the 'reboot' role:

# usermod -R reboot williama
# roles williama
reboot

Now, test.

$ su reboot
...
$ reboot

1 comment:

unixlad said...

I like your blog. I am trying to introduce RBAC into my work environment to replace sudo, but my colleague here doesn't like it and won't let me use it. If you ask me he's a bit behind the times. I think your blog might change his mind.