November 10, 2009

Solaris 10: Playing with RBAC

Posted in Solaris at 10:16 am by alessiodini

Some days ago I used RBAC with Gianluca.
The customer needed a specific profile so that packages could be installed by an ordinary user instead of the administrator (no root login, no shared root password).

These are the steps we followed.

1) We looked at /etc/security/exec_attr and found an existing profile called "Software Installation" (each entry is profile:policy:type:res1:res2:id:attr, and the attr field says the command runs with uid=0):

# grep pkg /etc/security/exec_attr
Software Installation:suser:cmd:::/usr/bin/pkginfo:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgmk:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgproto:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
Software Installation:suser:cmd:::/usr/sbin/pkgadd:uid=0;gid=bin
Software Installation:suser:cmd:::/usr/sbin/pkgask:uid=0
Software Installation:suser:cmd:::/usr/sbin/pkgchk:uid=0
Software Installation:suser:cmd:::/usr/sbin/pkgrm:uid=0;gid=bin

Very good !!

2) We saw roleadd syntax and defaults:

# roleadd
UX: roleadd: ERROR: invalid syntax.
usage: roleadd [-u uid [-o] | -g group | -G group[[,group]…] |-d dir |
-s shell | -c comment | -m [-k skel_dir] | -f inactive |
-e expire | -A authorization [, authorization …] |
-P profile [, profile …] | -K key=value ] login
roleadd -D [-g group | -b base_dir | -f inactive | -e expire
-A authorization [, authorization …] |
-P profile [, profile …]]]

# roleadd -D   <-- shows the default values
group=other,1 project=default,3 basedir=/home
skel=/etc/skel shell=/bin/pfsh inactive=0
expire= auths= profiles=All limitpriv=
defaultpriv= lock_after_retries=

3) we created the role "package" (password: package; the -c comment is Italian for "package installation"):

# roleadd -m -d /export/home/package -c "Installazione pacchetti" -P "Software Installation" package
64 blocks

# passwd package
New Password:
Re-enter new Password:
passwd: password successfully changed for package

# grep package /etc/passwd
package:x:104:1:Installazione pacchetti:/export/home/package:/bin/pfsh

# grep package /etc/user_attr
package::::type=role;profiles=Software Installation
#

4) we created the user pkginst (password: pkginst) and assigned it the "package" role with -R:

# useradd -d /export/home/pkginst -m -R package pkginst
64 blocks
# passwd pkginst
New Password:
Re-enter new Password:
passwd: password successfully changed for pkginst

5) we verified pkginst's role:

# roles pkginst
package

# grep pkginst /etc/user_attr
pkginst::::type=normal;roles=package

6) we switched to pkginst user:

# su - pkginst
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$

7) from the pkginst user we switched to the package role (a role cannot log in directly, and only a user that has the role assigned in user_attr can su to it, even knowing the password):

$ su package
Password:
$

8) we verified the profiles:

$ profiles
Software Installation
Basic Solaris User
All

9) we verified UID and GID (id shows the role's own uid, 104; the uid=0 from exec_attr is applied only to the profile commands when they are run from the profile shell /bin/pfsh):

$ id -a
uid=104(package) gid=1(other) groups=1(other)
$

10) We tried the pkg* commands from the role's profile shell:

$ pkginfo | grep -i core
system SUNWadmc System administration core libraries
system SUNWcakr Core Solaris Kernel Architecture (Root)
system SUNWcar Core Architecture, (Root)
[…]

$ pwd
/tmp/etherdrivers-1.0.8/Packages/i386

$ /usr/sbin/pkgadd -d .

The following packages are available:
1 GEDenetd Garrett’s Solaris Ethernet Drivers
(i386) 1.0.8,REV=2006.10.16.19.30
2 GEDenetm Garrett’s Solaris Ethernet Drivers (Man Pages)
(i386) 1.0.8,REV=2006.10.16.19.30
3 GEDenetu Garrett’s Solaris Ethernet Drivers (Utility and Header)
(i386) 1.0.8,REV=2006.10.16.19.30

Select package(s) you wish to process (or ‘all’ to process
all packages). (default: all) [?,??,q]: q
$

Good!!

One caveat before handing this out: every command in the "Software Installation" profile runs with uid=0, and pkgadd executes the package's own install scripts as root, so whoever holds the package role can install anything at all on the host, including a package whose postinstall script does whatever it likes. The role therefore has to be treated as root-equivalent: give it only to the people who would otherwise get the root password, and keep /etc/user_attr and /etc/security/exec_attr under review.
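Because a role like this is root-equivalent, it is worth being able to answer "which logins can run what as root through RBAC?" without reading the two databases by hand. The script below is an added example, not part of the original post and not a Solaris tool: a POSIX sh audit helper that parses the user_attr and exec_attr formats shown above and, for a given login, follows login -> roles -> profiles -> commands and keeps only the commands whose attr field sets uid=0 or euid=0. The two data blocks are constructed for the example (the "package" role, pkginst and the "Software Installation" entries mirror the post; "exrole", "Example Profile", alice and bob are hypothetical). To run it against a real Solaris host, replace the two variables with the contents of /etc/user_attr and /etc/security/exec_attr.

```shell
#!/bin/sh
# Added audit helper: for a login, list every command it can run as uid 0
# through the roles assigned to it in user_attr and the profiles those
# roles carry in exec_attr. Parses the same two formats shown in the post.

# Constructed sample data (not the real /etc/user_attr or
# /etc/security/exec_attr of any host). "exrole", "Example Profile",
# alice and bob are hypothetical; the rest mirrors the post.
USER_ATTR='package::::type=role;profiles=Software Installation
exrole::::type=role;profiles=Example Profile
pkginst::::type=normal;roles=package
alice::::type=normal;roles=package,exrole
bob::::type=normal'

EXEC_ATTR='Software Installation:suser:cmd:::/usr/bin/pkginfo:uid=0
Software Installation:suser:cmd:::/usr/sbin/pkgadd:uid=0;gid=bin
Software Installation:suser:cmd:::/usr/sbin/pkgrm:uid=0;gid=bin
Example Profile:suser:cmd:::/opt/example/bin/status:
Example Profile:suser:cmd:::/opt/example/bin/restart:euid=0'

# attr_value DATA NAME KEY: value of KEY in the key=value attr field (5th)
# of the user_attr entry NAME; prints nothing if absent.
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == key) {
                    print substr(kv[i], eq + 1)
                    exit
                }
            }
        }'
}

entry_type()    { attr_value "$USER_ATTR" "$1" type; }
user_roles()    { attr_value "$USER_ATTR" "$1" roles; }
role_profiles() { attr_value "$USER_ATTR" "$1" profiles; }

# profile_root_cmds PROFILE: exec_attr cmd entries of PROFILE whose attrs
# set uid=0 or euid=0 (fields: profile:policy:type:res1:res2:id:attr).
profile_root_cmds() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v prof="$1" '
        $1 == prof && $3 == "cmd" && $7 ~ /(^|;)e?uid=0(;|$)/ { print $6 }'
}

# root_cmds_via_roles LOGIN: "role/profile: command" for every root-running
# command reachable through LOGIN's roles. Entries that are not type=role
# are skipped: su to a normal account grants no profile.
root_cmds_via_roles() {
    roles=$(user_roles "$1")
    [ -n "$roles" ] || return 0
    printf '%s\n' "$roles" | tr ',' '\n' | while IFS= read -r role; do
        [ "$(entry_type "$role")" = role ] || continue
        role_profiles "$role" | tr ',' '\n' | while IFS= read -r prof; do
            profile_root_cmds "$prof" | sed "s|^|$role/$prof: |"
        done
    done | sort -u
}

# can_run_as_root LOGIN CMD: exit 0 if CMD is in LOGIN's root-reachable set.
can_run_as_root() {
    root_cmds_via_roles "$1" | awk -F': ' -v c="$2" '$2 == c { f = 1 } END { exit !f }'
}

# count_root_cmds LOGIN: number of root-reachable commands for LOGIN.
count_root_cmds() {
    root_cmds_via_roles "$1" | awk 'END { print NR }'
}

root_cmds_via_roles "${1:-pkginst}"
```

Two limitations to keep in mind when using it on a real system: it does not follow profiles nested through prof_attr (a profile's own profiles= attribute), and it ignores the profiles every user gets from PROFS_GRANTED in /etc/security/policy.conf, which is where the "Basic Solaris User" entry seen in the profiles output above comes from. Neither of those normally grants uid=0, but a complete audit should check them too.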
