RBAC (Role Based Access Control)
/etc/user_attr -- The extended user attributes database, which associates users and roles with
authorizations and rights profiles, supplementing the /etc/passwd, /etc/group,
and /etc/shadow files
/etc/security/prof_attr -- The rights profile attributes database, which defines profiles, lists
the profile’s assigned authorizations and any nested rights profiles,
and identifies the associated help files.
/etc/security/exec_attr -- The execution attributes database, which defines the privileged
commands and scripts assigned to a profile.
/etc/security/auth_attr -- The authorization attributes database, which defines authorizations
and their attributes. This database also identifies the associated
/etc/security/policy.conf -- The file that provides the system default authorizations for users
The /etc/user_attr Database
attr : An optional list of semicolon-separated (;) key=value pairs that describe the security attributes to be applied when the user runs commands. The keys are:
type -- Can be normal or role. A role is assumed after the user has logged in.
auths -- Specifies a list of authorizations chosen from the names defined in the auth_attr DB
profiles -- Specifies a list of profile names chosen from the /etc/security/prof_attr DB
roles -- Specifies a list of role names defined in the same /etc/user_attr DB. Roles are
indicated by setting the type value to role. Roles cannot be assigned to other roles.
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management
The /etc/security/prof_attr Database
attr : The security attributes to apply to the object upon execution. You can specify zero or more keys. The two valid keys are help and auths.
# grep 'Printer Management' /etc/security/prof_attr
Printer Management:::Manage Printers, daemons, \
The Printer Management profile, which is defined in the /etc/security/prof_attr DB, is assigned to the sysadmin role in the /etc/user_attr DB.
The Printer Management profile is defined in the prof_attr DB as having all authorizations whose names begin with the string solaris.admin.printer. assigned to it. These authorizations are defined in the /etc/security/auth_attr DB.
solaris.admin.printer.read:::view printer information::\
The /etc/security/exec_attr Database
name -- Name of the profile
policy -- The security policy associated with this entry. The suser (superuser policy model)
is the only valid policy entry.
type -- The type of entity whose attributes are specified. The only valid type is cmd.
id -- A string identifying the entity. A command should be given as its full path, or as a path with a wildcard.
attr -- The IDs the command runs with: euid or uid, and egid or gid
The /etc/security/auth_attr Database
You can assign authorizations directly to users or roles in the /etc/user_attr DB. You can also assign authorizations to rights profiles, which are in turn assigned to roles.
authname -- A unique character string that identifies the authorization in the prefix.suffix[.] format.
The /etc/security/policy.conf file
This file lets you grant specific rights profiles and authorizations to all users. Two types of entries in the file are
# cat policy.conf
PROFS_GRANTED=Basic Solaris Users
# roleadd -m -d /export/home/tarback -c "Privileged tar backup role" -P "Media Backup,Media Restore" tarback
-A authorization and -P profile -- Assign authorizations and profiles respectively to the role (comma-separated lists).
# rolemod -A auth1,auth2 -P profile1,profile2 role1
Additional Commands Used to Perform RBAC Functions
auths Displays authorizations for a user
makedbm Makes a dbm file
nscd The name service cache daemon, which caches lookups of the four RBAC DBs
pam_roles The PAM account management module for roles (used during authentication)
pfexec Executes a command with the attributes specified in the user's rights profiles; the profile shells do the same for every command run in them
policy.conf The config file for the security policy. Lists the authorizations and profiles granted to all users
profiles Displays profiles for a specified user
roles Displays roles granted to a user
roleadd Adds a role account to the system
rolemod Modifies the role’s account info in the system
roledel Deletes a role’s account from the system
Profile -- Privilege to profile -- Creating Role -- Role to profile -- Role to user
/etc/security/prof_attr -- Contains profile details
Creating profile in prof_attr
uadd:::Profile for user admin:
init:::Profile for init process:
/etc/security/exec_attr -- Privilege to profile
# roleadd -d /export/home/role1 -m role1
# passwd role1
Role to Profile
# rolemod -P uadd,init role1
Adding role to user
# usermod -R role1 user1
/etc/user_attr -- Details about the role, and the user-to-role assignment
Log in as the normal user
Switch to the role and run the privileged command
/etc/security/auth_attr -- The authorization database; configures the authorizations available to users and roles
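The chain above (profile in prof_attr, privileged commands for the profile in exec_attr, role with profiles in user_attr, role assigned to the user) and the attr key=value field format described under the /etc/user_attr Database are what an auditor has to walk to answer "which commands can this user run with elevated IDs?". The script below is an added example, not part of these notes or of Solaris: it writes constructed copies of user_attr and exec_attr (the entries, paths and the role1/user1 names are made up for the example) and resolves user -> roles -> profiles -> commands over them with awk, following the colon-separated layouts of user_attr(4) and exec_attr(4). It reads flat files only: name-service sources, PROFS_GRANTED defaults from policy.conf and nested profiles in prof_attr are not followed.

```sh
#!/bin/sh
# Added example (not from the original notes): walk the RBAC chain
# user -> roles (user_attr) -> profiles (user_attr) -> commands (exec_attr)
# over constructed copies of the databases, so it runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample user_attr (5 fields: user:qualifier:res1:res2:attr):
# user1 is a normal user holding role1; role1 carries two rights profiles.
cat > "$WORK/user_attr" <<'EOF'
user1::::type=normal;roles=role1
role1::::type=role;profiles=uadd,Printer Management
EOF

# Constructed sample exec_attr (7 fields: name:policy:type:res1:res2:id:attr):
# the commands each profile may run and the effective IDs they run with.
cat > "$WORK/exec_attr" <<'EOF'
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/sbin/reject:euid=lp
EOF

# attr_value FILE NAME KEY: value of KEY in the attr field (field 5) of entry NAME.
# The attr field is a ';'-separated list of key=value pairs.
attr_value() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, pairs, ";")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (kv[1] == key) print kv[2]
            }
        }' "$1"
}

# roles_of USER: roles listed in the user's user_attr entry, one per line.
roles_of() {
    attr_value "$WORK/user_attr" "$1" roles | tr ',' '\n'
}

# profiles_of ROLE: rights profiles assigned to the role, one per line.
profiles_of() {
    attr_value "$WORK/user_attr" "$1" profiles | tr ',' '\n'
}

# commands_of PROFILE: "path attr" for every cmd entry of the profile in exec_attr
# (field 1 = profile name, field 3 = type, field 6 = command path, field 7 = attr).
commands_of() {
    awk -F: -v prof="$1" '$1 == prof && $3 == "cmd" { print $6, $7 }' "$WORK/exec_attr"
}

# privileged_cmds_for_user USER: every command the user reaches by assuming one of
# their roles, as "role<TAB>profile<TAB>path attr" lines.
privileged_cmds_for_user() {
    roles_of "$1" | while IFS= read -r role; do
        [ -n "$role" ] || continue
        profiles_of "$role" | while IFS= read -r prof; do
            [ -n "$prof" ] || continue
            commands_of "$prof" | while IFS= read -r line; do
                printf '%s\t%s\t%s\n' "$role" "$prof" "$line"
            done
        done
    done
}

privileged_cmds_for_user user1
```

Running it lists four commands for user1, two with euid=0 from the uadd profile and two with euid=lp from Printer Management; a name with no roles entry (or a role queried as if it were a user) produces no output, which is the check an auditor wants when confirming that a role has not been assigned to the wrong account.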