RBAC Reference

News Role engineering Recommended books Recommended Links Reference Solaris privileges sets Conversion of application accounts to Roles
user_attr prof_attr exec_attr auth_attr policy.conf Solaris Profile Shells  
sudo vs RBAC Emulation of SUDO using Solaris RBAC   ACLs usage is roles Profile Shells Humor Etc

There are three commands that gives information about a particular user account:

docs.sun.com System Administration Guide, Volume 2

Role-based access control (RBAC) is an alternative to the all-or-nothing security model of traditional superuser-based systems. The problem with the traditional model is not just that superuser is so powerful but that other users are not powerful enough to fix their own problems. Like its predecessor sudo, RBAC provides the ability to package superuser privileges for assignment to user accounts.

With RBAC, you can give users the ability to solve their own problems by assigning them packages of the appropriate privileges. Superuser's capabilities can be diminished by dividing those capabilities into several packages and assigning them separately to individuals sharing administrative responsibilities.

RBAC thus enables separation of powers, controlled delegation of privileged operations to other users, and a variable degree of access control. It includes the following features:

RBAC relies on four databases to provide users access to privileged operations:

The /etc/user_attr database supplements the passwd and shadow databases. It contains extended user attributes such as authorizations and execution profiles. It also allows roles to be assigned to a user.

A role is a special type of user account that is intended for performing a set of administrative tasks. It is like a normal user account in most respects except that it has a special shell pfksh and users can gain access to it only through the su command; it is not accessible for normal logins. From a role account, a user can access commands with special attributes, typically root user ID, that are not available to users in normal accounts.

The fields in the user_attr database are separated by colons:

                                        user:qualifier:res1:res2:attr

attr is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands. There are four valid keys: auths, profiles, roles, and type.

Authorizations

An authorization is a user right that grants access to a restricted function. It is a unique string that identifies what is being authorized as well as who created the authorization.

Authorizations are checked by certain privileged programs to determine whether users can execute restricted functionality. For example, the solaris.jobs.admin  authorization is required for one user to edit another user's crontab file.

All authorizations are stored in the auth_attr database. Authorizations may be assigned directly to users (or roles) in which case they are entered in the user_attr database. Authorizations can also be assigned to execution profiles which in turn are assigned to users.

The fields in the auth_attr database are separated by colons:

Profiles

profname:res1:res2:desc:attr

An optional list of key-value pairs separated by semicolons (;) that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. There are two valid keys, help  and auths.

The keyword help  identifies a help file in HTML. Help files can be accessed from the index.html file in the /usr/lib/help/auths/locale/C directory.

auths  specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr(4) database. Authorization names may be specified using the asterisk (*) character as a wildcard.

Attributes

An execution attribute associated with a profile is a command (with any special security attributes) that can be run by those users or roles to whom the profile is assigned. Special security attributes refer to such attributes as UID, EUID, GID, EGID that can be added to a process when the command is run.

The definitions of the execution attributes are stored in the exec_attr database.

The fields in the exec_attr database are separated by colons:

name:policy:type:res1:res2:id:attr

The type of entity whose attributes are specified. Currently, the only valid type is cmd  (command).

attr An optional list of semicolon (;) separated key-value pairs that describe the security attributes to apply to the entity upon execution. Zero or more keys may be specified. The list of valid key words depends on the policy being enforced. There are four valid keys: euid, uid, egid, and gid.

euid  and uid  contain a single user name or a numeric user ID. Commands designated with euid  run with the effective UID indicated, which is similar to setting the setuid  bit on an executable file. Commands designated with uid  run with both the real and effective UIDs.

egid  and gid  contain a single group name or numeric group ID. Commands designated with egid  run with the effective GID indicated, which is similar to setting the setgid  bit on an executable file. Commands designated with gid  run with both the real and effective GIDs.

How to assume role:

To assume a role, use the su command. You cannot log in to a role. For example:

%su my-role Password: my-role-password #

Command Description
auths(1) Display authorizations for a user.
makedbm(1M) Make a dbm  file.
nscd(1M) Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases.
pam_roles(5) Role account management module for PAM. Checks for the authorization to assume role.
pfexec(1) Profile shells, used by profile shells to execute commands with attributes specified in the exec_attr database.
policy.conf(4) Configuration file for security policy. Lists granted authorizations.
profiles(1) Display profiles for a specified user.
roles(1) Display roles granted to a user.
roleadd(1M) Add a role account on the system.
roledel(1M) Delete a role's account from the system.
rolemod(1M) Modify a role's account information on the system.
useradd(1M) Add a user account on the system. The -P option assigns a role to a user's account.
userdel(1M) Delete a user's login from the system.
usermod(1M) Modify a user's account information on the system.