Adapted from an example from the document Role Based Access Control and Secure Shell—A Closer Look At Two Solaris™ Operating Environment Security Features, written by Thomas M Chalfant, Product Technical Support, Americas, Enterprise Server Group, ©Sun Microsystems, Inc. Part of Sun BluePrints™ OnLine—June 2003, www.sun.com/blueprints
This example shows the setup for allowing a user called auser to assume a role called pwadm with an execution profile called PW, which allows auser to run the /usr/bin/passwd command. This command ordinarily requires a real UID of 0 to lock accounts or to reset passwords of other users.
This is the execution profile definition. This file defines which commands (and the user and group IDs they run with) are allowed by this profile:

    # grep PW /etc/security/exec_attr
    PW:suser:cmd:::/usr/bin/passwd:uid=0;gid=1
This is the execution profile description definition. This particular profile contains no authorizations, nor is it based on other profiles (profile nesting allows one profile to be defined as a superset of others):

    # grep PW /etc/security/prof_attr
    PW:::Password Admin:
These are the user and role account definitions. They show that users and roles both appear as ordinary user accounts; note the different shell for the role account (the profile shell, /bin/pfksh):

    # egrep "pwadm|auser" /etc/passwd
    pwadm:x:4321:10::/export/home/pwadm:/bin/pfksh
    auser:x:1234:10::/export/home/auser:/bin/ksh
    # egrep "pwadm|auser" /etc/shadow
    pwadm:Mk1kLHYyvt70v:11268::::::
    auser:dlkKBkbI8lLkj:11268::::::
These are the role and profile assignment definitions. They show the assignment of the role to the user and of the profile to the role:

    # grep pwadm /etc/user_attr
    pwadm::::type=role;profiles=PW
    auser::::type=normal;roles=pwadm
Now restart the name service cache daemon so the new entries are picked up, and try it out:

    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
Now log in as auser and try to lock buser's account:

    $ ssh auser@solarisbox
    auser@solarisbox's password:
    Last login: Mon Jun 23 11:22:33 2003 from 10.0.0.123
    Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
    $ id
    uid=1234(auser) gid=10(staff)
    $ passwd -l buser
    Permission denied
    $ su - pwadm
    Password:
    $ id
    uid=4321(pwadm) gid=10(staff)
    $ passwd -l buser
    $
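The walk through the three RBAC files above (user_attr to roles to profiles to exec_attr) is easy to do by hand for one user and one profile, but an audit of a real box needs it done for every user, following nested profiles= entries. The helper below is an added example, not code from the Sun document; its file contents are constructed samples, and the Ops profile and cuser are hypothetical additions to the page's PW/pwadm/auser setup.

```python
# Added audit helper (not from the Sun document): follow user_attr -> roles -> profiles
# (incl. nested profiles=) -> exec_attr to list what a user can run with uid=0.
# Sample file contents are constructed; the Ops profile and cuser are hypothetical.
USER_ATTR = """\
pwadm::::type=role;profiles=PW
auser::::type=normal;roles=pwadm
cuser::::type=normal;profiles=Ops
"""
PROF_ATTR = """\
PW:::Password Admin:
Ops:::Operator (nests PW):profiles=PW
"""
EXEC_ATTR = """\
PW:suser:cmd:::/usr/bin/passwd:uid=0;gid=1
Ops:suser:cmd:::/usr/sbin/shutdown:uid=0
"""

def records(text):  # colon-separated fields of each non-empty, non-comment line
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]
def parse_attrs(field):  # 'type=role;profiles=PW,Ops' -> {'type': ['role'], 'profiles': ['PW', 'Ops']}
    pairs = [kv.partition("=") for kv in field.split(";") if kv]
    return {k: v.split(",") if v else [] for k, _, v in pairs}
def load_keyed(text):  # user_attr and prof_attr: name in field 1, key=value attrs in field 5
    return {f[0]: parse_attrs(f[4]) for f in records(text)}
def load_exec_attr(text):  # exec_attr fields: name:policy:type:res1:res2:id:attr
    cmds = {}  # profile -> [(command, attrs)]
    for f in records(text):
        cmds.setdefault(f[0], []).append((f[5], parse_attrs(f[6])))
    return cmds

def expand_profiles(names, prof_attr, seen=None):
    # Transitive closure over profiles=, since one profile may include others.
    seen = set() if seen is None else seen
    for name in set(names) - seen:
        seen.add(name)
        expand_profiles(prof_attr.get(name, {}).get("profiles", []), prof_attr, seen)
    return seen

def uid0_commands(user, user_attr, prof_attr, exec_attr):
    # Map each uid=0 command the user can reach to the assignment that grants it:
    # profiles held directly (no prefix), then those gained by assuming a role.
    entry, reach = user_attr.get(user, {}), {}
    sources = [("", entry.get("profiles", []))] + [
        (f"role {r} -> ", user_attr.get(r, {}).get("profiles", [])) for r in entry.get("roles", [])]
    for via, profs in sources:
        for prof in sorted(expand_profiles(profs, prof_attr)):
            for cmd, attrs in exec_attr.get(prof, []):
                if attrs.get("uid") == ["0"]:
                    reach.setdefault(cmd, f"{via}profile {prof}")
    return reach
```

On a live system, read the real /etc/user_attr, /etc/security/prof_attr and /etc/security/exec_attr into the three loaders instead of the sample strings; auser resolves to /usr/bin/passwd only by way of the pwadm role, while a user with nothing assigned resolves to nothing.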