Solaris Role Based Access Control (RBAC)

Setting Up a Password Administration Role

Adapted from an example in the document Role Based Access Control and Secure Shell—A Closer Look At Two Solaris™ Operating Environment Security Features, written by Thomas M Chalfant, Product Technical Support, Americas, Enterprise Server Group, ©Sun Microsystems, Inc.  Part of Sun BluePrints™ OnLine—June 2003.

This example shows the setup for allowing a user called auser to assume a role called pwadm with an execution profile called PW, which allows auser to run the /usr/bin/passwd command.  This command ordinarily requires a real UID of 0 to lock accounts or to reset passwords of other users.

This is the execution profile definition.  The exec_attr file lists the commands a profile grants, together with the user and group IDs those commands run with:

   # grep PW /etc/security/exec_attr

This is the profile description definition in prof_attr.  This particular profile carries no authorizations and does not include any other profiles (a profile may include other profiles, which allows defining one profile as a superset of others):

   # grep PW /etc/security/prof_attr
   PW:::Password Admin:

These are the user and role account definitions.  This shows that users and roles both appear as user accounts; note the different shell for the role account:

   # egrep "pwadm|auser" /etc/passwd
   # egrep "pwadm|auser" /etc/shadow

These are the role and profile assignments.  The user_attr entries show the assignment of roles to users and of profiles to roles:

   # grep pwadm /etc/user_attr
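The three files above form a chain: user_attr says which roles a user may assume and which profiles a role carries, prof_attr describes each profile, and exec_attr says which commands a profile grants and with what IDs.  The script below is an added example, not part of the Sun BluePrint or of Solaris itself: it walks that chain for an account so an administrator can audit who can reach a uid=0 command through which role and profile.  The sample file contents are constructed to match the text (auser, pwadm, PW, /usr/bin/passwd); the field layouts follow the user_attr(4), prof_attr(4) and exec_attr(4) formats, and the files are written to a temporary directory rather than /etc/security.

```shell
#!/bin/sh
# Added example: trace user -> role -> profile -> command through the RBAC databases.
# Sample databases are CONSTRUCTED to mirror the auser/pwadm/PW example in the text.

RBAC_DIR="${RBAC_DIR:-$(mktemp -d)}"

# user_attr format: user:qualifier:res1:res2:attr
cat > "$RBAC_DIR/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*;profiles=All
pwadm::::type=role;profiles=PW
auser::::type=normal;roles=pwadm
buser::::type=normal
EOF

# prof_attr format: profile:res1:res2:description:attr
cat > "$RBAC_DIR/prof_attr" <<'EOF'
PW:::Password Admin:
All:::Execute any command as the user or role:help=RtAll.html
EOF

# exec_attr format: profile:policy:type:res1:res2:id:attr
cat > "$RBAC_DIR/exec_attr" <<'EOF'
PW:suser:cmd:::/usr/bin/passwd:uid=0
All:suser:cmd:::*:
EOF

# Print the value of key=value inside the ;-separated attr field of a user_attr entry.
user_attr_key() { # account key
  awk -F: -v u="$1" '$1==u {print $5}' "$RBAC_DIR/user_attr" \
    | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Roles a user may assume (roles=a,b,c), one per line.
user_roles() { user_attr_key "$1" roles | tr ',' '\n'; }

# Profiles assigned directly to an account (user or role), one per line.
account_profiles() { user_attr_key "$1" profiles | tr ',' '\n'; }

# Human-readable description of a profile from prof_attr.
profile_desc() { awk -F: -v p="$1" '$1==p {print $4}' "$RBAC_DIR/prof_attr"; }

# Commands granted by a profile, as "path:attrs" (attrs e.g. uid=0).
profile_commands() {
  awk -F: -v p="$1" '$1==p && $3=="cmd" {print $6 ":" $7}' "$RBAC_DIR/exec_attr"
}

# Trace every privileged command a user can reach by assuming a role.
# Output: user role profile command attrs   (attrs printed as "-" when empty)
trace_user() {
  user="$1"
  for role in $(user_roles "$user"); do
    # An entry listed under roles= must itself be type=role; flag anything else.
    if [ "$(user_attr_key "$role" type)" != "role" ]; then
      echo "WARN: $role is listed as a role of $user but is not type=role" >&2
      continue
    fi
    for prof in $(account_profiles "$role"); do
      profile_commands "$prof" | while IFS=: read -r cmd attrs; do
        printf '%s %s %s %s %s\n' "$user" "$role" "$prof" "$cmd" "${attrs:--}"
      done
    done
  done
}

# Exit 0 if the user can reach the given command through some role, else 1.
can_reach() { # user command
  trace_user "$1" | awk -v c="$2" '$4==c {found=1} END {exit found ? 0 : 1}'
}

# Usage when run stand-alone: show auser's chain and the PW profile description.
trace_user auser
echo "PW: $(profile_desc PW)"
```

Run as-is, the trace prints `auser pwadm PW /usr/bin/passwd uid=0`, while `can_reach buser /usr/bin/passwd` fails because buser has no roles at all.  The type=role check matters when auditing real systems: a roles= entry pointing at a normal account is a misconfiguration, since roles are meant to be reachable only through su from an assigned user.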

Restart the name service cache daemon so that cached passwd and RBAC database lookups pick up the new entries, then try it out:

   # /etc/init.d/nscd stop
   # /etc/init.d/nscd start

Now log in as auser and try to lock buser's account:

   $ ssh auser@solarisbox
   auser@solarisbox's password:
   Last login: Mon Jun 23 11:22:33 2003 from
   Sun Microsystems Inc. SunOS 5.9 Generic May 2002
   $ id
   uid=1234(auser) gid=10(staff)
   $ passwd -l buser
   Permission denied
   $ su - pwadm
   $ id
   uid=4321(pwadm) gid=10(staff)
   $ passwd -l buser