Solaris Role Based Access Control (RBAC)

Setting Up a Password Administration Role

Adapted from an example from the document Role Based Access Control and Secure Shell—A Closer Look At Two Solaris™ Operating Environment Security Features, written by Thomas M Chalfant, Product Technical Support, Americas, Enterprise Server Group, ©Sun Microsystems, Inc.  Part of Sun BluePrints™ OnLine—June 2003, www.sun.com/blueprints

This example shows the setup for allowing a user called auser to assume a role called pwadm with an execution profile called PW, which allows auser to run the /usr/bin/passwd command.  This command ordinarily requires a real UID of 0 to lock accounts or to reset passwords of other users.

This is the execution profile definition.  This file lists the commands a profile grants and the user and group IDs those commands run with:

   # grep PW /etc/security/exec_attr
   PW:suser:cmd:::/usr/bin/passwd:uid=0;gid=1

This is the profile description entry.  This particular profile contains no authorizations, nor is it built on other profiles (a facility that allows defining one profile as a superset of others):

   # grep PW /etc/security/prof_attr
   PW:::Password Admin:

These are the user and role account definitions.  They show that users and roles both appear as ordinary user accounts; note the profile shell (/bin/pfksh) assigned to the role account:

   # egrep "pwadm|auser" /etc/passwd
   pwadm:x:4321:10::/export/home/pwadm:/bin/pfksh
   auser:x:1234:10::/export/home/auser:/bin/ksh
   # egrep "pwadm|auser" /etc/shadow
   pwadm:Mk1kLHYyvt70v:11268::::::
   auser:dlkKBkbI8lLkj:11268::::::

These are the role and profile assignment definitions, showing the assignment of roles to users and of profiles to roles:

   # grep pwadm /etc/user_attr
   pwadm::::type=role;profiles=PW
   auser::::type=normal;roles=pwadm

Restart the name service cache daemon so that cached lookups do not mask the new entries, then try it out:

   # /etc/init.d/nscd stop
   # /etc/init.d/nscd start

Now log in as auser and try to lock buser's account:

   $ ssh auser@solarisbox
   auser@solarisbox's password:
   Last login: Mon Jun 23 11:22:33 2003 from 10.0.0.123
   Sun Microsystems Inc. SunOS 5.9 Generic May 2002
   $ id
   uid=1234(auser) gid=10(staff)
   $ passwd -l buser
   Permission denied
   $ su - pwadm
   Password:
   $ id
   uid=4321(pwadm) gid=10(staff)
   $ passwd -l buser
   $
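The chain that the session above exercises (user auser -> role pwadm -> profile PW -> /usr/bin/passwd with uid=0) can be resolved from the three attribute files directly.  The following audit helper is an added example, not code from the Sun BluePrint: it parses the page's own user_attr, prof_attr and exec_attr entries (embedded here as constructed strings rather than read from /etc) and reports which commands, and with which UID, a given login can reach either directly or through a role, following nested profs= entries so a superset profile is fully expanded.  It assumes the local files are authoritative and ignores name-service sources such as NIS or LDAP.

```python
# Added audit helper (not from the Sun BluePrint): resolves
# user -> roles -> profiles (following nested profs=) -> exec_attr commands.
# The tables are the page's own entries, embedded as constructed strings
# instead of reading /etc/user_attr and /etc/security/{prof_attr,exec_attr}.
EXEC_ATTR = "PW:suser:cmd:::/usr/bin/passwd:uid=0;gid=1\n"
PROF_ATTR = "PW:::Password Admin:\n"
USER_ATTR = "pwadm::::type=role;profiles=PW\nauser::::type=normal;roles=pwadm\n"


def parse_attrs(field):
    """Split a 'key=val;key=val' attribute field into a dict."""
    return dict(kv.partition("=")[::2] for kv in field.split(";") if kv)


def records(text):
    """Yield the colon-separated fields of each non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


# exec_attr: name:policy:type:res1:res2:id:attr  (a profile may list many commands)
EXECS = {}
for name, _pol, _typ, _r1, _r2, cmd, attr in records(EXEC_ATTR):
    EXECS.setdefault(name, []).append((cmd, parse_attrs(attr)))
# prof_attr: name:res1:res2:desc:attr (attr may carry profs=, auths=)
PROFS = {f[0]: parse_attrs(f[4]) for f in records(PROF_ATTR)}
# user_attr: name:qualifier:res1:res2:attr (attr carries type=, roles=, profiles=)
USERS = {f[0]: parse_attrs(f[4]) for f in records(USER_ATTR)}


def csv(attrs, key):
    """Comma-separated attribute value as a list (empty if absent)."""
    return [v for v in attrs.get(key, "").split(",") if v]


def expand(profiles, seen=None):
    """Close a profile list over nested profs= so superset profiles are walked fully."""
    seen = set() if seen is None else seen
    for prof in profiles:
        if prof not in seen:
            seen.add(prof)
            expand(csv(PROFS.get(prof, {}), "profs"), seen)
    return seen


def reachable(user):
    """(via, profile, command, uid) for every command the user can run, directly or via a role."""
    sources = [(user, USERS.get(user, {}))]
    sources += [(r, USERS.get(r, {})) for r in csv(sources[0][1], "roles")]
    found = []
    for via, attrs in sources:
        for prof in sorted(expand(csv(attrs, "profiles"))):
            for cmd, cattrs in EXECS.get(prof, []):
                found.append((via, prof, cmd, cattrs.get("uid", "caller")))
    return found
```

Running `reachable("auser")` shows the single passwd command reachable only through the pwadm role, while a login with no role assignment (such as buser here) resolves to nothing.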