Role based access control (RBAC)

By John P. Mulligan

This tip is excerpted from John P. Mulligan's Solaris 8 Essential Reference published by New Riders.


Role Based Access Control (RBAC) is a security feature introduced in Solaris 8. Instead of sharing the root password, an administrator creates roles: accounts that cannot be logged into directly but that a user who has been granted the role assumes with su. A role (or an ordinary user) is assigned rights profiles, and a profile bundles authorizations with commands that a profile shell (pfsh, pfcsh, pfksh) runs with a specified real or effective UID or GID; this is how a role gets set-UID-like access to particular applications without the user ever being root. Authorizations are defined in /etc/security/auth_attr; /etc/user_attr records which users and roles hold authorizations, profiles and roles; /etc/security/prof_attr defines the profiles; /etc/security/exec_attr lists the commands each profile may run and with which IDs; and /etc/security/policy.conf supplies the site-wide defaults (AUTHS_GRANTED, PROFS_GRANTED). The main commands used to manage roles are roleadd, rolemod, roledel, and roles.

roleadd - /usr/sbin/roleadd
Add a new role to the system. The /etc/passwd, /etc/shadow, and /etc/user_attr files are modified (the role's user_attr entry is written with type=role). Option arguments are limited to 512 characters. A new role cannot be assumed until it has been given a password with passwd.
Option          Description
-A auth         Grant the role the specified authorization(s). Multiple
                authorizations can be given as a comma-delimited list.
-b basedir      Set the base directory used to build the role's home directory
                (basedir/role) when the -d option is not given.
-c comment      Set a short text description of the role, placed in /etc/passwd.
-d homedir      Set the home directory of the new role.
-D              If this option is used with no other options, the default
                values for group, base directory, skeleton directory, shell,
                inactivity limit, and expiration date are shown. If it is given
                with the -g, -b, or -f options, the default values of those
                options are changed.
-e expire       Set the expiration date for the role, after which it can no
                longer be assumed.
-f days         Set the number of days of inactivity allowed before the role is
                invalidated.
-g group        Set the primary group for the role.
-G group        Set the supplementary group(s) for the role.
-k skeletondir  Copy the skeleton information in the specified directory into
                the new home directory (used with -m).
-m              Create the role's home directory if it does not already exist.
-o              Allow the UID given with -u to duplicate an existing UID.
-P profile      Assign the specified rights profile(s) to the role. Multiple
                profiles can be given as a comma-delimited list.
-s shell        Set the role's login shell. Use a profile shell (/bin/pfsh,
                /bin/pfcsh, or /bin/pfksh) so that the commands in the role's
                profiles run with the attributes recorded in exec_attr.
-u uid          Set the UID of the role.
roledel - /usr/sbin/roledel
This command deletes a role from the RBAC system, removing the account entries that roleadd created. Users who were granted the role keep a dangling roles= entry in /etc/user_attr until it is cleaned up with usermod -R.
Option  Description
-r      Remove the role's home directory along with the role. All files in the
        directory are permanently deleted, so check the directory for files
        that are still needed before using this option.
rolemod - /usr/sbin/rolemod
The rolemod utility modifies an existing role's login information and RBAC attributes. All option arguments must be less than 512 characters. Note that -A and -P replace the role's current authorization and profile lists rather than adding to them, so include the existing entries in the new list when the intent is to add one.
Option      Description
-A auth     Replace the role's authorizations with the specified ones. Multiple
            authorizations can be specified as a comma-delimited list.
-c comment  Set the comment stored with the role's entry in /etc/passwd.
-d homedir  Set the role's home directory.
-e expire   Set a role expiration date using any format in /etc/datemsk.
-f days     Set a maximum number of days of inactivity. After this number of
            days has been exceeded, the role is invalidated.
-g group    Set the role's primary group membership. The group can be
            specified as a group ID or the group name.
-l login    Change the login name for the role to the one specified.
-m          Move the role's current home directory to the directory specified
            by the -d option.
-o          Allow the UID given with -u to duplicate an existing UID.
-P profile  Replace any existing profile settings with the specified
            profile(s), given as a comma-delimited list.
-s shell    Set the shell for the role. The shell must be specified with its
            full path; keep it a profile shell (pfsh, pfcsh, pfksh) or the
            commands in the role's profiles will not run with their exec_attr
            attributes.
-u uid      Change the role's UID to the one specified.
roles - /usr/bin/roles
The roles utility shows the roles granted to the given user or users, as recorded in the roles= attribute of their /etc/user_attr entries. Multiple users can be checked at a time by giving multiple usernames (separated by spaces) on the command line. If no username is specified, the roles of the user executing the command are shown. All output is sent to standard output. A listed role is one the user may assume with su; until the user does so, the role's authorizations and profiles do not apply to the user's own session. Valid roles are stored in the /etc/user_attr file (entries with type=role).



This was first published in May 2001
