Role based access control (RBAC)
By John P. Mulligan

This tip is excerpted from John P. Mulligan's Solaris 8 Essential Reference published by New Riders.


Role Based Access Control (RBAC) is a new security feature in Solaris 8. Instead of handing out the root password, an administrator creates "roles": special accounts that cannot be logged into directly but that an authorized user can assume with su. A role is granted execution profiles and authorizations; a profile can specify that particular commands run under a different UID or GID, which gives the effect of setuid without installing a setuid binary. The RBAC databases are /etc/user_attr (users and roles, with the roles, profiles and authorizations assigned to each), /etc/security/auth_attr (authorization definitions), /etc/security/prof_attr (execution profiles), /etc/security/exec_attr (the commands in each profile and the UID/GID they run with), and /etc/security/policy.conf (authorizations and profiles granted to every user). When a command checks an authorization, it is looked up in the user's own user_attr entry, in the profiles assigned there, and in policy.conf. The main commands used to manage roles are roleadd, rolemod, roledel, and roles.

roleadd - /usr/sbin/roleadd
Add a new role to the system. Entries for the role are created in /etc/passwd, /etc/shadow, and /etc/user_attr (with type=role). Option arguments are limited to 512 characters. A role cannot be logged into directly: assign it to users with useradd -R or usermod -R, and those users assume it with su.
Option          Description
-A auth         Grant the role one or more authorizations, given as a
                comma-delimited list.
-b basedir      Set the base directory used for the role's home directory
                if the -d option is not given.
-c comment      Set a short text description of the role, placed in /etc/passwd.
-d homedir      Set the home directory of the new role.
-D              If this option is used with no other options, the default
                values for group, base directory, skeleton directory, shell,
                inactivity limit, and expiration date are shown. If it is
                given with the -g, -b, or -f options, the default values of
                the respective options are changed.
-e expire       Set the expiration date for the role.
-f days         Set the number of days of inactivity after which the role
                is invalidated.
-g group        Set the primary group for the role.
-G group        Set the supplementary group for the role.
-k skeletondir  Use the skeleton information in the specified directory when
                creating the new role's home directory.
-m              Create a new home directory for the role if one does not exist.
-o              Allow duplicate UIDs.
-P profile      Assign the role one or more execution profiles, given as a
                comma-delimited list.
-s shell        Set the role's login shell. Use one of the profile shells
                (/bin/pfsh, /bin/pfcsh, or /bin/pfksh); any other shell ignores
                the UID/GID attributes of the commands in the role's profiles.
-u uid          Set the UID of the role.
roledel - /usr/sbin/roledel
Delete a role from the RBAC system. The role's entries in /etc/passwd, /etc/shadow, and /etc/user_attr are removed.
Option	Description
-r	Remove the role's home directory along with the role. All files in the 
        directory are permanently deleted.
rolemod - /usr/sbin/rolemod
The rolemod utility modifies an existing role. All option arguments must be less than 512 characters. Note that -A and -P replace the role's current authorization and profile lists rather than appending to them, so re-specify the entries you want to keep.
Option      Description
-A auth     Set the role's authorizations. Multiple authorizations can be
            specified as a comma-delimited list; the list replaces any
            existing authorizations.
-c comment  Set the comment stored with the role's entry in /etc/passwd.
-d homedir  Set the role's home directory.
-e expire   Set a role expiration date using any format in /etc/datemsk.
-f days     Set the maximum number of days of inactivity. After this number of
            days has been exceeded, the login is invalidated.
-g group    Set the role's primary group. The group can be specified as a
            group ID or a group name.
-l login    Change the login name for the role to the one specified.
-m          Move the role's current home directory to the directory specified
            by the -d option.
-o          Allow duplicate UIDs.
-P profile  Set the role's execution profiles as a comma-delimited list; the
            list replaces any existing profile setting.
-s shell    Set the shell for the role. The shell must be specified with its
            full path and should be one of the profile shells.
-u uid      Change the role's UID to the one specified.
roles - /usr/bin/roles
The roles utility shows the roles that have been assigned to the given user or users (the roles= attribute of each user's /etc/user_attr entry). Multiple users can be checked at a time by giving multiple usernames, separated by spaces, on the command line. If no username is given, the roles of the user running the command are shown. Output goes to standard output. The roles themselves are also defined in /etc/user_attr, as entries with type=role. A user assumes an assigned role with su rolename, supplying the role's password rather than their own, and from then on works in the role's profile shell with the role's profiles and authorizations; the user's own account never acquires them.
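The lookup chain described in the introduction (a user's own user_attr entry, then the profiles named there in prof_attr, then the defaults in policy.conf) and the output of roles, shown as an added example that is not from the book: a POSIX shell script that writes constructed copies of the three databases into a temporary directory and resolves authorizations over them the way chkauthattr(3SECDB) does on a real host. The function names (attr_value, list_roles, is_role, user_auths, has_auth), the sample accounts and the profile contents are this example's own assumptions; the roleadd and usermod lines quoted in the comments are the commands that would produce the equivalent entries on Solaris 8.

```shell
#!/bin/sh
# Added example (not from the book): a small re-implementation of the RBAC
# authorization lookup that Solaris 8 performs with chkauthattr(3SECDB),
# run over constructed copies of the three databases involved.
# Function names, accounts and profile contents are this example's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/user_attr. Field 5 is a ';'-separated list of key=value
# pairs. "secadmin" is a role (type=role) and "alice" has been assigned it
# (roles=secadmin), as "roleadd -P 'User Management,All' secadmin" followed
# by "usermod -R secadmin alice" would record it.
cat > "$WORK/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
secadmin::::type=role;profiles=User Management,All
alice::::type=normal;roles=secadmin;auths=solaris.device.mount
bob::::type=normal
EOF

# Constructed /etc/security/prof_attr: profile, reserved, reserved,
# description, attributes. Only the auths= attribute matters here.
cat > "$WORK/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
User Management:::Manage users and groups:auths=solaris.profmgr.read,solaris.admin.usermgr.read,solaris.admin.usermgr.write;help=RtUserMngmnt.html
Basic Solaris User:::Rights granted to every user:auths=solaris.profmgr.read,solaris.admin.usermgr.read;help=RtDefault.html
EOF

# Constructed /etc/security/policy.conf: grants that apply to everyone.
cat > "$WORK/policy.conf" <<'EOF'
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
EOF

# attr_value FILE NAME KEY: print the value of KEY in the attribute field
# (the last ':'-separated field) of NAME's entry in FILE, or nothing.
attr_value() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == key) {
                    print substr(kv[i], eq + 1)
                    exit
                }
            }
        }' "$1"
}

# list_roles NAME: the roles assigned to a user, as roles(1) reports them.
list_roles() { attr_value "$WORK/user_attr" "$1" roles; }

# is_role NAME: true if NAME is a role account rather than a normal user.
is_role() { [ "$(attr_value "$WORK/user_attr" "$1" type)" = role ]; }

# user_auths NAME: every authorization NAME holds, one per line, collected from
#   1. auths= in its own user_attr entry,
#   2. auths= of each profile listed in its profiles= entry (prof_attr),
#   3. AUTHS_GRANTED and the profiles in PROFS_GRANTED from policy.conf.
# Roles listed in roles= are deliberately NOT expanded: their rights apply
# only after the user has assumed the role with su.
user_auths() {
    direct=$(attr_value "$WORK/user_attr" "$1" auths)
    profs=$(attr_value "$WORK/user_attr" "$1" profiles)
    pol_auths=$(sed -n 's/^AUTHS_GRANTED=//p' "$WORK/policy.conf")
    pol_profs=$(sed -n 's/^PROFS_GRANTED=//p' "$WORK/policy.conf")
    prof_auths=
    oldifs=$IFS
    IFS=,   # profile names contain spaces, so split the lists on commas only
    for p in $profs $pol_profs; do
        prof_auths="$prof_auths,$(attr_value "$WORK/prof_attr" "$p" auths)"
    done
    IFS=$oldifs
    printf '%s\n' "$direct,$prof_auths,$pol_auths" | tr ',' '\n' | sed '/^$/d' | sort -u
}

# has_auth NAME AUTH: exit 0 if AUTH is granted to NAME. A granted entry of the
# form "prefix.*" (for example solaris.*) covers every authorization under that
# prefix. The loop runs in the pipeline's subshell, so exit sets the result.
has_auth() {
    user_auths "$1" | {
        while IFS= read -r g; do
            case $g in
                \*)   exit 0 ;;
                *.\*) prefix=${g%\*}
                      case $2 in "$prefix"*) exit 0 ;; esac ;;
                *)    [ "$g" = "$2" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}

# Show who may modify accounts. alice has the secadmin role assigned, but until
# she runs "su secadmin" she holds only her own authorizations.
for who in root alice secadmin bob; do
    printf '%-8s roles=%-8s type=%-6s auths: %s\n' "$who" "$(list_roles "$who")" \
        "$(attr_value "$WORK/user_attr" "$who" type)" "$(user_auths "$who" | tr '\n' ' ')"
    if has_auth "$who" solaris.admin.usermgr.write; then
        echo "         -> may modify user accounts"
    else
        echo "         -> may NOT modify user accounts"
    fi
done
```

Run it with sh. The line to notice is alice's: list_roles reports secadmin for her, but has_auth refuses solaris.admin.usermgr.write until she has assumed the role with su secadmin, which is exactly why assigning a role is safer than granting the matching authorizations to the user directly.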

To learn more about Solaris 8 Essential Reference, or to buy the book, go here.



This was first published in May 2001
