Role based access control (RBAC)
By John P. Mulligan
This tip is excerpted from John P. Mulligan's Solaris 8 Essential Reference published by New Riders.
Role Based Access Control (RBAC) is a new security feature in Solaris 8. RBAC lets administrators create "roles" that users can assume. A role carries specific privileges, including running applications setuid, so those privileges need not be granted to a user's ordinary account. Authorizations are defined in the /etc/auth_attr file and are checked against the user_attr, prof_attr, and policy.conf files. The main commands for managing the RBAC system are roleadd, roledel, rolemod, and roles.
- roleadd - /usr/bin/roleadd
- Add a new role to the system. The /etc/passwd, /etc/shadow, and /etc/user_attr files are modified. Option arguments are limited to 512 characters.
| Option | Description |
|---|---|
| -b basedir | Set the base directory for the system, used if the -d option is not given. |
| -c comment | Set a short text description of the role, placed in /etc/passwd. |
| -d homedir | Set the home directory of the new role. |
| -D | With no other options, show the default values for group, base directory, skeleton directory, shell, inactivity limit, and expiry date. Combined with -g, -b, or -f, change the default value of the respective option. |
| -e expire | Set the expiration date for the role. |
| -f days | Set the number of days of inactivity before the role is invalidated. |
| -g group | Set the primary group for the role. |
| -G group | Set the supplementary group for the role. |
| -k skeletondir | Use the skeleton information in the specified directory when creating the new role. |
| -m | Create the role's home directory if it does not already exist. |
| -o | Allow duplicate UIDs. |
| -s shell | Set the role's login shell. |
| -u uid | Set the UID of the role. |
- roledel - /usr/bin/roledel
- This command is used to delete roles from the RBAC system.
| Option | Description |
|---|---|
| -r | Remove the role's home directory along with the role. All files in the directory are permanently deleted. |
- rolemod - /usr/bin/rolemod
- The rolemod utility is used to modify a role used in the RBAC system. All option arguments must be less than 512 characters.
| Option | Description |
|---|---|
| -A auth | Use the specified authorization. Multiple authorizations can be given as a comma-delimited list. |
| -c comment | Set a comment to be stored with the role's entry in /etc/passwd. |
| -d homedir | Set the role's home directory. |
| -e expire | Set a role expiration date, in any format listed in /etc/datemsk. |
| -f days | Set a maximum number of days of inactivity. Once this number of days is exceeded, the login is invalidated. |
| -g group | Set the role's primary group membership, given as a group ID or a group name. |
| -l login | Change the login name of the role to the one specified. |
| -m | Move the role's current home directory to the directory given by the -d option. |
| -o | Allow duplicate UIDs. |
| -p profile | Replace any existing profile settings with the specified profile. |
| -s shell | Set the shell for the role, specified with its full path. |
| -u uid | Change the role's UID to the one specified. |
- roles - /usr/bin/roles
- The roles utility shows the granted roles of the given user or users. Multiple users can be checked at a time by giving multiple usernames (separated by spaces) on the command line. If no username is specified, the roles of the user executing the command are shown. All output is sent to standard output. Valid roles are stored in the /etc/user_attr file.
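As an added example (not from the book), a small Python audit that parses a constructed user_attr file in the user_attr(4) layout assumed here (user:qualifier:res1:res2:attr, with attr a semicolon-separated list of key=value pairs), reproduces what `roles` reports for a user, and flags roles= entries that name an undefined account or an account that is not type=role:

```python
# Constructed sample in user_attr(4) layout (user:qualifier:res1:res2:attr); not from a real host.
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::auths=solaris.*,solaris.grant;profiles=All
useradmin::::type=role;auths=solaris.admin.usermgr.pswd;profiles=User Management
backup::::type=role;profiles=Media Backup
alice::::type=normal;roles=useradmin
bob::::type=normal;roles=useradmin,backup
carol::::type=normal;roles=netadmin
dave::::type=normal;roles=alice
"""
def parse_user_attr(text):
    """Return {name: {key: value}} for each entry; attr is a ';'-separated key=value list."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess at its meaning
        attrs = {}
        for kv in filter(None, fields[4].split(";")):
            key, _, value = kv.partition("=")
            attrs[key] = value
        entries[fields[0]] = attrs
    return entries

def roles_of(entries, user):
    """Emulate `roles <user>`: the roles granted in the user's roles= attribute."""
    return [r for r in entries.get(user, {}).get("roles", "").split(",") if r]

def audit_role_refs(entries):
    """Flag roles= values naming an account that is undefined or not type=role."""
    findings = []
    for user in entries:
        for role in roles_of(entries, user):
            target = entries.get(role)
            if target is None:
                findings.append(f"{user}: role '{role}' is not defined in user_attr")
            elif target.get("type", "normal") != "role":
                findings.append(f"{user}: '{role}' is type={target.get('type', 'normal')}, not a role")
    return findings

if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    for user in ("alice", "bob", "root"):
        print(f"{user}: {','.join(roles_of(db, user)) or '(none)'}")
    for finding in audit_role_refs(db):
        print("WARNING", finding)
```

Run against a copy of a real /etc/user_attr, the two warnings are the cases worth chasing: a user granted a role that does not exist, and a user granted an ordinary account as if it were a role.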