Adding RBAC Authorizations
Copyright 2006, Sun Microsystems, Inc
| Field | Value |
|---|---|
| Category | Software.RBAC |
| Owner | SAC |
| Author | Gary Winiger |
| Changes | Gary.Winiger@Sun.COM |
| Authority | SAC |
| Policy Version | 1.0 |
| Status | DRAFT 2006/06/22 |
| Effective | Solaris 2.10 |

HOWTO guide for adding RBAC authorizations
Advice
You might need to add new authorizations to be used by a new command, a modified command, a new smf(5) manifest, or a modified smf(5) manifest. See auth_attr(4) and /etc/security/auth_attr.
Adding a new authorization from ON
- Review the existing authorizations to determine whether there is already a hierarchy into which this authorization falls, and determine the authorization name within that hierarchy. If there is no existing category, create one. For example, solaris.foo. and solaris.foo.bar. for the solaris.foo.bar.baz authorization.
- Modify $SRC/lib/libsecdb/auth_attr.txt.
- Create a simple HTML help file in $SRC/lib/libsecdb/help/auths and update the Makefile. Use an existing help file for the HTML syntax and describe help for the profile that you've just created.
- Update the help file packages SUNWcsu and SUNW0on:
    in SUNWcsu/prototype_com:   f none usr/lib/help/auths/locale/C/<authhelp>.html 444 root bin
    in SUNW0on/prototype_com:   f none usr/lib/help/auths/locale/<authhelp>.html 444 root bin
  N.B. the difference between the paths ("C" -vs- none).
- If authorizations are to be added to an existing Rights Profile, modify the $SRC/lib/libsecdb/prof_attr.txt line for the existing profile, adding the authorization to the auths= keyword of the attribute field. Be aware that other gates may also deliver prof_attr entries. In the admin gate, profiles are in:
    .../src/bundled/app/drm/rbac/security/prof_attr
    .../src/bundled/app/wbem/solaris/rbac/security/prof_attr
    .../src/bundled/app/webmgt/webconsole/conf/prof_attr
  The CDE gate profiles are in .../cdesrc/cde1/rbac/security/prof_attr
  If a new Rights Profile is needed, follow the directions for creating and delivering a new Rights Profile (without adding commands to exec_attr).
Adding a new authorization from other consolidations:
- As above.
- Modify an existing source or create a new source that will deliver auth_attr into the consolidation's /etc/security/auth_attr. See step 2 above for source structuring. The package that delivers auth_attr should do so through the i.rbac class action script. That script is delivered by ON and should not be delivered by any other consolidation. The package prototype line should read:
    e rbac etc/security/auth_attr 644 root sys
- As above.
- As above.
- If authorizations are to be added to an existing Rights Profile, the ON profiles are in .../usr/src/lib/libsecdb/prof_attr.txt. Be aware that other gates may also deliver prof_attr entries. In the admin gate, profiles are in:
    .../src/bundled/app/drm/rbac/security/prof_attr
    .../src/bundled/app/wbem/solaris/rbac/security/prof_attr
    .../src/bundled/app/webmgt/webconsole/conf/prof_attr
  The CDE gate profiles are in .../cdesrc/cde1/rbac/security/prof_attr
  The consolidation's /etc/security/prof_attr should contain a line for the existing profile with the authorization added to the auths= keyword of the attribute field.
  If a new Rights Profile is needed, follow the directions for creating and delivering a new Rights Profile (without adding commands to exec_attr).
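Both procedures above end with hand-edited auth_attr and prof_attr lines, and the usual slips are a leaf authorization whose heading entries (solaris.foo., solaris.foo.bar.) were never added, a missing help= file, or a profile whose auths= names an authorization that does not exist. The checker below is an added example, not part of the ON source or this HOWTO; it follows the auth_attr(4) and prof_attr(4) field layouts, and the sample entries (solaris.foo.bar.baz, Foo Management) are constructed.

```python
"""Consistency check for new auth_attr(4) entries and the prof_attr(4) lines
that grant them. Added example, not ON code; sample lines are constructed."""

# Constructed sample: hierarchy headings plus the new leaf authorization.
AUTH_ATTR = """\
solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
solaris.foo.:::Foo Header::help=FooHeader.html
solaris.foo.bar.:::Foo Bar Header::help=FooBarHeader.html
solaris.foo.bar.baz:::Manage Foo Bar Baz::help=FooBarBaz.html
"""

# Constructed sample: a profile granting the new authorization and a typo'd one.
PROF_ATTR = """\
Foo Management:::Manage foo:auths=solaris.foo.bar.baz,solaris.foo.qux;help=RtFooMngmnt.html
"""


def parse_attr(attr):
    """Split the 'key=val;key=val' attribute field into a dict."""
    return dict(kv.partition("=")[::2] for kv in attr.split(";") if kv)


def parse_table(text, nfields):
    """Yield (name, attrs) for each non-comment line of a colon-separated table."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        yield fields[0], parse_attr(fields[-1])


def check(auth_text=AUTH_ATTR, prof_text=PROF_ATTR):
    """Return a list of problems; an empty list means the entries are consistent."""
    auths = dict(parse_table(auth_text, 6))   # name:res1:res2:short:long:attr
    problems = []
    for name, attrs in auths.items():
        if "help" not in attrs:
            problems.append(f"{name}: no help= file")
        parts = name.rstrip(".").split(".")
        # Every ancestor heading (solaris., solaris.foo., ...) must be defined.
        for depth in range(1, len(parts)):
            heading = ".".join(parts[:depth]) + "."
            if heading not in auths:
                problems.append(f"{name}: missing heading {heading}")
    leaves = [n for n in auths if not n.endswith(".")]
    for prof, attrs in parse_table(prof_text, 5):   # name:res1:res2:desc:attr
        for a in filter(None, attrs.get("auths", "").split(",")):
            # A trailing '*' grants a whole subtree; it must match some real leaf.
            if a.endswith("*"):
                defined = any(n.startswith(a[:-1]) for n in leaves)
            else:
                defined = a in auths
            if not defined:
                problems.append(f"{prof}: auths= names undefined {a}")
    return problems
```

Run `check()` on the real auth_attr.txt and prof_attr.txt contents before putting back the change; it reports the typo'd solaris.foo.qux in the constructed sample.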
CaseHistory
| Case | Type | Name |
|---|---|---|
| PSARC/1997/332 | OnePager | Execution Profiles for Restricted Environments |
| PSARC/2002/188 | OnePager | Least Privilege for Solaris |
References
HOWTO guide for SUID -vs- RBAC
HOWTO guide for adding RBAC Rights Profiles
RBAC Whitepaper
Authorization Infrastructure in Solaris - Developer Connection
on 2009/10/26 12:07