Building RBAC Rights Profiles
Copyright 2006, Sun Microsystems, Inc
| Table of Contents | Overview | BestPractice Synopsis | |
Advice CaseHistory References | |||
| Category | Software.RBAC | ||
| Owner | SAC | ||
| Author | Gary Winiger | ||
| Changes | Gary.Winiger@Sun.COM | ||
| Authority | SAC | ||
| Policy Version | 1.0 | ||
| Status | DRAFT 2006/01/16 | ||
| Effective | Solaris 2.10 | ||
| HOWTO guide for adding RBAC Rights Profiles | |||
Advice
You might need to build a Rights Profile from scratch if there is not already one that seems appropriate. First check the current ON gate .../usr/src/lib/libsecdb/prof_attr.txt prof_attr(4) contains the names of the current Rights Profiles, see the short description and the contents of the matching .../usr/src/lib/libsecdb/exec_attr.txt (exec_attr(4)) entries to see if it is a match for your needs. If it is, your can add to it. Generally you would not add authorizations to existing Rights Profiles unless you are adding authorizations in the same family. I.e., if new Audit authorizations are added to solaris.audit.*, then they would be candidates to add to the "Audit Control" profile. See http://sac.eng/cgi-bin/bp.cgi?NAME=RBAC.bp for guidance about suid programs and authorizations.
Authorizations should be assigned to Rights Profiles in prof_attr(4) an auths
list and the Rights Profile assigned to a user via the profs= list in user_attr(4), rather than the obsolete use of auths= in user_attr(4). If you need to build a Rights Profile from scratch, here's a suggestion on how to proceed.
Adding a new Rights Profile which contains commands to ON
- Pick a Rights Profile Name that doesn't conflict with a current name. Note there is more than one place that profiles are found. ON profiles are in ..../usr/src/lib/libsecdb/prof_attr.txt. Be aware that other gates may also deliver prof_attr entries. In the admin gate profiles are in.../src/bundled/app/drm/rbac/security/prof_attr.../src/bundled/app/wbem/solaris/rbac/security/prof_attr.../src/bundled/app/webmgt/webconsole/conf/prof_attr
The the CDE gate profiles are in.../cdesrc/cde1/rbac/security/prof_attr
For this example, name the Rights Profile "Xx Yy Zz" - Add a line (alphabetically would be nice ;-) to prof_attr that reads:Xx Yy Zz:::Short Description:help=RtXxYyZz.html
- For Solaris 10 and later releases, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read:Xx Yy Zz:solaris:cmd:::<full path to command>:<attributes>
such that the <attributes> take on the least privileged values needed to do the function, choose from privs=<privilege set>, limitprivs=<privilege set>, euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see privileges(5), exec_attr(4)).
For systems prior to Solaris 10 only, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read:Xx Yy Zz:suser:cmd:::<full path to command>:<attributes>
such that the <attributes> take on the least privileged value needed to do the function, choose from euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see exec_attr(4)). - Create a simple HTML help file in .../lib/libsecdb/help/profiles. The file name for this example is RtXxYyZz.html. Update the Makefile. Use an existing help file for the HTML syntax and describe help for the profile that you've just created.
- Update the help file packages SUNWcsu, SUNW0on. in SUNWcsu/prototype_comf none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin
in SUNW0on/prototype_comf none usr/lib/help/profiles/locale/RtXxYyZz.html 444 root bin
N.B. The difference between the paths ("C" -vs- none).
- Pick a Rights Profile Name that doesn't conflict with a current name. Note there is more than one place that profiles are found. ON profiles are in ..../usr/src/lib/libsecdb/prof_attr.txt. Be aware that other gates may also deliver prof_attr entries. In the admin gate profiles are in
Adding commands to an existing Rights Profile to ON:
- Pick an existing Rights Profile which matches the commands to be added. For this example call it "Xx Yy Zz"
- For Solaris 10 and later releases, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read:Xx Yy Zz:solaris:cmd:::<full path to command>:<attributes>
such that the <attributes> take on the least privileged values needed to do the function, choose from privs=<privilege set>, limitprivs=<privilege set>, euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see privileges(5), exec_attr(4)).
For systems prior to Solaris 10 only, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read:Xx Yy Zz:suser:cmd:::<full path to command>:<attributes>
such that the <attributes> take on the least privileged value needed to do the function, choose from euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see exec_attr(4)).
Adding a new Rights Profile to other gates
- Do pretty much the same steps with local sources for prof_attr and exec_attr.
If this is the first Rights Profile for this gate, the prof_attr and exec_attr files should use the rbac class action script and deliver into /etc/security/{prof,exec}_attr. I.e., in prototype_com:e rbac etc/security/prof_attr 644 root sys
HTML help files should be delivered by the ``usr'' and ``globalization'' (G11N) packages (as equivalent to SUNWcsu, SUNW0on)
in SUNW``usr''/prototype_comf none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin
in SUNW0``G11N''/prototype_comf none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin
- Do pretty much the same steps with local sources for prof_attr and exec_attr.
CaseHistory
| Case | Type | Name |
|---|---|---|
| PSARC/1997/332 | OnePager | Execution Profiles for Restricted Environments |
| PSARC/2002/188 | OnePager | Least Privilege for Solaris |
References
RBAC in the Solaris[tm] Operating Environment - White Paper
Authorization Infrastructure in Solaris - Developer Connection
on 2009/10/26 12:07