Role-Based Access Control (RBAC) is a built-in security feature of Solaris that lets administrative capabilities, such as those of a system administrator, network administrator or operator, be packaged into roles and assigned to individual users. With RBAC, the superuser creates one or more roles, each based on a rights profile, and then assigns those roles to the users who are trusted to perform the tasks of the role.
A role is a special identity for running privileged applications or commands that can be assumed only by the users it is assigned to. A rights profile is a collection of privileges that can be assigned to a role or a user (for example Primary Administrator, System Administrator or Printer Management). An authorization is a permission that you can assign to a role or a user.
A profile shell is a special type of shell that gives access to the privileged applications assigned to the profile. The profile shells are pfsh, pfksh, and pfcsh.
RBAC Files
RBAC Files | Descriptions |
---|---|
/etc/user_attr | The extended user attributes database, which associates users and roles with authorizations and right profiles in addition to the /etc/passwd, /etc/group, and /etc/shadow files |
/etc/security/prof_attr | The rights profile attributes database, which defines profiles, lists the profile’s assigned authorizations and any nested rights profiles, and identifies the associated help files. |
/etc/security/exec_attr | The execution attributes database, which defines the privileged commands and scripts assigned to a profile. |
/etc/security/auth_attr | The authorization attributes database, which defines authorizations and their attributes. This database also identifies the associated help file. |
/etc/security/policy.conf | Provides the system default authorizations for users. |
RBAC Commands
Commands | Descriptions |
---|---|
auths | Displays authorizations for a user |
makedbm | Makes a dbm file |
nscd | The name service cache daemon. Useful for caching the four RBAC databases |
pam_roles | The role account management module for the pluggable authentication modules (PAM) framework |
pfexec | The profile shell front end used to execute commands with the attributes specified in exec_attr |
policy.conf | Identifies the config file for the security policy. Lists granted authorization |
profiles | Displays profiles for a specified user |
roles | Displays roles granted to a user |
roleadd | Adds a role account to the system |
rolemod | Modifies the role’s account info in the system |
roledel | Deletes a role’s account from the system |
Now let us look at the syntax of each RBAC database, with a brief description of its fields.
/etc/user_attr Database :-
Syntax :- user:qualifier(reserved):res1(reserved):res2(reserved):attr
Examples :-
```
role1::::type=role;profiles=uadd,init
oraadm::::type=normal;roles=role1
```
Attributes | Descriptions |
---|---|
user | The name of the user or role as specified in the passwd database. |
qualifier | Reserved for future use. |
res1 | Reserved for future use. |
res2 | Reserved for future use. |
attr | An optional list of semicolon-separated (;) key=value pairs that describe the security attributes to be applied when the user runs commands. The keys used in this database's attr field include type, profiles and roles, described below. |
type | Can be normal or role. A role is assumed after the user has logged in. |
profiles | Specifies a list of profile names chosen from the /etc/security/prof_attr database. |
roles | Specifies a list of role names defined in the same /etc/user_attr database. Roles are indicated by setting the type value to role. Roles cannot be assigned to other roles. |
/etc/security/prof_attr Database :-
Syntax :- profname:res1:res2:desc(description):attr
Examples :-
```
uadd:::Profile for user admin
init:::Profile for init process
```
The following table describes these fields.
Attributes | Descriptions |
---|---|
profname | The name of the rights profile. Rights profile names are case-sensitive. |
res1 | Reserved for future use. |
res2 | Reserved for future use. |
desc | A long description. |
attr | An optional list of semicolon-separated (;) key=value pairs that describe the security attributes to be applied when the user runs commands. |
/etc/security/exec_attr Database :-
Syntax :- name:policy:type:res1:res2:id:attr
Examples :-
```
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid=0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0
```
The following table describes these fields.
Attributes | Descriptions |
---|---|
name | Name of the profile. |
policy | The security policy associated with this entry. The suser (superuser policy model) is the only valid policy entry. |
type | The type of entity whose attributes are specified. The only valid type is cmd. |
id | A string identifying the entity. A command should be given with its full path, or a path with a wildcard. |
attr | The euid and uid, or egid and gid, that the command runs with. |
Now we are ready to grant RBAC permissions to users. Let us start.
In the example below, we are going to create a UserAdmin role that can execute only the useradd and usermod commands, and a SystemAdmin role that can execute only the init and shutdown commands, both with root privileges.
Our action plan is:
Create Profile --> Privilege to profile --> Creating Role --> Role to profile --> Role to user
Step 1 : Create Profile
We need to add the lines below to /etc/security/prof_attr.
```
bash-3.00# tail -2 /etc/security/prof_attr
uadd:::Profile for user admin
init:::Profile for init process
bash-3.00#
```
Step 2 : Privilege to profile
We need to add the lines below to /etc/security/exec_attr.
```
bash-3.00# tail -4 /etc/security/exec_attr
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid=0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0
bash-3.00#
```
Step 3 : Creating Role
We need to create the role accounts with the roleadd command and set a password for each.
```
bash-3.00# roleadd -d /export/home/userrole -m userrole
64 blocks
bash-3.00# passwd userrole
New Password:
Re-enter new Password:
passwd: password successfully changed for userrole
bash-3.00#
```
```
bash-3.00# roleadd -d /export/home/admrole -m admrole
64 blocks
bash-3.00# passwd admrole
New Password:
Re-enter new Password:
passwd: password successfully changed for admrole
bash-3.00#
```
```
bash-3.00# egrep -i "userrole|admrole" /etc/passwd
userrole:x:105:1::/export/home/userrole:/bin/pfsh
admrole:x:106:1::/export/home/admrole:/bin/pfsh
bash-3.00#
```
Step 4 : Role to Profile
```
bash-3.00# rolemod -P uadd userrole
bash-3.00# rolemod -P init admrole
bash-3.00#
```
Step 5 : Adding role to user
Now we have to add the predefined roles to the existing users.
```
bash-3.00# usermod -R userrole oraadm
bash-3.00# usermod -R admrole usradm
bash-3.00#
```
Now we can verify those entries in /etc/user_attr.
```
bash-3.00# tail -4 /etc/user_attr
userrole::::type=role;profiles=uadd
admrole::::type=role;profiles=init
oraadm::::type=normal;roles=userrole
usradm::::type=normal;roles=admrole
bash-3.00#
```
```
bash-3.00# su - oraadm
Oracle Corporation SunOS 5.10 Generic Patch January 2005
$ roles
userrole
$ /usr/sbin/useradd raj
UX: /usr/sbin/useradd: ERROR: Permission denied.
$ su - userrole
Password:
$ id
uid=105(userrole) gid=1(other)
$ profiles
uadd
Basic Solaris User
All
$ /usr/sbin/useradd raj
$
```
I have logged in as a normal user (oraadm) and tried to execute the useradd command, but got the error "Permission denied". Then I switched to the role account (userrole) profile and tried the same, and it worked fine.
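As an added example (not part of the original post), here is a small Python audit that applies the rules from the three database descriptions above to the kind of entries this walkthrough produces: every profile referenced in user_attr or exec_attr must exist in prof_attr, a name in a roles list must be a type=role entry, roles must not be assigned to other roles, exec_attr commands must be full paths, and the attr field may only carry uid, euid, gid and egid. The file contents are constructed inline with a few deliberate mistakes; a real run would read the three files from /etc.

```python
# Added example (not from the original post): an audit of the three RBAC databases
# described above. Contents are constructed to mirror the uadd/init walkthrough.
USER_ATTR = """\
userrole::::type=role;profiles=uadd
oraadm::::type=normal;roles=userrole
badrole::::type=role;roles=userrole
"""
PROF_ATTR = """\
uadd:::Profile for user admin
init:::Profile for init process
"""
EXEC_ATTR = """\
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid-0
init:suser:cmd:::/usr/sbin/init:euid=0
backup:suser:cmd:::tar:euid=0
"""
ATTR_KEYS = {"uid", "euid", "gid", "egid"}  # exec_attr attr keys the post lists

def parse_attr(field):
    """Split 'k=v;k=v' into a dict; a pair without '=' keeps its raw text as key."""
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in field.split(";") if p)

def audit(user_attr, prof_attr, exec_attr):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    profiles = {l.split(":")[0] for l in prof_attr.splitlines() if l.strip()}
    users = {l.split(":")[0]: parse_attr(l.split(":")[4])  # user:qual:res1:res2:attr
             for l in user_attr.splitlines() if l.count(":") == 4}
    for name, a in users.items():
        for p in filter(None, a.get("profiles", "").split(",")):
            if p not in profiles:
                findings.append(f"{name}: profile '{p}' is not defined in prof_attr")
        for r in filter(None, a.get("roles", "").split(",")):
            if users.get(r, {}).get("type") != "role":
                findings.append(f"{name}: '{r}' is not a type=role entry in user_attr")
            if a.get("type") == "role":
                findings.append(f"{name}: roles cannot be assigned to other roles")
    for line in exec_attr.splitlines():
        f = line.split(":")  # name:policy:type:res1:res2:id:attr
        if len(f) != 7: continue
        name, cmd, attr = f[0], f[5], f[6]
        if name not in profiles:
            findings.append(f"exec_attr {cmd}: profile '{name}' is not defined in prof_attr")
        if not cmd.startswith("/"):
            findings.append(f"exec_attr {cmd}: command must be given as a full path")
        for k in parse_attr(attr):
            if k not in ATTR_KEYS:
                findings.append(f"exec_attr {cmd}: unknown attribute '{k}' (typo?)")
    return findings
```

Running audit(USER_ATTR, PROF_ATTR, EXEC_ATTR) reports the mistyped euid-0, the role assigned to badrole, and the undefined backup profile with its relative tar path.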