Wednesday, 24 July 2013

Role-Based Access Control (RBAC) is a inbuilt security feature in Solaris which can be assigned to roles, such as system administrators, network administrators or operator to individual users. In the RBAC, Superuser will creates one or more roles. The roles that are based on privileges profiles. Superuser then assigns that roles to the required users who are trusted to perform the tasks of the role. 
       Role is special identity for running privileged applications or commands that can be assumed by assigned users only. Rights Profiles is a collection of privileges that can be assigned to a role or user. (Primary Administrator, System Administrator, Printer Management etc.,). Authorizations is a permission that you can assign to a role or to a user.

RBAC FilesDescritptions
/etc/user_attr The extended user attributes database, which associates users and roles with authorizations and right profiles in addition to the /etc/passwd, /etc/group, and /etc/shadow files
/etc/security/prof_attr The rights profile attributes database, which defines profiles, lists the profile’s assigned authorizations and any nested rights profiles, and identifies the associated help files.
/etc/security/exec_attr The execution attributed database, which defines the privileged commands and scripts assigned to a profile.
/etc/security/auth_attr The authorization attributes database, which defines authorizations and their attributes. This database also identifies the associated help file.
/etc/security/policy.conf File provides system default authorizations for users.

Profile Shells is a special type of shell that enables access to the privileged applications that are assigned to the profile. The profile shells are pfsh, pfksh, and pfcsh.

RBAC Commands

CommandsDescriptions
authsDisplays authorizations for a user
makedbmMakes a dbm file
nscdIdentifies the name service. Useful for caching the 4 RBAC DB details
pam_rolesIdentifies the role account management module for password authentication module (PAM)
pfexecIdentifies the profile shells used to execute commands with attributes specifies in exec_attr
policy.confIdentifies the config file for the security policy. Lists granted authorization
profilesDisplays profiles for a specified user
rolesDisplays roles granted to a user
roleaddAdds a role account to the system
rolemodModifies the role’s account info in the system
roledelDeletes a role’s account from the system

Let we can see RBAC database syntax and brief description

/etc/user_attr Database :-
Syntax :- user:qualifier(reserved):res1(reserved):res2(reserved):attr
Examples :-
role1::::type=role;profiles=uadd,init
oraadm::::type=normal;roles=role1
Attributes
Descriptions
user
The name of the user or role as specified in the passwd database.
qualifier
Reserved for future use.  
res1
Reserved for future use.  
res2
Reserved for future use.  
attr
An optional list of semicolon separated (;) key value pairs that describe the security attributes to be applied when the user runs commands.
type
Can be normal or role. A role is assumed after the user has logged in
profiles
Specifies a list of profile names chosen from the /etc/security/prof_attr Database
roles
Specifies a list of role names defined in the same /etc/user_attr Database. Roles are indicated by setting the type value to role. Roles cannot be assigned to other roles

/etc/security/prof_attr Database :-
Syntax :- profname:res1:res2:desc(description):attr
Examples :-
uadd:::Profile for user admin
init:::Profile for init process
The following table describes these fields.
Attributes
Descriptions
profname
The name of the rights profile. Rights profile names are case-sensitive
res1
Reserved for future use.  
res2
Reserved for future use.  
desc
A long description
attr
An optional list of semicolon separated (;) key value pairs that describe the security attributes to be applied when the user runs commands.

/etc/security/exec_attr Database :-
Syntax :- name:policy:type:res1:res2:id:attr
Examples :-
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid-0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0
The following table describes these fields.
Attributes
Descriptions
name
Name of the profile
policy
The security policy associated with this entry. The suser (superuser policy model) is the only valid policy entry.
type
The type of entity. Whose attributes are specified. The only valid type is cmd
id
a string identifying the entity. Command should have full path or a path with wildcard
attr
euid and uid   |   egid and gid

Now we are ready to provide the RBAC permission for user. Let we can start.... 
In below example, we are going to create the UserAdmin Role  who can execute only command useradd, usermod , another SystemAdmin Role who can execute only command init, shutdown with root privileges

Our Action Plan is
Create Profile --> Privilege to profile --> Creating Role --> Role to profile --> Role to user

Step 1 : Create Profile
We need to add the below line in /etc/security/prof_attr
bash-3.00# tail -2 /etc/security/prof_attr
uadd:::Profile for user admin
init:::Profile for init process
bash-3.00#
Step 2 : Privilege to profile
We need to add the below line in /etc/security/exec_attr
bash-3.00# tail -4 /etc/security/exec_attr
uadd:suser:cmd:::/usr/sbin/useradd:euid=0
uadd:suser:cmd:::/usr/sbin/usermod:euid-0
init:suser:cmd:::/usr/sbin/init:euid=0
init:suser:cmd:::/usr/sbin/shutdown:euid=0
bash-3.00#
Step 3 : Creating Role
We need to create a Role account by using ":roleadd" command and set passwd.
bash-3.00# roleadd -d /export/home/userrole -m userrole
64 blocks
bash-3.00#
bash-3.00# passwd userrole
New Password:
Re-enter new Password:
passwd: password successfully changed for userrole
bash-3.00#
bash-3.00# roleadd -d /export/home/admrole -m admrole
64 blocks
bash-3.00#
bash-3.00# passwd admrole
New Password:
Re-enter new Password:
passwd: password successfully changed for admrole
bash-3.00#
bash-3.00# egrep -i "userrole|admrole" /etc/passwd
userrole:x:105:1::/export/home/userrole:/bin/pfsh
admrole:x:106:1::/export/home/admrole:/bin/pfsh
bash-3.00#
Step 4 : Role to Profile
We need to assign the roles to the respective user profiles by using "rolemod" command
bash-3.00# rolemod -P uadd userrole
bash-3.00# rolemod -P init admrole
bash-3.00#
Step 5 : Adding role to user
Now we have to add the predefined role to existing users
bash-3.00# usermod -R userrole oraadm
bash-3.00#
bash-3.00# usermod -R admrole usradm
bash-3.00#
Now we can verify those entries on /etc/user_attr
bash-3.00# tail -4 /etc/user_attr
userrole::::type=role;profiles=uadd
admrole::::type=role;profiles=init
oraadm::::type=normal;roles=userrole
usradm::::type=normal;roles=admrole
bash-3.00#
Now we have successfully added the predefined role to existing users. Now they can able to execute those commands with root privileges. Let we can try....
bash-3.00# su - oraadm
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
$
$ roles
userrole
$ 
$ /usr/sbin/useradd raj
UX: /usr/sbin/useradd: ERROR: Permission denied.
$
$ su - userrole
Password:
$
$ id
uid=105(userrole) gid=1(other)
$ profiles
uadd
Basic Solaris User
All
$
$ /usr/sbin/useradd raj
$
$
I have logged as normal user (oraadm) and tried to execute useradd command, but got error as "permission denied". Then I switched as role account (userrole) profile and tried the same and Its worked fine.

I hope you understand RBAC configuration. Thanks for reading this article.