Solaris tip of the week: Use RBAC to grant fine-grained security privileges to a non-privileged user
From the rbac man page, role based access control (RBAC) is "an alternative to the all-or-nothing security model of traditional superuser-based systems. With RBAC, an administrator can assign privileged functions to specific user accounts (or special accounts called roles)."
Example: grant a non-root user read access to a root-only file
jayd@opensolaris:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
Use the privilege debugging option of ppriv (-D) to find out which privilege the failing operation needs:
jayd@opensolaris:~$ ppriv -D -e cat /etc/shadow
cat[14397]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at zfs_zaccess+0x1fa
To allow 'cat /etc/shadow' I can grant the 'file_dac_read' privilege to user jayd (the following must be run as root):
# usermod -s /usr/bin/pfsh -K defaultpriv=basic,file_dac_read jayd
The usermod command updates the default privilege set for user 'jayd' by adding a defaultpriv key to jayd's entry in /etc/user_attr:
jayd::::type=normal;defaultpriv=basic,file_dac_read;profiles=Primary Administrator;roles=root
Note also that the -s option above makes a profile shell (pfsh, pfcsh or pfksh) the user's login shell. Profile shells are the shells that consult the user's profiles in exec_attr before running a command. The defaultpriv key, by contrast, is applied to the user's inheritable privilege set at login, so it works in any shell, but only in sessions started after the change. If you prefer to stick with your non-profile shell of choice, you can always launch one of the profile shells to execute your command. One caveat when reading the test below: the user_attr entry shown above also carries the Primary Administrator profile, which in exec_attr runs every command as uid=0 in a profile shell, so the pfsh result on its own does not prove that file_dac_read was the privilege doing the work; check the privilege sets of a fresh login shell with 'ppriv $$' before relying on it.
Non-profile shell:
jayd@opensolaris:~$ echo $SHELL
/bin/bash
jayd@opensolaris:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
Profile shell:
jayd@opensolaris:~$ /bin/pfsh
$ cat /etc/shadow
root:xxxxxxxx:13817::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
...
This will add read permission to all "privileged" files. How would one grant "fine-grained" privilege to read just (say) /etc/shadow using RBAC?
Posted by Wayne on September 25, 2008 at 11:58 PM EDT #
Well done,
I have the same request to delegate the ps and kill commands to some IT staff who don't need full root privileges.
How can I do it on Solaris 9?
thanks.
SY
Posted by Serge on October 01, 2008 at 07:17 AM EDT #
I need to unlock the privileges of the non-privileged user.
Posted by Saravanan M on October 04, 2008 at 05:03 AM EDT #
Wayne, one way to do this would be to create a custom script that executes the specific command only - say 'cat /etc/shadow'.
Create a file /usr/local/bin/readshadow.sh, containing:
#!/bin/sh
cat /etc/shadow
exit 0
To grant this privilege to a user, create a custom profile containing this command:
echo "READSHADOW:::profile for read /etc/shadow:" >> /etc/security/prof_attr
echo "READSHADOW:suser:cmd:::/usr/local/bin/readshadow.sh:euid=0" >> /etc/security/exec_attr
Finally, add this profile to the user's entry:
# grep jayd /etc/user_attr
jayd::::type=normal;defaultpriv=basic;profiles=READSHADOW
Now from a shell:
$ /usr/local/bin/readshadow.sh
bash: /usr/local/bin/readshadow.sh: Permission denied
$ pfsh
$ /usr/local/bin/readshadow.sh
root:XXXX ...
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
etc ...
Posted by Jay Danielsen on October 17, 2008 at 03:11 PM EDT #
Serge, you can create a custom privilege containing the set of commands granted to your IT staff as follows:
First, create a custom profile containing this text:
echo "ITSTAFF:::Custom command set for IT Staff:" >> /etc/security/prof_attr
Next add the list of commands to the profile as follows:
echo "ITSTAFF:suser:cmd:::/usr/bin/kill:euid=0
ITSTAFF:suser:cmd:::/usr/bin/ps:euid=0" >> /etc/security/exec_attr
Finally, add the profile to your IT Staff user accounts:
# grep jayd /etc/user_attr
jayd::::type=normal;defaultpriv=basic;profiles=ITSTAFF
To test:
jayd $ pfsh
$ kill -9 [privileged process]
Posted by Jay Danielsen on October 17, 2008 at 03:17 PM EDT #
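As an added example (not code from the original post or from any of the comments), here is a POSIX sh helper that generalises the READSHADOW and ITSTAFF recipes above and ties them back to the ppriv -D step in the post: it builds the prof_attr, exec_attr and user_attr records for a single-command profile, checks the field count of each record so that a stray colon in a description cannot corrupt the database, refuses to delegate a command file that the target user could rewrite, and uses the privs= attribute from exec_attr(4) (which requires the "solaris" policy, Solaris 10 or later) so the wrapper runs with only file_dac_read, the privilege ppriv identified, rather than as euid=0. The RBAC_DIR variable, the function names and the profile description are my assumptions; nothing is written under /etc unless RBAC_DIR points there.

```shell
#!/bin/sh
# Added example, not code from the original post: build and check the RBAC
# database records for a single-command profile, then append them to the
# databases under $RBAC_DIR (assumed variable: /etc on a Solaris host, or a
# scratch directory for a dry run on any POSIX system).
#
# Record layouts, from prof_attr(4), exec_attr(4) and user_attr(4):
#   prof_attr:  name:res1:res2:description:attr          (5 fields)
#   exec_attr:  name:policy:type:res1:res2:id:attr       (7 fields)
#   user_attr:  user:qualifier:res1:res2:attr            (5 fields)

RBAC_DIR="${RBAC_DIR:-/etc}"

count_fields() {
    # Number of colon-separated fields in the record $1 (trailing empty
    # field included, as the databases require).
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

prof_attr_line() {
    # $1 = profile name, $2 = description
    printf '%s:::%s:\n' "$1" "$2"
}

exec_attr_line() {
    # $1 = profile name, $2 = policy, $3 = absolute command path,
    # $4 = attribute list, e.g. euid=0 or privs=file_dac_read.
    # privs= is only honoured under the "solaris" policy; "suser" knows
    # uid/euid/gid/egid only.
    printf '%s:%s:cmd:::%s:%s\n' "$1" "$2" "$3" "$4"
}

user_attr_line() {
    # $1 = login name, $2 = comma-separated profile list
    printf '%s::::type=normal;profiles=%s\n' "$1" "$2"
}

check_command_safe() {
    # A command that a profile runs with extra privilege must not be
    # something the delegated user can rewrite: absolute path, regular file,
    # owned by root, not group- or world-writable. Returns 0 = safe, 1 = unsafe.
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] || return 1
    set -- "$1" $(ls -ldL "$1")
    # After set: $2 = mode string (e.g. -rwxr-xr-x), $4 = owner name
    [ "$4" = root ] || return 1
    case "$2" in
        ?????w*|????????w*) return 1 ;;   # group (pos 6) or other (pos 9) write bit
    esac
    return 0
}

add_profile() {
    # $1 profile, $2 description, $3 policy, $4 command, $5 attrs, $6 user.
    # Writes nothing and returns 1 if any record has the wrong field count.
    # Run check_command_safe on $4 first when installing for real.
    p=$(prof_attr_line "$1" "$2")
    e=$(exec_attr_line "$1" "$3" "$4" "$5")
    u=$(user_attr_line "$6" "$1")
    [ "$(count_fields "$p")" -eq 5 ] || return 1
    [ "$(count_fields "$e")" -eq 7 ] || return 1
    [ "$(count_fields "$u")" -eq 5 ] || return 1
    mkdir -p "$RBAC_DIR/security"
    printf '%s\n' "$p" >> "$RBAC_DIR/security/prof_attr"
    printf '%s\n' "$e" >> "$RBAC_DIR/security/exec_attr"
    printf '%s\n' "$u" >> "$RBAC_DIR/user_attr"
}

# Usage on a Solaris host (as root), mirroring the READSHADOW recipe but with
# the privilege ppriv -D reported instead of euid=0:
#   check_command_safe /usr/local/bin/readshadow.sh &&
#   RBAC_DIR=/etc add_profile READSHADOW "read /etc/shadow only" solaris \
#       /usr/local/bin/readshadow.sh privs=file_dac_read jayd
```

For an account that already has a user_attr entry, apply the profile with 'usermod -P READSHADOW jayd' instead of appending a second record; as in the post, the profile only takes effect from a profile shell (pfsh) or via pfexec.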
Saravanan, not sure what information you are looking for. Can you be more explicit ?
Regards,
Jay
Posted by Jay Danielsen on October 17, 2008 at 03:18 PM EDT #
I suppose if it's a command, we should set euid=0,
but if it's a shell script, we should set uid=0 instead.
echo "READSHADOW:suser:cmd:::/usr/local/bin/readshadow.sh:uid=0" >> /etc/security/exec_attr
Posted by hide on November 02, 2008 at 09:14 PM EST #
Great tip, thanks. Exactly what I was trying to figure out.
Posted by Merritt on October 29, 2009 at 08:58 AM EDT #