YakShaving: Shawn Ferry's Weblog
v. intr. [MIT AI Lab, after 2000: orig. probably from a Ren & Stimpy episode.] Any seemingly pointless activity which is actually necessary to solve a problem which solves a problem which, several levels of recursion later, solves the real problem you're working on.
Archives
« November 2009
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
     
       
Today

 Subscribe

Search

Links

 

blogs.sun.com
Weblog
About
Login
 

Today's Page Hits: 83

Locations of visitors to this page
All | Apple | Boring & Healthy | Food | Lame | Music | Sun | Yakshaving
« CEC: Dtrace Approach... | Main | Comment Spam »
20061006 Friday October 06, 2006
CEC: RBAC Demystified

Brian Bianquart and Darren Moffat

Role Based Access Control

What is a Role: An account on the system

Cannot directly login
Could be root (or any user)

What is a Privilege: An attribute of a process

Checked by Kernel

Authorization: given to users directly or through profile

...Cutting back on following/outlineing until I see something that I am less sure is readily available online and in docs...

One exec_attr table can be used across Solaris 8 and 9, Trusted Solaris (8) and Solaris 10

Here we have a graphic I have never seen before...took a picture but it will probably be lame.
I think maybe hand drawings scanned and added to the slides.

A picture of an RBAC slide

Q: Can we make it such that user and role profiles can be modified while the user is logged in or the role is in use.
A: Yes, that is a bug fixed in update 3...changes may not take effect until next login, but you will be able to make the change.

Standard RBAC example:

Execute with elevated privileges...Start Apache as a regular user on port 80
(As opposed to start as root and drop privs)

I think I was hoping for more in depth technical details, still time yet we will see

/usr/bin/pfexec is the closest thing to sudo only without authentication (yet)

pfexec will use the first profile found....that is the ALL role should be last, otherwise don't bother to define other profiles.

SMF demo: Allow a user to change the running state of a service but not the boot state
e.g.
ALLOWED: svcadm enable/disable -t
DISALOWED: svcadm enable/disable (no -t)

DO NOT MODIFY SYSTEM SUPPLIED PROFILES
File a bug if you think it should be changed
OR
Create your own profiles

Privileges

Kernel no longer only checks for UID==0
48+ privileges checked instead

Now privilege sets, next how the privileges flow not really going to note that down...I know it is well documented I have read it.

Note: Dark Red on black...hard to see, shouldn't do colors that evaluate to black

Use ppriv -D to debug privilege access. (Yes this is commonly known)

ACLs

Solaris 10 NFSv4/ZFS ACLs now match those as implemented in Windows NT/XP=

More info 

There is a RBAC and SUDO comparison slide
Strengths and weaknesses on both sides the most common requested deltas are being addressed.
Authentication and Netgroups are on/near the top of the list.

security-discuss@opensloaris.org  and Sun blueprints

Technorati Tags: , ,


Oct 06 2006, 02:42:17 PM EST Permalink

Comments:

Post a Comment:

Comments are closed for this entry.
Blog Information Profile for YakShaving