100% of Solaris users use RBAC

Some of us in the Solaris Security Engineering group have been asked a few times recently questions like "so how many customers actually use Solaris RBAC?"

The answer we give is usually a variant of "For Solaris 10 onwards 100% of users use RBAC".

Surely that is wrong and we can't guarantee 100% of users of Solaris 10 and Solaris 11 are or will be using RBAC, can we? We don't have data to back that up because we don't even know who all the users of Solaris actually are.

It actually is correct, and we don't need data on usage to back it up. The reason is that you can't turn RBAC off in Solaris 10 onwards: it is always in use in parts of the system that 100% of users of Solaris always use.

The kernel always checks Solaris's fine-grained privileges (82 distinct privileges in Solaris 11 Express), even if the process is running "as root". So 100% of Solaris systems make RBAC privilege checks.

SMF always checks RBAC authorisations for any enable/disable operation and any change to or viewing of a property on a service - even if you are running 'svcadm/svccfg' as root. Also, SMF itself uses RBAC to set the privileges of services (sometimes defined in RBAC profiles, sometimes defined directly in the method credential of the service definition). Solaris doesn't run without SMF, so 100% of Solaris systems are using RBAC authorisation checks.

Several other parts of Solaris 10 also make authorisation checks, and in Solaris 11 there will be an increased number of those in some of the core administration utilities, giving us the ability to have more fine-grained control and enhanced separation of duty for some common administration tasks. I'll post more on this when Solaris 11 is released.

In ZFS the operations performed by the zfs(1M) command first check if the user has an 'allow' delegation and then check privilege - again even if the user is root.

So 100% of Solaris users really do use RBAC - there is no means to turn it off - and this applies even if you use sudo rather than using a profile shell (e.g. /usr/bin/pfksh) or pfexec directly.
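
What the kernel's privilege check means for a root-owned process, as an added example that is not part of the original post: the script reads `ppriv -v` output and reports whether a named privilege is in the effective set. The sample output, pid and daemon path are constructed, and the handling of wrapped continuation lines is an assumption about how `ppriv` lays out long sets.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE is constructed: a uid 0
# daemon whose service definition left it only four privileges. The pid and
# path are hypothetical; wrapped continuation lines are an assumption.
SAMPLE='1234:	/usr/lib/example-daemon
flags = <none>
	E: file_link_any,net_privaddr,
		proc_exec,proc_fork
	I: file_link_any,proc_exec,proc_fork
	P: file_link_any,net_privaddr,proc_exec,proc_fork
	L: file_link_any,net_privaddr,proc_exec,proc_fork'

# priv_set SET: read ppriv output on stdin, print set E, I, P or L as one
# comma-separated line, joining any wrapped continuation lines.
priv_set() {
    want="$1:"; cur=""; acc=""
    while read -r first rest; do
        case "$first" in
            [EIPL]:) cur=$first
                     if [ "$cur" = "$want" ]; then acc=$rest; fi ;;
            *)       if [ "$cur" = "$want" ]; then acc="$acc$first"; fi ;;
        esac
    done
    printf '%s\n' "$acc"
}

# has_priv SET PRIV: succeed if PRIV, or the keyword "all", is in SET.
has_priv() {
    case ",$(priv_set "$1")," in
        ,all,|*",$2,"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# report PRIV...: show which privileges the effective set holds.
report() {
    out=$(cat)
    for p in "$@"; do
        if printf '%s\n' "$out" | has_priv E "$p"; then
            echo "$p: held"
        else
            echo "$p: not held, so the kernel check fails whatever the uid"
        fi
    done
}

if command -v ppriv >/dev/null 2>&1; then
    ppriv -v $$ | report net_privaddr sys_mount   # live, on Solaris
else
    printf '%s\n' "$SAMPLE" | report net_privaddr sys_mount
fi
```

The verbose flag matters here: without `-v`, `ppriv` may print keywords such as `basic` instead of individual privilege names, which this parser does not expand.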


Perhaps the fairer question would be "how many customers actively use and extend RBAC outside of the default OS configuration"....

Posted by guest1 on August 25, 2011 at 11:04 AM BST #

While it might be the case that I am using RBAC because certain parts of Solaris use it, I would never use it willingly. We have put significant engineering into leveraging sudo for privilege elevation, for two reasons:

1. works on every UNIX
2. easier to use than RBAC.

Posted by UX-admin on August 25, 2011 at 12:34 PM BST #

guest1: Totally agree that is a fairer question but unfortunately it isn't the one that has been getting asked. I'd love to have data to answer that.

UX-admin: The cross platform thing I totally get. As for "easier to use" can you be more specific, if there is something we can do to fix usability I'd love to know. Also what if you could "use" sudo but take more advantage of RBAC "automagically" would that be interesting?

Posted by Darren Moffat on August 26, 2011 at 10:07 AM BST #

"As for "easier to use" can you be more specific, if there is something we can do to fix usability I'd love to know."

Written like a true engineer (;-)

If I assert that syntax is non-intuitive and confusing, that will not help you much, since you are looking for test cases. That means I have to sit down and create some use cases for you and then say: this is what doesn't make any sense.

I will attempt to do that, but time is always against us, so no promises, but I will try.

"Also what if you could "use" sudo but take more advantage of RBAC "automagically" would that be interesting?"

As long as we could manipulate sudoers(4) (we do this via SVR4 pkgadd(1M)), and it "just worked" and we never saw or had to deal with RBAC directly, I think that would work.

That seems like a lot of work though. Wouldn't it be cheaper to do what was done with GRUB, take sudo in and extend it to be able to do the kinds of things Solaris needs? I don't know the answer to that question, I'm just asking.

Posted by UX-admin on August 26, 2011 at 01:09 PM BST #

RBAC is really great.
I use it and see no point in continuing to use sudo anymore.
Furthermore sudo may obfuscate the ability to audit root.

Posted by Carlos Azevedo on November 19, 2011 at 07:42 PM GMT #

Carlos, glad you like RBAC! In Solaris 11 sudo will generate properly attributed audit records as well - this code is actually in the upstream community version of sudo, I just made sure it was enabled and made a small bug fix to it (that I'm going to pass upstream).

Posted by Darren J Moffat on November 21, 2011 at 05:19 AM GMT #


Darren Moffat-Oracle

