By Glenn Faden-Oracle on Apr 29, 2014
Roles are implemented in Oracle Solaris as shared accounts, which require authentication prior to use. When an authorized user successfully assumes a role, the actions of the role are attributed to the user in the audit trail, but the user's authorizations, rights profiles, and home directory are replaced by those of the role. Alternatively, administrative rights profiles can be assigned directly to users, so that they don't need to assume roles. Such users can enable profile-based execution by starting a profile shell, e.g pfbash, which sets the process flag PRIV_PFEXEC. While this is more convenient, it presents the risk that users may not realize they are using their rights, or that someone else could abuse those rights if they leave their terminal unlocked.
Oracle Solaris 11.2 has a new feature, authenticated rights profiles, which mitigates that risk, while maintaining the convenience of profile-based execution. A new keyword, auth_profiles, can be used to specify which of a user's rights profiles require re-authentication prior to use. Unlike role assumption which is initiated explicitly, the re-authentication challenge for these authenticated profiles occurs automatically, via a new PAM service called pfexec. For example, if a user is running with profile-based execution enabled and attempts to execute a command matching one of her authenticated rights profiles, a re-authentication challenge is issued, which explains why privilege escalation is required. The user then has the option to re-authenticate and run the command with the attributes specified in the profile, or to bypass the challenge, and run the command with default attributes
If the user is successfully authenticated the new process associated with the command is marked with the flag, PRIV_PFEXEC_AUTH, so that any rights specified in the user's set of authenticated rights profiles are effective for this process and its children. In addition, after a successful re-authentication, a grace period, defaulting to 5 minutes, enables automatic re-authentication for any process associated within the terminal session, unless overridden by other time-based restrictions.
For desktop programs, which are not associated with a terminal, re-authentication challenges are issued via a desktop dialog using the X11 $DISPLAY variable. In this case, the grace period for re-authentication is associated with the $DISPLAY variable, so that it applies to applications started via desktop icons.
Although the authorizations that are specified via normal profiles are implicitly effective, those in authenticated rights profiles are ignored unless the PRIV_PFEXEC_AUTH flag is set. However, a re-authentication challenge may be issued by a privileged process if a required authorization is assigned via an authenticated rights profile. In this case the explanation for the challenge identifies the relevant authorization. Since the challenge uses the same pfexec PAM service, it is subject to the same grace period policy as command-based challenges.
Providing Feedback about the State of Profile-based Execution
As an aid to the user, the state of profile-based execution can be conveyed via the shell prompt. In the following example the last character of the prompt reflects the current status. An appended $ indicates normal execution, % indicates profile-based execution, and # indicates that authenticated profiles are effective. This fragment could be inserted into the user's ~/.bashrc file. Alternatively, the prompts could be color-coded.
if [ -z "$LOGIN_SHELL" ]; then
x=$(ppriv $$|grep flags|grep -w PRIV_PFEXEC)
if [ $? = 1 ]; then
echo "$x"|grep -qw PRIV_PFEXEC_AUTH
if [ $? = 0 ]; then
Assigning Authenticated Rights Profiles
The following example demonstrates how to create a customized rights profile and assign it to a user. The Test profile grants the right to run the Print Manager as root. The program /usr/bin/xterm is also added since it will be used in a later exercise.
root@solaris# profiles -p Test
profiles:Test> set desc="Test Profile"
profiles:Test> add cmd=/usr/bin/system-config-printer profiles:Test:system-config-printer> set uid=root profiles:Test:system-config-printer> end profiles:Test> add cmd=/usr/bin/xterm profiles:Test:xterm> end
Next, the test account is created and assigned the Test profile:
root@solaris# passwd test
Re-enter new Password:
The previous shell script is copied into ~test/.bashrc, and the ownership it set to test. The Administrator Message Edit profile is also added since it will be used later.
The previous steps can also done graphically by selecting System->Administration->User Manager. When the dialog appears, click on the lock icon in upper right corner and assume the root role. After creating the test account, use the Advanced Settings to assign the authenticated profiles using the following dialog:
These assignments can be verified using the -x option which shows the profiles and authorizations that require authentication. Without the -x option, only regular profiles and authorizations are shown:
Basic Solaris User
Basic Solaris User
gfaden@solaris:~$ profiles -lx test test:
Administrator Message Edit
Administrator Message Edit
Re-authentication Challenges on the Desktop
Authenticated rights profiles apply to both GUIs and command line programs. The re-authentication functionality can be shown by logging in to the GNOME desktop as the test user. After selecting System->Administration->Print Manager, the following dialog appears:
If the challenge is accepted by entering test's password, then the Print Manager runs as root. This allows creating a New printer, using this dialog:
However, if the challenge is Canceled, the following dialog appears:
If Yes is selected, the Print Manager runs as the test user. In this case, selecting New results in yet another authentication dialog.
This dialog is requesting the user to assume the root role. By default, this requires the root password. However, the following command changes the policy to require the user's password:
Access Time Restrictions
The re-authentication grace period can be changed on a per-user basis by creating a customized PAM configuration file. The following procedure sets a 1 minute grace period for the test user:
root@solaris# cp unix unix-test
root@solaris# vi unix-test
The existing entry assumes the default value specified in the pam_tty_tickets(4) man page.
An explicit timeout value can be appended as follows:
After updating the unix-test file, the policy can be applied to the test user as follows:
It is also possible to restrict the days and times when re-authentication is permitted using the access_times property. The following example specifies that the test user can only re-authenticate on weekdays between 8 am and 5 pm:
If the user selects the Print Manager after 5 pm, re-authentication will fail, and the following dialog will be displayed:
Re-athenticating to Edit a Restricted File
A Terminal window is used to start pfedit, which is an authorization-aware wrapper for editing restricted files. The profile shell pfbash is used to enable profile-based execution. This state is reflected in the new
shell prompt suffix. The following example shows the re-authentication challenge that is issued when attempting to edit /etc/motd:
test@solaris% pfedit /etc/motd
Reauthentication by test is required to use authorization:
After successfully authenticating, the editor specified by $EDITOR is launched using a temporary file. When that editor exits, pfedit writes the changes back to the original file, and generates an audit record including the differences.
Passing the Authentication State to Child Processes
An xterm window can be used to demonstrate how subsequent re-authentication can be bypassed. The profiles command can be used to verify that xterm is included in an authenticated rights profile that is assigned to test:
Assuming the timer has expired for the current Terminal the following prompt will appear:
After successful re-authentication, a new xterm window appears, and the shell prompt suffix changes to # indicating that the authentication state has been inherited from xterm. In addition, the following command can be used to verify that both process flags are set for all processes started from this xterm>window:
flags = PRIV_PFEXEC|PRIV_PFEXEC_AUTH