Oracle Solaris 11.2 Authenticated Rights Profiles


Roles are implemented in Oracle Solaris as shared accounts, which require authentication prior to use. When an authorized user successfully assumes a role, the actions of the role are attributed to the user in the audit trail, but the user's authorizations, rights profiles, and home directory are replaced by those of the role. Alternatively, administrative rights profiles can be assigned directly to users, so that they don't need to assume roles. Such users can enable profile-based execution by starting a profile shell, e.g pfbash, which sets the process flag PRIV_PFEXEC. While this is more convenient, it presents the risk that users may not realize they are using their rights, or that someone else could abuse those rights if they leave their terminal unlocked.

Oracle Solaris 11.2 has a new feature, authenticated rights profiles, which mitigates that risk, while maintaining the convenience of profile-based execution. A new keyword, auth_profiles, can be used to specify which of a user's rights profiles require re-authentication prior to use. Unlike role assumption which is initiated explicitly, the re-authentication challenge for these authenticated profiles occurs automatically, via a new PAM service called pfexec. For example, if a user is running with profile-based execution enabled and attempts to execute a command matching one of her authenticated rights profiles, a re-authentication challenge is issued, which explains why privilege escalation is required. The user then has the option to re-authenticate and run the command with the attributes specified in the profile, or to bypass the challenge, and run the command with default attributes

If the user is successfully authenticated the new process associated with the command is marked with the flag, PRIV_PFEXEC_AUTH, so that any rights specified in the user's set of authenticated rights profiles are effective for this process and its children. In addition, after a successful re-authentication, a grace period, defaulting to 5 minutes, enables automatic re-authentication for any process associated within the terminal session, unless overridden by other time-based restrictions.

For desktop programs, which are not associated with a terminal, re-authentication challenges are issued via a desktop dialog using the X11 $DISPLAY variable. In this case, the grace period for re-authentication is associated with the $DISPLAY variable, so that it applies to applications started via desktop icons.

Although the authorizations that are specified via normal profiles are implicitly effective, those in authenticated rights profiles are ignored unless the PRIV_PFEXEC_AUTH flag is set. However, a re-authentication challenge may be issued by a privileged process if a required authorization is assigned via an authenticated rights profile. In this case the explanation for the challenge identifies the relevant authorization. Since the challenge uses the same pfexec PAM service, it is subject to the same grace period policy as command-based challenges.

Providing Feedback about the State of Profile-based Execution

As an aid to the user, the state of profile-based execution can be conveyed via the shell prompt. In the following example the last character of the prompt reflects the current status. An appended $ indicates normal execution, % indicates profile-based execution, and # indicates that authenticated profiles are effective. This fragment could be inserted into the user's ~/.bashrc file. Alternatively, the prompts could be color-coded.

if [ -z "$LOGIN_SHELL" ]; then
x=$(ppriv $$|grep flags|grep -w PRIV_PFEXEC)
if [ $? = 1 ]; then
PS1="\u@\h[\#]\$ "
echo "$x"|grep -qw PRIV_PFEXEC_AUTH
if [ $? = 0 ]; then
PS1="\u@\h[\#]# "
PS1="\u@\h[\#]% "

Assigning Authenticated Rights Profiles

The following example demonstrates how to create a customized rights profile and assign it to a user. The Test profile grants the right to run the Print Manager as root. The program /usr/bin/xterm is also added since it will be used in a later exercise.

gfaden@solaris:~$ su -
root@solaris# profiles -p Test
profiles:Test> set desc="Test Profile"
profiles:Test> add cmd=/usr/bin/system-config-printer profiles:Test:system-config-printer> set uid=root profiles:Test:system-config-printer> end profiles:Test> add cmd=/usr/bin/xterm profiles:Test:xterm> end
profiles:Test> exit

Next, the test account is created and assigned the Test profile:

root@solaris# useradd -m -K auth_profiles=Test test
root@solaris# passwd test
New Password:
Re-enter new Password:

The previous shell script is copied into ~test/.bashrc, and the ownership it set to test. The Administrator Message Edit profile is also added since it will be used later.

root@solaris# usermod -K auth_profiles+="Administrator Message Edit" test"

The previous steps can also done graphically by selecting System->Administration->User Manager. When the dialog appears, click on the lock icon in upper right corner and assume the root role. After creating the test account, use the Advanced Settings to assign the authenticated profiles using the following dialog:

These assignments can be verified using the -x option which shows the profiles and authorizations that require authentication. Without the -x option, only regular profiles and authorizations are shown:

gfaden@solaris:~$ profiles test test:
Basic Solaris User
Basic Solaris User
gfaden@solaris:~$ profiles -lx test test:
Administrator Message Edit
Administrator Message Edit
/usr/bin/xterm /usr/bin/system-config-printer

Re-authentication Challenges on the Desktop

Authenticated rights profiles apply to both GUIs and command line programs. The re-authentication functionality can be shown by logging in to the GNOME desktop as the test user. After selecting System->Administration->Print Manager, the following dialog appears:

If the challenge is accepted by entering test's password, then the Print Manager runs as root. This allows creating a New printer, using this dialog:

However, if the challenge is Canceled, the following dialog appears:

If Yes is selected, the Print Manager runs as the test user. In this case, selecting New results in yet another authentication dialog.

This dialog is requesting the user to assume the root role. By default, this requires the root password. However, the following command changes the policy to require the user's password:

root@solaris# rolemod -K roleauth=user root

Access Time Restrictions

The re-authentication grace period can be changed on a per-user basis by creating a customized PAM configuration file. The following procedure sets a 1 minute grace period for the test user:

root@solaris# cd /etc/security/pam_policy
root@solaris# cp unix unix-test
root@solaris# vi unix-test

The existing entry assumes the default value specified in the pam_tty_tickets(4) man page.

pfexec auth sufficient

An explicit timeout value can be appended as follows:

pfexec auth sufficient timeout=1

After updating the unix-test file, the policy can be applied to the test user as follows:

root@solaris# usermod -K pam_policy=unix-test test

It is also possible to restrict the days and times when re-authentication is permitted using the access_times property. The following example specifies that the test user can only re-authenticate on weekdays between 8 am and 5 pm:

root@solaris# usermod -K access_times={pfexec}:Wk0800-1700 test

If the user selects the Print Manager after 5 pm, re-authentication will fail, and the following dialog will be displayed:

Re-athenticating to Edit a Restricted File

A Terminal window is used to start pfedit, which is an authorization-aware wrapper for editing restricted files. The profile shell pfbash is used to enable profile-based execution. This state is reflected in the new

shell prompt suffix. The following example shows the re-authentication challenge that is issued when attempting to edit /etc/motd:

test@solaris[20]$ pfbash
test@solaris[21]% pfedit /etc/motd
Reauthentication by test is required to use authorization:
solaris.admin.edit/etc/motd Password:

After successfully authenticating, the editor specified by $EDITOR is launched using a temporary file. When that editor exits, pfedit writes the changes back to the original file, and generates an audit record including the differences.

Passing the Authentication State to Child Processes

An xterm window can be used to demonstrate how subsequent re-authentication can be bypassed. The profiles command can be used to verify that xterm is included in an authenticated rights profile that is assigned to test:

test@solaris[22]% profiles -lxc xterm test name=Test
test@solaris[22]% xterm&

Assuming the timer has expired for the current Terminal the following prompt will appear:

Re-authentication by test is required to use profile: Test

After successful re-authentication, a new xterm window appears, and the shell prompt suffix changes to # indicating that the authentication state has been inherited from xterm. In addition, the following command can be used to verify that both process flags are set for all processes started from this xterm>window:

test@solaris[22]# ppriv $$
485931: bash
E: basic
E: basic
P: basic
L: all

Post a Comment:
  • HTML Syntax: NOT allowed

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.


« November 2015