By Glenn Faden on Jan 11, 2013
Per-user Security Attributes
Way back in Solaris 8 we introduced an extensible database, user_attr(4), where we could maintain the security attributes of each user. Originally the database included just three properties: roles, auths, and profiles. These were exposed as the options -R, -A, and -P on the useradd(1M) man page. Since then we have been adding new properties in each Solaris release, while preserving backward compatibility in both the file /etc/user_attr and the corresponding LDAP schema. To avoid dealing with an alphabet full of new options, we standardized on the -K option, which can be used to set the values of any property.
Some of the more recently added properties are:
- audit_flags: Specifies per-user audit preselection flags as colon-separated always-audit-flags and never-audit-flags, as in audit_flags=always-audit-flags:never-audit-flags. See audit_flags(5).
- pam_policy: Specifies the PAM policy to apply to a user. pam_policy must be either an absolute pathname to a pam.conf(4)-formatted file or the name of a pam.conf-formatted file located in /etc/security/pam_policy.
- roleauth: Specifies whether the assigned role requires the role's own password or the password of the user who is assuming the role. Valid values are role and user. If roleauth is not specified, roleauth=role is implied.
and two previously existing properties now take more fine-grained values:
- auths: Authorization names can be specified with an object, such as solaris.admin.edit/etc/motd, which grants permission to edit the file /etc/motd.
- defaultpriv and limitpriv: An Extended Policy can be specified that qualifies the objects for which the privileges are granted. See privileges(5).
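As an added example (not code from this post or from Solaris itself), the following Python parses entries in user_attr(4) format, including the escaped colon that audit_flags and Extended Policy objects need, so an administrator can review which of these properties are set on an exported /etc/user_attr. The sample entries, the role webadm, the profile Web Management and the policy name are constructed, and the helper function names are assumptions of this example.

```python
# Constructed sample of /etc/user_attr(4) entries, not taken from a real system.
# Format: user:qualifier:res1:res2:attr; attr is ';'-separated key=value pairs,
# and a literal ':' inside a value (audit_flags, Extended Policy) is written '\:'.
SAMPLE_USER_ATTR = r"""
alice::::profiles=Basic Solaris User;auths=solaris.admin.edit/etc/motd;roles=webadm
webadm::::type=role;roleauth=user;profiles=Web Management;audit_flags=ex\:no
bob::::pam_policy=krb5_only;defaultpriv=basic,{file_dac_read}\:/var/log/*
"""
MULTI_VALUED = {"auths", "profiles", "roles", "defaultpriv", "limitpriv"}


def _split_unescaped(text, sep):
    """Split on sep, honouring backslash escapes and keeping {...} sets intact."""
    parts, buf, depth, i = [], "", 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # '\:' -> ':' (escape consumed)
            buf, i = buf + text[i + 1], i + 2
            continue
        depth += (c == "{") - (c == "}")
        if c == sep and depth == 0:
            parts, buf = parts + [buf], ""
        else:
            buf += c
        i += 1
    return parts + [buf]


def parse_user_attr(text):
    """Return {user_or_role: {property: value}}; multi-valued keys become lists."""
    entries = {}
    for line in text.splitlines():
        fields = _split_unescaped(line.strip(), ":")
        if not fields[0] or fields[0].startswith("#") or len(fields) != 5:
            continue
        props = {}
        for kv in _split_unescaped(fields[4], ";"):
            key, _, value = kv.partition("=")
            props[key] = _split_unescaped(value, ",") if key in MULTI_VALUED else value
        entries[fields[0]] = props
    return entries


def audit_flags(props):
    """Split audit_flags into (always-audit, never-audit) flag lists."""
    always, _, never = props.get("audit_flags", "").partition(":")
    return always.split(",") if always else [], never.split(",") if never else []


def extended_policy_privs(props, key="defaultpriv"):
    """Return [(privilege list, object)] for Extended Policy items like {p}:obj."""
    return [(item[1:].partition("}")[0].split(","), item.partition(":")[2])
            for item in props.get(key, []) if item.startswith("{")]
```

Roles that take the assuming user's password show up as entries with type=role and roleauth=user, which is worth listing when reviewing who can reach privileged profiles.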
I've developed three hands-on labs that demonstrate how to take advantage of some of these new features.
- The first lab demonstrates how Extended Policy applies to individual privileges.
- The second lab demonstrates how fine-grained user authorizations can be applied to managing services.
- The third lab demonstrates how authentication policies can be customized for specific users.
Give them a try and use the comments field to let me know what you think.