Monday Jan 28, 2013

Using Solaris profiles to run with limited privilege

Solaris has had Role Based Access Controls since the Solaris 8 timeframe (circa 2000). With each release, it has been improved with additional profiles and capabilities. In Solaris 11, we took a step further and converted the "root" user into a role. The goal of these enhanced security features is to ensure that an administrator can perform his assigned functions with the minimum privileges required, and to reduce the number of personnel who need to access the root role. Glenn Faden, security architect for Solaris engineering, has blogged about these topics extensively (also see Glenn Brunette's blog).

Here's a simple use case for why you might need to use Solaris profiles and how to use them. 

Let's imagine that you are a basic Solaris user, but you have been asked to be the Auditing Administrator. The first thing you might do is check to see if you have permissions to run the auditing tools.

test@solaris11:~$ pfexec auditconfig -getflags
auditon(2) failed.
error: Not owner(1)

Perhaps this is because you don't have the proper profile configured.  Check your current profiles.

test@solaris11:~$ profiles
          Basic Solaris User
          All

Without the "Audit Configuration" profile, you can't execute this command. Here is what the Audit Configuration profile looks like when you enter profiles -all. It grants the solaris.smf.value.audit authorization and lets you execute the auditconfig command with the sys_audit privilege.

Audit Configuration
auths=solaris.smf.value.audit
          /usr/sbin/auditconfig      privs=sys_audit

You ask the senior administrator to add the Audit Configuration profile to your list. Pay close attention to the "+" sign, the quotes and the upper case letters. The "+" sign means to add this profile to your existing profiles. Leave it off and it will replace existing profiles.

sudo usermod -P +"Audit Configuration" test

Now, you can try again. Your profile has been updated and the command is successful.

test@solaris11:~$ profiles
          Audit Configuration
          Basic Solaris User
          All

test@solaris11:~$ pfexec auditconfig -getflags
active user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
configured user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
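
The check below is an added example, not part of the original post: it compares a user's profiles listing from before and after a usermod -P change and reports any profile that was lost, which is what happens when the "+" is left off. The function names, the "ZFS File System Management" assignment and the three listings are constructed sample data in the format of the profiles output shown above.

```shell
#!/bin/sh
# Added example: detect profiles lost when "usermod -P" is run without "+".
# Assumed input format: one profile name per line with leading whitespace,
# as in the `profiles` output shown in this post.

# Trim surrounding whitespace and drop blank lines.
normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print every profile present in $1 (before) but absent from $2 (after).
dropped_profiles() {
    before=$(printf '%s\n' "$1" | normalize)
    after=$(printf '%s\n' "$2" | normalize)
    printf '%s\n' "$before" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        # -F literal match, -x whole line: "All" must not match "Allocate".
        printf '%s\n' "$after" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Return 0 if profile $2 appears in listing $1.
has_profile() {
    printf '%s\n' "$1" | normalize | grep -Fxq -- "$2"
}

# Constructed listings: a user who already holds one explicit profile.
BEFORE='          ZFS File System Management
          Basic Solaris User
          All'
# After: usermod -P +"Audit Configuration" test
AFTER_PLUS='          Audit Configuration
          ZFS File System Management
          Basic Solaris User
          All'
# After: usermod -P "Audit Configuration" test   (no "+")
AFTER_REPLACED='          Audit Configuration
          Basic Solaris User
          All'

echo "lost with +:    [$(dropped_profiles "$BEFORE" "$AFTER_PLUS")]"
echo "lost without +: [$(dropped_profiles "$BEFORE" "$AFTER_REPLACED")]"
```

On a live system the two arguments would be the saved output of profiles captured before and after the change.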

Note that the pfexec command is required to execute this command with your profiles in effect.  To avoid typing "pfexec" in front of every command, you can simply run pfbash or ask the administrator to make your default shell /usr/bin/pfbash instead of standard bash.

sudo usermod -s /usr/bin/pfbash test

There are many different profiles available in Solaris 11, including ZFS administration, SMF administration, file system administration and more. Type profiles -all to see the entire list.

About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
