Some of us in the Solaris Security Engineering group have been asked a few times recently questions like “so how many customers actually use Solaris RBAC?”

The answer we give is usually a variant of “For Solaris 10 onwards, 100% of users use RBAC”.

Surely that is wrong: we can’t guarantee that 100% of users of Solaris 10 and Solaris 11 are or will be using RBAC, can we?  We don’t have data to back that up, because we don’t even know who all the users of Solaris actually are.

It actually is correct, and we don’t need usage data to back it up.  The reason is that you can’t turn RBAC off in Solaris 10 onwards: it is always in use in parts of the system that 100% of Solaris users always use.

The kernel always checks Solaris’s fine-grained privileges (82 distinct privileges in Solaris 11 Express), even if the process is running “as root”.  Root is simply a process that holds all privileges by default; the access checks are made against the process’s privilege sets, not against uid 0, so a root process that has had a privilege removed from its effective set is denied like any other process.  So 100% of Solaris systems make RBAC privilege checks.

SMF always checks RBAC authorisations for any enable/disable operation and any change to or viewing of a property on a service, even if you are running svcadm/svccfg as root.  SMF itself also uses RBAC to set the privileges of services (sometimes defined in RBAC profiles, sometimes defined directly in the method credential of the service definition).  Solaris doesn’t run without SMF, so 100% of Solaris systems are using RBAC authorisation checks.

Several other parts of Solaris 10 also make authorisation checks, and in Solaris 11 there will be an increased number of those in some of the core administration utilities, giving finer-grained control and better separation of duty for some common administration tasks.   I’ll post more on this when Solaris 11 is released.

In ZFS, the operations performed by the zfs(1M) command first check whether the user has an ‘allow’ delegation and then check privilege, again even if the user is root.

So 100% of Solaris users really do use RBAC.  There is no means to turn it off, and this applies even if you use sudo rather than a profile shell (e.g. /usr/bin/pfksh) or pfexec directly: sudo only gives you uid 0, and the resulting process is still subject to the same kernel privilege checks and SMF authorisation checks.
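The three places the post relies on (kernel privilege checks on a root process, SMF authorisation checks in svcadm, and zfs(1M) consulting ‘allow’ delegations before privilege) can each be exercised from a shell.  The script below is an added example written for this page, not code from the original post or from Solaris itself.  It assumes a Solaris 10 or later host where it is run as root, a hypothetical test user named jo, and a hypothetical dataset tank/home/jo; the priv_in_set helper only parses ppriv -v output and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post).  Shows that Solaris RBAC checks
# are made even for uid 0: a root process with one privilege removed is refused,
# svcadm is refused without the service's action_authorization, and zfs(1M)
# consults 'zfs allow' delegations.  Assumptions (hypothetical names): a
# Solaris 10+ host, run as root, a test user "jo", a dataset "tank/home/jo".

# priv_in_set SET PRIV  < output-of-"ppriv -v PID"
# Exits 0 if privilege PRIV is in set SET (E, I, P or L).  Use -v with ppriv so
# the sets are spelled out instead of abbreviated to "basic"; "all" matches
# every privilege.  Pure awk, so it is usable on any system for testing.
priv_in_set() {
    awk -v set="$1:" -v priv="$2" '
        $1 == set {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == priv || names[i] == "all") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# 1. Kernel privilege checks apply to root.  A file owned by another user with
#    mode 600 is readable by root only via file_dac_read.  Remove that one
#    privilege from E, I and P for a single command (L is untouched, so this is
#    a per-command reduction) and root gets "Permission denied"; -D makes the
#    kernel report the name of the missing privilege on stderr.
demo_kernel_checks_root() {
    f=$(mktemp /tmp/rbac.XXXXXX) || return 1
    echo secret > "$f"
    chown nobody "$f" && chmod 600 "$f"
    echo "## as full root (holds file_dac_read):"
    cat "$f"
    echo "## as root minus file_dac_read:"
    ppriv -e -D -s EIP-file_dac_read cat "$f"
    # Confirm what the reduced process actually holds in its effective set.
    if ppriv -e -s EIP-file_dac_read sh -c 'ppriv -v $$' | priv_in_set E file_dac_read
    then echo "file_dac_read still in E (unexpected)"
    else echo "file_dac_read removed from E, so uid 0 was not enough"
    fi
    rm -f "$f"
}

# 2. SMF authorisation checks.  svcadm looks at the service's
#    general/action_authorization property (solaris.smf.manage.ssh for ssh) and
#    checks the caller holds it; jo is refused until it is granted.
demo_smf_authorisations() {
    svcprop -p general/action_authorization svc:/network/ssh:default
    auths jo                                   # what jo holds today
    su jo -c 'svcadm restart ssh'              # Permission denied
    usermod -A solaris.smf.manage.ssh jo       # grant the authorisation directly
    su jo -c 'svcadm restart ssh'              # now permitted, still not root
    # pfexec runs a command with the rights from jo's profiles (profiles jo);
    # sudo would instead give uid 0, which faces exactly the same checks.
    su jo -c 'pfexec svcadm restart ssh'
}

# 3. ZFS delegation.  zfs(1M) checks 'allow' delegations first, then privilege.
#    jo has neither, so the snapshot is refused until a delegation is added.
demo_zfs_delegation() {
    zfs allow tank/home/jo                              # no delegations yet
    su jo -c 'zfs snapshot tank/home/jo@before'         # permission denied
    zfs allow -u jo snapshot,mount tank/home/jo
    zfs allow tank/home/jo                              # shows the new delegation
    su jo -c 'zfs snapshot tank/home/jo@after'          # permitted via 'allow'
    zfs unallow -u jo snapshot,mount tank/home/jo
}

if [ "$(uname -s)" = SunOS ] && [ "$(id -u)" = 0 ]; then
    demo_kernel_checks_root
    demo_smf_authorisations
    demo_zfs_delegation
else
    echo "Solaris demos skipped (need root on Solaris); priv_in_set still works." >&2
fi
```

The three demo functions only run on a Solaris host as root; on anything else the script just defines priv_in_set, which you can feed the captured output of ppriv -v to check which set a privilege is (or is not) in.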