What’s new in User Rights Management

Author: Glenn Faden

Per-user Security Attributes 

Way back in Solaris 8 we introduced an extensible database, user_attr(4), where we could maintain the security attributes of each user. Originally the database included just three properties: roles, auths, and profiles. These were exposed as the options -R, -A, and -P on the useradd(1M) man page. Since then we have been adding new properties in each Solaris release, while preserving backward compatibility in both the file /etc/user_attr and the corresponding LDAP schema. To avoid dealing with an alphabet full of new options, we standardized on the -K option, which can be used to set the values of any property.

Some of the more recently added properties are:

audit_flags

Specifies per-user audit preselection flags as colon-separated always-audit-flags and never-audit-flags. As in, audit_flags=always-audit-flags:never-audit-flags. See audit_flags(5).

pam_policy

Specifies the PAM policy to apply to a user. pam_policy must be either an absolute pathname to a pam.conf(4)-formatted file or the name of a pam.conf-formatted file located in /etc/security/pam_policy.

roleauth

Specifies whether the assigned role requires a role password or the password of the user who is assuming the role. Valid values are role and user. If roleauth is not specified, roleauth=role is implied.

and two previously existing properties now take more fine-grained values:

Authorization names can be specified using an object, such as solaris.admin.edit/etc/motd, which grants permission to edit the file /etc/motd.

defaultpriv

An Extended Policy can be specified that qualifies the objects for which the privileges are granted. See privileges(5).

Practical Examples

I’ve developed three hands-on labs that demonstrate how to take advantage of some of these new features.

• The first lab demonstrates how to apply Extended Policy applies to individual privileges.
• The second lab demonstrates how fine-grained user authorizations can be applied to managing services.
• The third lab demonstrates how authentication policies can be customized for specific users.

Give them a try and use the comments field to let me know what you think.