Rights can be granted either by using an authorization, a profile group, or a privilege. This is where things may get a little confusing.
RBAC works in the following manner:
You create a role user account. You then assign the role an authorization group, a profile group, or system privileges, or any combination of those three. If you're using a privileged application, it checks the role account to make sure that it has the proper authorizations. If you're running a command from the command line, the role needs to have a profile group defined for it. The profile group is then looked up in the /etc/security/exec_attr file to determine which commands that profile is allowed to run and the user/group ID that the program will run as. The program then runs as that user/group ID.
There are privileged applications and then there are system privileges. Do not confuse these two terms. Privileged applications have RBAC authorizations baked into them by using the RBAC API calls. System privileges are used to grant access to system calls that go through the kernel. They do not use the RBAC APIs but allow access to kernel APIs.
Privileged applications include the Solaris Management Console utility, at, atq, batch, crontab, allocate, deallocate, and list_devices.
Applications that use system privileges include the Kerberos commands, ifconfig, routeadm, snoop, chmod, chgrp, mount, kill, and others.
System privileges include system calls such as execve(). Everyone has basic system privileges. To see what these are, use:
ppriv -vl basic
For more information on system privileges:
man add_drv
man devfsadm
man getdevpolicy
man getppriv
man ppriv
man privileges
man update_drv
To debug system privileges, use ppriv or truss. ppriv -lv writes a list of all system privileges to standard output.
The /etc/security/auth_attr file is used to grant access to normal system-type commands such as changing the date and time or managing printers. When defining a custom role, you may or may not need to update this file. The applications that check these authorizations are created using the RBAC API calls. The Solaris Management Console is a great example of an application that uses authorizations.
Based on whether you are authorized or not, the application will grant or deny you access to certain parts of the program. Authorizations can be thought of as an on/off switch. If you are authorized, you are granted access; otherwise, you are denied access.
The /etc/security/prof_attr file contains profile groups. A tag in this file may match tags in the /etc/security/exec_attr file or in the /etc/security/auth_attr file. The /etc/security/exec_attr file is where the actual commands that the user can run are stored. Profile groups can also be used to group authorizations in one place. If a privileged application needs to run a command from the command line, that command is referenced in /etc/security/exec_attr under a tag that matches an entry in the /etc/security/prof_attr file, as you will see later on.
System privileges are granted by entries in either /etc/user_attr or /etc/passwd. The entries in either file determine which kernel privileges the role or user has been granted.
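The lookup chain described above (role account, then profile group, then the commands and IDs in exec_attr) can be traced by hand when auditing a role. The following is an added example, not part of the original tutorial or of Solaris itself: the role prtadm, the profile names and every sample entry are constructed, and the parser assumes the colon-separated field layouts of user_attr, prof_attr and exec_attr.

```python
# Constructed sample entries in the user_attr, prof_attr and exec_attr formats.
USER_ATTR = "prtadm::::type=role;profiles=Printer Ops\n"
PROF_ATTR = """\
Printer Ops:::Constructed profile:auths=solaris.print.admin;profiles=Queue Tools
Queue Tools:::Constructed nested profile:
"""
EXEC_ATTR = """\
Printer Ops:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Ops:suser:cmd:::/usr/sbin/lpadmin:uid=0
Queue Tools:suser:cmd:::/usr/bin/cancel:euid=lp
Other Profile:suser:cmd:::/usr/sbin/reboot:uid=0
"""

def parse_attrs(field):
    """Turn 'key=v1,v2;key=v' into {key: [values]}."""
    out = {}
    for pair in filter(None, field.strip().split(";")):
        key, _, value = pair.partition("=")
        out[key] = value.split(",")
    return out

def rows(text, nfields):
    """Yield colon-separated records, skipping blanks and comments."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)

def profiles_for(account):
    """Profiles from user_attr, expanded through nested 'profiles=' in prof_attr."""
    prof_db = {r[0]: parse_attrs(r[4]) for r in rows(PROF_ATTR, 5)}
    todo = [p for r in rows(USER_ATTR, 5) if r[0] == account
            for p in parse_attrs(r[4]).get("profiles", [])]
    seen = []
    while todo:
        name = todo.pop(0)
        if name not in seen:  # also stops profile loops
            seen.append(name)
            todo += prof_db.get(name, {}).get("profiles", [])
    return seen

def commands_for(account):
    """Map each command the account's profiles allow to its exec_attr ids."""
    allowed = profiles_for(account)
    return {r[5]: parse_attrs(r[6]) for r in rows(EXEC_ATTR, 7) if r[0] in allowed}

def runs_as_root(account):
    """Commands that exec_attr runs with a real or effective uid of root."""
    root = (["0"], ["root"])
    return sorted(c for c, ids in commands_for(account).items()
                  if ids.get("uid") in root or ids.get("euid") in root)
```

Calling runs_as_root("prtadm") on the sample data returns only /usr/sbin/lpadmin, which is the kind of entry worth reviewing first when checking a role for least privilege.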