Putting it all together


Let's say that we want our new hire to be able to add users to the system.


A normal user cannot run the useradd command.


$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: Permission denied.


Add the following to the end of the /etc/security/exec_attr file:


useradd:suser:cmd:::/usr/sbin/useradd:uid=0


This tells the system that anyone with the "useradd" profile will be allowed to run /usr/sbin/useradd with an id of zero (root).


Next we need to create the profile. Update the /etc/security/prof_attr file as follows:


useradd:::Allow users to run the useradd command:


In the example above, useradd is being used as a tag. useradd must appear in both the /etc/security/exec_attr file and /etc/security/prof_attr file.


This is how the databases correlate with one another.


Once this is complete, create the following role:


roleadd -m -d /export/home/creatusr -c "Allow users to create other users" \
-s /usr/bin/pfsh -P useradd,All creatusr


Changes to /etc/passwd:


creatusr:x:103:1:Allow users to create other users:/export/home/creatusr:/usr/bin/pfsh


Changes to /etc/user_attr:


creatusr::::type=role;profiles=useradd,All


From this we can see that the creatusr account was created, that it has a home directory assigned to it, that it uses the Bourne profile shell (pfsh), that it has the profiles All and useradd attached to it, and that it is a role account.


Then you can set the password for the creatusr account:


passwd creatusr


Now we need to create an account for the new hire.


useradd -d /export/home/newhire -m -R creatusr newhire


Changes to /etc/passwd:


newhire:x:104:1::/export/home/newhire:/bin/sh


Changes to /etc/user_attr:


newhire::::type=normal;roles=creatusr


From this we can see that a normal user account named newhire has been created and it has access to one role: creatusr.


Create a password for newhire:


passwd newhire


Now we're ready to test this setup. Do this with the following commands:


Log on as newhire:


$ echo $0
/bin/sh


$ id
uid=104(newhire) gid=1(other)


$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: Permission denied.


$ su - creatusr
Password:


$ echo $0
-pfsh


$ /usr/sbin/useradd
UX: /usr/sbin/useradd: ERROR: invalid syntax.
usage: useradd [-u uid [-o] | -g group | -G group[[,group]...] |-d dir | -b base_dir |


/usr/sbin/useradd no longer says permission denied. Since we gave access only to the useradd command, running usermod still results in permission denied.


We could add another line to /etc/security/exec_attr for each additional command we want this role to be able to run.
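To make the correlation between the three databases concrete, here is a small Python resolver (an added example, not part of the original page) that parses the exec_attr, prof_attr and user_attr entries shown above, embedded as constructed sample text, and reports which roles newhire may assume and which commands creatusr may run and as what uid. The function names are my own, and the stock Solaris wildcard exec_attr entry for the All profile is left out of the sample.

```python
# Added example (not from the original page): a small resolver that correlates
# the exec_attr, prof_attr and user_attr entries shown above. The database text
# is constructed from the page; the stock wildcard entry for "All" is left out.
EXEC_ATTR = "useradd:suser:cmd:::/usr/sbin/useradd:uid=0\n"
PROF_ATTR = "useradd:::Allow users to run the useradd command:\n"
USER_ATTR = ("creatusr::::type=role;profiles=useradd,All\n"
             "newhire::::type=normal;roles=creatusr\n")


def _records(text, nfields):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)


def _attrs(field):
    """Parse the trailing 'key=val;key=val' attribute field into a dict."""
    return dict(kv.partition("=")[::2] for kv in field.split(";") if kv)


def user_attr(name, text=USER_ATTR):
    """Attribute dict (type, profiles, roles, ...) of a user_attr entry."""
    for user, _qual, _res1, _res2, attrs in _records(text, 5):
        if user == name:
            return _attrs(attrs)
    return {}


def roles_for_user(name, text=USER_ATTR):
    """Roles the account may assume with su, from its roles= attribute."""
    return [r for r in user_attr(name, text).get("roles", "").split(",") if r]


def commands_for_role(role, user_text=USER_ATTR, prof_text=PROF_ATTR,
                      exec_text=EXEC_ATTR):
    """Map each command path the role may run to the uid it runs with; a
    profile counts only if assigned in user_attr and defined in prof_attr."""
    assigned = set(user_attr(role, user_text).get("profiles", "").split(","))
    defined = {rec[0] for rec in _records(prof_text, 5)}
    commands = {}
    for prof, _pol, kind, _res1, _res2, path, attrs in _records(exec_text, 7):
        if kind == "cmd" and prof in assigned and prof in defined:
            commands[path] = _attrs(attrs).get("uid")
    return commands


def can_run(name, path):
    """True if the account may run path directly or via one of its roles."""
    accounts = [name] + roles_for_user(name)
    return any(path in commands_for_role(acct) for acct in accounts)
```

Running `can_run("newhire", "/usr/sbin/usermod")` returns False, mirroring the permission denied seen above for commands the useradd profile does not cover.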


Inform the newhire account holder of the role account named creatusr, its password, and what it is used for.





This Web Site Copyright © 1997 - 2008
by Alan Pae - All Rights Reserved