Posted on 2008-01-21 20:06

Authorizations
An authorization grants access to restricted functions in RBAC-compliant applications. Some applications and commands in the Solaris 10 OS are written to check the authorizations of the user calling them. You cannot create new authorizations; however, you can create and assign authorizations to new applications.
The predefined authorizations are listed in the authorization attributes configuration file named /etc/security/auth_attr.
# cat /etc/security/auth_attr
(output omitted)
solaris.jobs.:::Job Scheduler::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
(output omitted)
Each entry identifies, by a unique string, what is being authorized. For example, the crontab command requires the solaris.jobs.admin authorization before a user can edit another user's crontab file.
A hierarchy of authorizations can be established. The table shows how such a hierarchy is built.
Role and Authorization Relationships
Authorization(s)                         Action
solaris.admin.usermgr.read               Provides read but no write access to user configuration files.
solaris.admin.usermgr.read               Provides read and write access to user configuration files. Cannot change passwords.
solaris.admin.usermgr.write
solaris.admin.usermgr.read               Provides read, write, and password access to user configuration files.
solaris.admin.usermgr.write
solaris.admin.usermgr.pswd
Caution: An authorization that ends with the suffix grant permits a user to delegate any assigned authorizations that begin with the same prefix to other users.
For example, a role with the authorizations
solaris.admin.usermgr.grant
solaris.admin.usermgr.read
can delegate the solaris.admin.usermgr.read authorization to another user. A role with the authorizations
solaris.admin.usermgr.grant
solaris.admin.usermgr.*
can delegate any of the authorizations with the solaris.admin.usermgr prefix to other users.
Default Authorizations
All users have the Basic Solaris User profile by default.
# profiles chris
Printer Management
Basic Solaris User
All
The Basic Solaris User profile grants users access to all listed authorizations. The profiles=All field grants unrestricted access to all Solaris OS commands that have not been restricted by a definition in a previously listed authorization.
# grep 'Basic Solaris User' /etc/security/prof_attr
Basic Solaris User:::Automatically assigned rights:
auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,
solaris.admin.usermgr.read,solaris.admin.logsvc.read,
solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,
solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
solaris.compsys.read,solaris.admin.printer.read,
solaris.admin.prodreg.read,solaris.admin.dcmgr.read,
solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,
solaris.network.hosts.read,solaris.admin.volmgr.read;profiles=All;
help=RtDefault.html
Other default authorizations for every user can be defined in the /etc/security/policy.conf file:
# grep 'AUTHS' /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw
This authorization is in the default /etc/security/policy.conf file as installed with the Solaris 10 OS.
Authorizations can be assigned to user accounts. Authorizations can also be assigned to roles or embedded in a rights profile which can be assigned to a user or role.
The image shows the authorization assignment permutations.

The following example shows that a regular user is not permitted to look at another user’s crontab file:
# su - chris
Sun Microsystems Inc.   SunOS 5.10      s10_68  Sep. 20, 2004
$ crontab -l root
crontab: you must be super-user to access another user’s crontab file
$ exit
The authorization to manage other users' crontab files can be granted to the user from the command line or with the Solaris Management Console (SMC). This example shows the usermod command being used with the -A option to add an authorization:
# usermod -A solaris.jobs.admin chris
The /etc/user_attr user attributes file has been automatically modified with this new information.
# grep chris /etc/user_attr
chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management
The chris account is a normal user account (type=normal); it has now had the solaris.jobs.admin authorization added, and the Printer Management rights profile was added previously. Use the auths command to see the authorizations assigned to a user:
# auths chris
solaris.admin.printer.read,solaris.admin.printer.modify,
solaris.admin.printer.delete,solaris.device.cdrw,
solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,
solaris.admin.usermgr.read,solaris.admin.logsvc.read,
solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,
solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
solaris.compsys.read,solaris.admin.prodreg.read,
solaris.admin.dcmgr.read,solaris.snmp.read,
solaris.project.read,solaris.admin.patchmgr.read,
solaris.network.hosts.read,solaris.admin.volmgr.read
With this authorization, he can view or modify other users' crontab files:
# su - chris
Sun Microsystems Inc.   SunOS 5.10      s10_68  Sep. 20, 2004
$ crontab -l root
#ident  "@(#)root       1.21    04/03/23 SMI"
#
# The root crontab should be used to perform accounting data collection.
#
#
(output omitted)
$ exit
If a large number of user accounts require the same configuration and management of authorizations, it can be easier to assign the authorizations to a role and give the users access to the role.
The role can be created with the roleadd command or the Solaris Management Console (SMC). This example uses the -P and -A options of the roleadd command to create a role called level2 with the rights profile Mail Management and the authorization solaris.admin.usermgr.*.
# roleadd -m -d /export/home/level2 -P "Mail Management" -A "solaris.admin.usermgr.*" level2
64 blocks
# passwd level2
New Password: level2
Re-enter new Password: level2
passwd: password successfully changed for level2
# profiles level2
Mail Management
Basic Solaris User
All
# auths level2
solaris.admin.usermgr.*
(output omitted)
A rights profile usually includes a list of commands and special security attributes, the rights, as defined in the /etc/security/exec_attr file.
# grep "^Mail" /etc/security/exec_attr
Mail Management:suser:cmd:::/etc/init.d/sendmail:uid=0;gid=sys
Mail Management:suser:cmd:::/usr/lib/sendmail:uid=0
Mail Management:suser:cmd:::/usr/sbin/editmap:euid=0
Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
Mail Management:suser:cmd:::/usr/sbin/newaliases:euid=0
It is also possible to include predefined authorizations from the /etc/security/auth_attr file in the rights profile by adding the authorizations to the /etc/security/prof_attr file.
For example, the predefined Cron Management rights profile includes commands and authorizations. The /etc/security/prof_attr file defines the authorizations.
# grep '^Cron' /etc/security/prof_attr
Cron Management:::Manage at and cron jobs:
                auths=solaris.jobs.*;help=RtCronMngmnt.html
The /etc/security/exec_attr defines the commands and special security attributes.
# grep '^Cron' /etc/security/exec_attr
Cron Management:suser:cmd:::/etc/init.d/cron:uid=0;gid=sys
Cron Management:suser:cmd:::/usr/bin/crontab:euid=0
The rights profile can then be given to a user:
# usermod -P “Cron Management” paul
Or a role:
# rolemod -P “Cron Management” level2
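As an added example (not part of the original post), the following Python models how the files described above combine into a user's effective authorization list, the way the auths command reports it, and applies the wildcard and grant-delegation rules from the hierarchy section. The user_attr, prof_attr and policy.conf contents, the profile descriptions and the help file names are constructed samples, and the requirement in can_delegate that the .grant authorization be held literally is an assumption.

```python
import fnmatch
# Constructed sample lines in the formats of /etc/user_attr, /etc/security/prof_attr
# and /etc/security/policy.conf (not copied from a real host).
USER_ATTR = "chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management\n"
PROF_ATTR = (
    "Printer Management:::Manage printers:auths=solaris.admin.printer.read,"
    "solaris.admin.printer.modify;help=RtPrntAdmin.html\n"
    "Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,"
    "solaris.admin.usermgr.read;profiles=All;help=RtDefault.html\n"
)
POLICY_CONF = "# comment\nAUTHS_GRANTED=solaris.device.cdrw\nPROFS_GRANTED=Basic Solaris User\n"
def parse_kv(field):
    """Parse a 'key=val;key=val' attribute field into a dict."""
    return dict(item.split("=", 1) for item in field.split(";") if "=" in item)

def parse_attr_file(text):
    """Map the first colon-separated field (name) to the key=value attrs in the last field."""
    return {ln.split(":")[0]: parse_kv(ln.split(":")[-1])
            for ln in text.splitlines() if ln and not ln.startswith("#")}

def parse_policy(text):
    """policy.conf is KEY=value per line; reuse the attribute parser."""
    return parse_kv(";".join(ln for ln in text.splitlines() if ln and not ln.startswith("#")))

def csv(attrs, key):
    return [v for v in attrs.get(key, "").split(",") if v]

def effective_auths(user, user_attr, prof_attr, policy):
    """Union of the user's direct auths, the auths of every assigned profile
    (nested profiles followed) and AUTHS_GRANTED/PROFS_GRANTED from policy.conf."""
    me = user_attr.get(user, {})
    auths = set(csv(me, "auths") + csv(policy, "AUTHS_GRANTED"))
    pending, seen = csv(me, "profiles") + csv(policy, "PROFS_GRANTED"), set()
    while pending:
        prof = pending.pop()
        if prof in seen or prof not in prof_attr:  # 'All' carries no auths entry here
            continue
        seen.add(prof)
        auths.update(csv(prof_attr[prof], "auths"))
        pending += csv(prof_attr[prof], "profiles")
    return auths

def has_auth(auths, wanted):
    """Exact or wildcard match: solaris.admin.usermgr.* covers solaris.admin.usermgr.pswd."""
    return any(fnmatch.fnmatchcase(wanted, a) for a in auths)

def can_delegate(auths, wanted):
    """Rule from the post: holding <prefix>.grant permits delegating held <prefix>.*
    authorizations. Assumption: the .grant authorization must be held literally."""
    return wanted.rsplit(".", 1)[0] + ".grant" in auths and has_auth(auths, wanted)
```

Feed it the real files and a username to compare the computed set against the output of auths on the same host.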

This article is from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u1/36549/showart_468978.html