Introducing RBAC Fundamentals
Posted on ChinaUnix, 2008-01-21 20:12

In conventional UNIX systems, the root user (also referred to as the superuser) is the most powerful user, with the ability to read and write to any file, run all programs, and send kill signals to any process. Anyone who can become superuser can modify a site's firewall, alter the audit trail, and read confidential records.
In systems implementing RBAC, individual users can be assigned to roles, such as system administrator, network administrator, or operator. Roles are associated with rights profiles. The rights profiles list the rights to run specific commands and applications with escalated privileges.
Roles can also be assigned authorizations. An authorization grants access to restricted functions in RBAC-compliant applications. RBAC-compliant applications are linked to libsecdb so they can be checked for privileges.
As well as roles, individual users may also be granted rights profiles and authorizations to specific applications. The authorizations, roles, rights profiles, and privileged commands are defined in four files:

    The /etc/user_attr file
    The /etc/security/prof_attr file
    The /etc/security/policy.conf file
    The /etc/security/exec_attr file

The user_attr File
The /etc/user_attr file contains user and role information that supplements the /etc/passwd and /etc/shadow files. The /etc/user_attr file lists the rights profiles and authorizations associated with users and roles.
When creating a new user account with no rights profiles, authorizations or roles, nothing is added to the file:
# useradd -m -d /export/home/chris chris
64 blocks
# grep chris /etc/user_attr
#
As each of the RBAC features is explained, the automatic modifications to this file are shown.
A role is a special identity, similar to a user account, for running privileged applications or commands, that can be assumed only by the users assigned to it.
While no predefined roles are shipped with the Solaris 10 OS, predefined rights profiles, or collections of privileges, can be associated with roles. To define a role, you assign the rights profiles to the role, as shown in the image.

It is not possible to log in as a role. A role can only be used by switching the user to the role with the su command. The roles command lists the roles a user has been assigned:
# roles root
No roles
# roles chris
No roles
Note: You can also set up the root user as a role through a manual process. This approach prevents users from logging in directly as the root user. Therefore, they must log in as themselves first, and then use the su command to assume the role.
A rights profile is a collection of rights that can be assigned to a user, as shown in the image. The rights are commands or scripts which are run with special security attributes.

Many examples of rights profiles are shipped with the Solaris 10 OS. The rights profile names and descriptions are defined in the /etc/security/prof_attr file. New rights profiles can be created by editing this file or using the Solaris Management Console (SMC). This example shows a few lines from that file.
# cat /etc/security/prof_attr
(output omitted)
All:::Execute any command as the user or role:help=RtAll.html
Log Management:::Manage log files:help=RtLogMngmnt.html
Media Backup:::Backup files and file systems:help=RtMediaBkup.html
Media Restore:::Restore files and file systems from backups:help=RtMediaRestore.html
(output omitted)
Each line starts with the rights profile name. The middle fields are not used, and the last two fields are a comment and a pointer to a help file. Help files are written in Hypertext Markup Language (HTML) and they can be customized if required. These HTML help files exist in the /usr/lib/help/auths/locale/C directory.
The rights profiles assigned to a user can be listed with the profiles command or through the Solaris Management Console. This example shows the default profiles assigned to every new user account:
# profiles chris
Basic Solaris User
All
Every account has the All rights profile. It allows any command to be executed but with special security attributes. Other rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file. The Basic Solaris User rights profile is listed in this file:
# grep 'PROFS' /etc/security/policy.conf
PROFS_GRANTED=Basic Solaris User
Rights profiles can be assigned to a user account with the usermod command or the Solaris Management Console (SMC). This example shows the Printer Management rights profile being assigned to the chris user account.
# usermod -P "Printer Management" chris
# profiles chris
Printer Management
Basic Solaris User
All
This automatically updates the /etc/user_attr file as shown below:
# grep chris /etc/user_attr
chris::::type=normal;profiles=Printer Management
The new line for the user chris shows the new profile assignment. The file uses colons (:) to separate the fields on each line. The first field is the user name as it appears in the /etc/passwd and /etc/shadow files. The middle fields are reserved for future use, and the last field is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands.
The contents of a rights profile can be examined from the command line with the -l option of the profiles command or in the Solaris Management Console (SMC).
# profiles -l chris
      Printer Management:
          /etc/init.d/lp    euid=0, uid=0
          /usr/bin/cancel    euid=lp, uid=lp
          /usr/bin/lpset    egid=14
          /usr/bin/lpstat    euid=0
          /usr/lib/lp/local/accept    uid=lp
          /usr/lib/lp/local/lpadmin    uid=lp, gid=8
          /usr/lib/lp/lpsched    uid=0
          /usr/sbin/accept    euid=lp, uid=lp
          /usr/sbin/lpadmin    egid=14, uid=lp, gid=8
          /usr/sbin/lpfilter    euid=lp, uid=lp
          /usr/sbin/lpforms    euid=lp
          /usr/sbin/lpmove    euid=lp
          /usr/sbin/lpshut    euid=lp
          /usr/sbin/lpusers    euid=lp
          /usr/ucb/lpq    euid=0
          /usr/ucb/lprm    euid=0
      All:
          *
The individual commands in the rights profile can be seen, along with the special security attributes with which they are executed.
This example shows the user chris being able to enable and disable a printer.
The /etc/security/exec_attr File
The /etc/security/exec_attr file holds the execution attributes. An execution attribute is associated with a rights profile name.
An execution attribute can be a command with no options or a script that contains a command with options. The only way to add options to a command is by using a script. You can use the (*) wildcard. Commands should have the full path.
Special security attributes refer to attributes, such as UID, EUID, GID, and EGID, that can be added to a process when the command is run. Only the users and roles assigned access to this rights profile can run the command with special security attributes.
The commands and special security attributes for the Printer Management rights profile are listed below:
# grep 'Printer Management' /etc/security/exec_attr
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0;uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8
Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0
The previous section described how to add rights profiles to user accounts. If a large number of user accounts require the same configuration and management of rights profiles, it can be easier to assign the rights profiles to a role and give the users access to the role. The image shows the assignment of rights profiles to a role called level1 and giving the user john account access to the role:

Creating a Role
The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and /etc/user_attr files. Some common options include:
roleadd Command Options
-c comment    A text string that provides a short description of the role.
-d dir        Specifies the home directory of the new role.
-m            Creates the new role's home directory if it does not already exist.
-P profile    Assigns rights profiles to the role. Use commas (,) to separate multiple rights profiles.
# roleadd -m -d /export/home/level1 -c "Level One Support" -P "Printer Management,Media Backup,Media Restore" level1
64 blocks
# passwd level1
New Password: level1
Re-enter new Password: level1
passwd: password successfully changed for level1
In this example, the roleadd command creates a new role called level1, builds the home directory, and assigns the role the rights profiles Printer Management, Media Backup, and Media Restore. The role cannot be used until a password is applied to it.
Note: The installation of the Solaris 10 OS has the Printer Management, Media Backup, and Media Restore rights profiles already defined in the /etc/security/exec_attr file and the /etc/security/prof_attr file.
The changes to the /etc/passwd, /etc/shadow, and /etc/user_attr files are shown below:
# grep level1 /etc/passwd
level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh
# grep level1 /etc/shadow
level1:CUs8aQ64vTrZ.:12713::::::
# grep level1 /etc/user_attr
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
The type of this account is role (type=role) and includes the rights profiles Printer Management, Media Backup, and Media Restore.
Modifying a Role
To modify the login information of a role on a system, use the rolemod command. The rolemod command changes the definition of the specified role and makes the appropriate login-related changes to the system file and file system. The fields in the rolemod command are:
rolemod Command Options
-e expire          Specifies the expiration date for a role.
-l new_logname     Specifies the new login name for the role.
-P profile         Specifies one or more comma-separated rights profiles, as defined in the /etc/security/prof_attr file.
-s shell           Specifies the full path name of the program that is used as the role's shell when logging in. These shells are special versions of the Bourne shell (sh), C shell (csh), and Korn shell (ksh).
This example modifies the role’s rights profiles.
# rolemod -P profile1,profile2 -s /usr/bin/pfksh level1
In this example, the rolemod command assigns the profile1 and profile2 profiles and the /usr/bin/pfksh profile shell to the role named level1.
Purpose of the Profile Shells
A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile. The standard UNIX shells cannot be used, as they are not aware of the RBAC files and do not consult them.
When the user executes a command, the profile shell searches the role’s rights profiles and associated rights. If the same command appears in more than one profile, the profile shell uses the first matching entry. The profile shell executes the command with the attributes specified in the RBAC configuration files.
The profile shells are pfsh, pfcsh, and pfksh. These profile shells correspond to Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
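The following Python is an added illustration, not part of the original post or of Solaris itself: it models the lookup a profile shell performs against the user_attr and exec_attr layouts shown above, listing an identity's rights profiles in assignment order (with the defaults Basic Solaris User and All appended, as the profiles command shows) and returning the attributes of the first matching exec_attr entry. The sample entries are constructed from the post's own grep output; the /usr/bin/tar line and the hard-coded default profiles are assumptions.

```python
from fnmatch import fnmatch

# Constructed sample user_attr entries (name::::key=value;key=value),
# taken from the post's own grep output.
USER_ATTR = """\
chris::::type=normal;profiles=Printer Management
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
"""

# Constructed sample exec_attr entries (profile:policy:type:::path:attrs).
# The /usr/bin/tar line is an assumption; the others are from the post.
EXEC_ATTR = """\
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8
Media Backup:suser:cmd:::/usr/bin/tar:euid=0
All:suser:cmd:::*:
"""

# Assumed defaults: PROFS_GRANTED from policy.conf, then All.
DEFAULT_PROFILES = ["Basic Solaris User", "All"]

def parse_attrs(field):
    """'euid=lp;uid=lp' -> {'euid': 'lp', 'uid': 'lp'}; an empty field -> {}."""
    return dict(kv.split("=", 1) for kv in field.split(";") if kv)

def user_profiles(user_attr, name):
    """Rights profiles of a user or role in assignment order, defaults appended."""
    for line in user_attr.splitlines():
        fields = line.split(":")
        if fields[0] == name:
            listed = parse_attrs(fields[4]).get("profiles", "")
            return [p for p in listed.split(",") if p] + DEFAULT_PROFILES
    return list(DEFAULT_PROFILES)

def exec_entries(exec_attr):
    """(profile, path pattern, attrs) triples in file order."""
    rows = [line.split(":") for line in exec_attr.splitlines()]
    return [(f[0], f[5], parse_attrs(f[6])) for f in rows]

def resolve(user_attr, exec_attr, name, path):
    """Attributes a profile shell applies to `path` for `name`: the first match
    wins, walking profiles in assignment order, then exec_attr in file order."""
    entries = exec_entries(exec_attr)
    for profile in user_profiles(user_attr, name):
        for prof, pattern, attrs in entries:
            if prof == profile and fnmatch(path, pattern):
                return attrs
    return None  # no profile covers the command
```

An empty result means the command matched only the All wildcard and runs with the caller's own identity; the role level1 gets euid=0 for tar because Media Backup precedes All in its list.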
A user can have access to many roles. The useradd command or Solaris Management Console (SMC) can be used to define which roles a new user has access to. The example shows the useradd command being used with the -R option to define roles:
# useradd -m -d /export/home/paul -R level1 paul
64 blocks
# passwd paul
New Password: paul
Re-enter new Password: paul
passwd: password successfully changed for paul
The roles command lists the roles a user account has access to:
# roles paul
level1
The association between the paul user account and the level1 role is defined automatically in the /etc/user_attr file:
# grep paul /etc/user_attr
paul::::type=normal;roles=level1
To add roles to an existing user account, use the usermod command or the Solaris Management Console (SMC). This example shows access to the level1 role being given to chris with the usermod command:
# usermod -R level1 chris
To remove all role access from a user account, use the usermod command or the Solaris Management Console (SMC). This example uses usermod to remove all role access from the chris account:
# usermod -R "" chris
As it is not possible to log in to a role account, log in as a regular user first. The roles command shows the roles available to your account.
$ id
uid=103(paul) gid=1(other)
$ roles
level1
Switch the user to the role account with the su command.
$ su level1
Password: level1
$ id
uid=102(level1) gid=1(other)
The level1 role has the two default rights profiles and was configured with three extra rights profiles.
$ profiles
Printer Management
Media Backup
Media Restore
Basic Solaris User
All
The Printer Management rights profile has a right which allows the cancel command to be run as the lp user.
$ lpstat -t
scheduler is running
system default destination: laser
system for _default: host1 (as printer laser)
device for laser: /dev/null
_default accepting requests since Fri Oct 22 13:59:24 2004
laser accepting requests since Fri Oct 22 13:59:24 2004
printer laser disabled since Fri Oct 22 13:59:34 2004. available.
        Changing Toner
laser-8                 root               479   Oct 22 14:12
$ cancel laser-8
laser-8: cancelled

This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u1/36549/showart_468981.html