Role Based Access Contol (RBAC) is a Solaris feature that allows unprivileged users to carry out privileged commands. The usual method for doing this is to create a role that can carry out a range of privileged commands and allow specific users to su to that role. There are four files that make up RBAC configuration. These are:

 /etc/user_attr - contains roles and users for those roles
 /etc/security/exec_attr - contains commands
 /etc/security/prof_attr - contains profiles (which are a way of grouping commands together)
 /etc/security/auth_attr - contains built in solaris authorisations (just added to confuse the innocent!)

To set up a role and allow a user to assume that role, do the following:

 1. Edit /etc/security/exec_attr adding any commands your role may want to
    execute, e.g.
    Apache Management:suser:cmd:::/usr/local/bin/apachectl:uid=0
    (Note: for some commands, uid=0 is required, for others euid=0 is OK. I'm
    not sure how to verify whether you can get away with euid other than to
    test the command)
 2. Edit /etc/security/prof_attr to create a profile e.g.
    Apache Management:::Controlling Apache
 3. Use roleadd to add a role, e.g.
    roleadd -m -d /home/apacherl -c "Apache Administrator" -s /usr/bin/pfksh
    -P "Apache Management",All apacherl
    (Note: All is required with the -P flag so that the role can execute
    commands normally executable by users).
    The /etc/user_attr file should now look like:
    apacherl::::type=role;profiles=Apache Management,All
 4. You now need to specify which users can su to the role. For existing
    users do:
    usermod -R apacherl fbloggs
    For new users do:
    useradd -m -d /home/jbloggs -c "Some User" -s /usr/bin/ksh -R apacherl
 5. You may need to restart nscd if the role doesn't take affect ( /etc/
    init.d/nscd stop/start)

Users fbloggs and jbloggs should now be able to su to role apacherl from where they can run the apachectl as though they were root (useful if apache is listening on the usual ports 80 & 443 ).

Recent Changes