Setting up RBAC Manually

Role Based Access Control (RBAC) is a Solaris feature that allows unprivileged users to carry out privileged commands. The usual method for doing this is to create a role that can carry out a range of privileged commands and allow specific users to su to that role. There are four files that make up the RBAC configuration. These are:

To set up a role and allow a user to assume that role, do the following:

  1. Edit /etc/security/exec_attr adding any commands your role may want to execute, e.g.

    Apache Management:suser:cmd:::/usr/local/bin/apachectl:uid=0

    (Note: for some commands, uid=0 is required, for others euid=0 is OK. I’m not sure how to verify whether you can get away with euid other than to test the command)

  2. Edit /etc/security/prof_attr to create a profile e.g.

    Apache Management:::Controlling Apache

  3. Use roleadd to add a role, e.g.

    roleadd -m -d /home/apacherl -c "Apache Administrator" -s /usr/bin/pfksh -P "Apache Management",All apacherl

    (Note: All is required with the -P flag so that the role can also execute the commands that ordinary users can run).

    The /etc/user_attr file should now look like:

    root::::type=normal…etc
    apacherl::::type=role;profiles=Apache Management,All

  4. You now need to specify which users can su to the role. For existing users do:

    usermod -R apacherl fbloggs

    For new users do:

    useradd -m -d /home/jbloggs -c "Some User" -s /usr/bin/ksh -R apacherl jbloggs

  5. You may need to restart nscd if the role doesn't take effect (/etc/init.d/nscd stop; /etc/init.d/nscd start).
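Once steps 1 to 4 have been applied, the three edited files have to agree with each other: the role's profiles= list must name profiles that prof_attr defines, and every exec_attr entry must belong to a defined profile and have all seven fields. The script below is an added example, not part of the original how-to, that checks exactly that and lists which users may assume the role. It assumes the three files sit in one directory (real systems keep exec_attr and prof_attr under /etc/security and user_attr under /etc, so copy them into one directory or point RBAC_DIR at such a copy); when RBAC_DIR is unset it builds constructed sample files mirroring the entries above, including a constructed prof_attr line for the All profile, so that it runs offline.

```sh
#!/bin/sh
# Consistency check for RBAC files (added example). Files are read from one directory:
#   $dir/exec_attr  $dir/prof_attr  $dir/user_attr

# Write constructed sample files that mirror the entries from the steps above.
make_sample_rbac() {
  mkdir -p "$1"
  cat > "$1/exec_attr" <<'EOF'
Apache Management:suser:cmd:::/usr/local/bin/apachectl:uid=0
EOF
  cat > "$1/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
Apache Management:::Controlling Apache:
EOF
  cat > "$1/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*
apacherl::::type=role;profiles=Apache Management,All
fbloggs::::type=normal;roles=apacherl
EOF
}

# Print the profiles= list of a role from user_attr; prints nothing if the role
# is missing or its entry is not type=role.
role_profiles() {
  awk -F: -v role="$2" '
    $1 == role {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++) {
        if (kv[i] == "type=role") isrole = 1
        if (substr(kv[i], 1, 9) == "profiles=") profs = substr(kv[i], 10)
      }
      if (isrole) print profs
    }' "$1/user_attr"
}

# List users whose roles= attribute lets them su to the role, one per line.
role_users() {
  awk -F: -v role="$2" '
    {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++)
        if (substr(kv[i], 1, 6) == "roles=") {
          m = split(substr(kv[i], 7), rl, ",")
          for (j = 1; j <= m; j++) if (rl[j] == role) print $1
        }
    }' "$1/user_attr"
}

# Exit 0 if the named profile has an entry in prof_attr.
profile_defined() {
  awk -F: -v p="$2" '$1 == p { found = 1 } END { exit !found }' "$1/prof_attr"
}

# Exit non-zero if any exec_attr line is malformed (not 7 colon-separated fields)
# or names a profile that prof_attr does not define.
check_exec_attr() {
  dir=$1 status=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
      echo "exec_attr: expected 7 fields, got $nf: $line" >&2; status=1
    fi
    prof=${line%%:*}
    if ! profile_defined "$dir" "$prof"; then
      echo "exec_attr: profile '$prof' not defined in prof_attr" >&2; status=1
    fi
  done < "$dir/exec_attr"
  return $status
}

# Exit 0 when the role exists as type=role, every profile it lists is defined,
# and exec_attr is well formed.
check_role() {
  dir=$1 role=$2 status=0
  profs=$(role_profiles "$dir" "$role")
  if [ -z "$profs" ]; then
    echo "user_attr: no type=role entry for '$role'" >&2; return 1
  fi
  # Profile names may contain spaces, so split the list on commas only.
  oldifs=$IFS; IFS=,; set -- $profs; IFS=$oldifs
  for p in "$@"; do
    if ! profile_defined "$dir" "$p"; then
      echo "prof_attr: profile '$p' listed for $role is not defined" >&2; status=1
    fi
  done
  check_exec_attr "$dir" || status=1
  return $status
}

# Stand-alone run: check RBAC_DIR, or the constructed sample when it is unset.
demo=""
if [ -z "$RBAC_DIR" ]; then demo=$(mktemp -d); make_sample_rbac "$demo"; RBAC_DIR=$demo; fi
role=${RBAC_ROLE:-apacherl}
if check_role "$RBAC_DIR" "$role"; then echo "$role: OK"; else echo "$role: problems found"; fi
echo "users able to su to $role:"; role_users "$RBAC_DIR" "$role"
[ -n "$demo" ] && rm -rf "$demo"
```

Run it with RBAC_DIR pointing at a directory holding copies of the three files (and RBAC_ROLE set to the role name) to check a real configuration; a missing profile definition or a truncated exec_attr line is reported on stderr and the check exits non-zero.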

Users fbloggs and jbloggs should now be able to su to the role apacherl, from which they can run apachectl as though they were root (useful if Apache is listening on the usual ports 80 and 443).