Setting up RBAC Manually
Role Based Access Contol (RBAC) is a Solaris feature that allows unprivileged users to carry out privileged commands. The usual method for doing this is to create a role that can carry out a range of privileged commands and allow specific users to su to that role. There are four files that make up RBAC configuration. These are:
/etc/user_attr - contains roles and users for those roles
/etc/security/exec_attr - contains commands
/etc/security/prof_attr - contains profiles (which are a way of grouping commands together)
/etc/security/auth_attr - contains built in solaris authorisations (just added to confuse the innocent!)
To set up a role and allow a user to assume that role, do the following:
Edit /etc/security/exec_attr adding any commands your role may want to execute, e.g.
(Note: for some commands, uid=0 is required, for others euid=0 is OK. I’m not sure how to verify whether you can get away with euid other than to test the command)
Edit /etc/security/prof_attr to create a profile e.g.
Apache Management:::Controlling Apache
Use roleadd to add a role, e.g.
roleadd -m -d /home/apacherl -c “Apache Administrator” -s /usr/bin/pfksh -P “Apache Management”,All apacherl
(Note: All is required with the -P flag so that the role can execute commands normally executable by users).
The /etc/user_attr file should now look like:
root::::type=normal…etc apacherl::::type=role;profiles=Apache Management,All
You now need to specify which users can su to the role. For existing users do:
usermod -R apacherl fbloggs
For new users do:
useradd -m -d /home/jbloggs -c “Some User” -s /usr/bin/ksh -R apacherl jbloggs
You may need to restart nscd if the role doesn’t take affect ( /etc/init.d/nscd stop/start )
Users fbloggs and jbloggs should now be able to su to role apacherl from where they can run the apachectl as though they were root (useful if apache is listening on the usual ports 80 & 443 ).