Tille - I can see you, read those man pages!   Tille's Site

Setting up RBAC in 10 steps

In the example below, we create a role that can change the X server settings, such as monitor resolution and depth, using the /usr/sbin/m64config command. As you will notice, on a standard installation this command carries far more privilege than it should (it is installed setuid), so we first remove the setuid bit and the execute permission for others. After that nobody except root can run it directly; the role we build is the only sanctioned way in.

  1. Create a role that can execute this task:

    roleadd -u 666 -g 10 -m -d /export/home/m64user m64user
    
  2. This adds an entry for m64user to /etc/passwd (and /etc/shadow), plus a type=role entry in /etc/user_attr. Role accounts use a profile shell (roleadd gives /bin/pfsh by default); normal shells are not aware of roles. Set the password for this account with passwd.

  3. Create the profile for this account adding a line to /etc/security/prof_attr:

    Xadm:::Can change X settings:
    
  4. Add this profile to the role:

    rolemod -P Xadm,All m64user
    

    The All profile is needed next to Xadm: a profile shell only runs commands that appear in one of the role's profiles, and All covers every command not listed elsewhere in exec_attr. Without it the role could run m64config and nothing else. It also keeps the SMC output consistent.

  5. Add or create a user that can access this role:

    usermod -R m64user username
    

    or

    useradd -u 777 -g 10 -m -d /export/home/username -s /bin/bash -R m64user username
    

    Set the password for this user if you added a new account.

  6. Check /etc/user_attr: it should now contain an entry for m64user with type=role and profiles=Xadm,All, and an entry for username with roles=m64user.

  7. Give the profile the right to execute m64config as root by adding a line to /etc/security/exec_attr:

    Xadm:suser:cmd:::/usr/sbin/m64config:uid=0
    

    Read man exec_attr for the details of the fields (name, policy, type, res1, res2, id, attr).

    NOTE: the id field holds only the full path of the executable; you cannot put options or arguments in the exec_attr entry. The role can still pass options when it invokes the command. If you want to restrict the role to a fixed set of options, write a wrapper script that calls the command with those arguments and list the script in exec_attr instead. Because that script then runs with uid=0, it must be owned by root and not writable by the role or anyone else, otherwise the role can edit it and run anything as root.

  8. Test the new role: log in as the user who is assigned the role and try to execute m64config directly. This should now fail: the execute bit for others is gone, and the user's normal shell does not apply any profile.

  9. As this user, issue the roles command: it should list m64user. The profiles command shows only the user's own profiles; Xadm belongs to the role, so it does not appear here.

  10. Assume the role from the user's session with su - m64user (roles cannot be logged into directly; step 5 is what allows this user to su to it). In the profile shell you should now have the right to execute m64config, and profiles -l lists the Xadm entry with uid=0.
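The ten steps above as one re-runnable script, added here as an example and not taken from the original page. It assumes the names and UIDs used on this page (m64user, username, Xadm, 666, 777), the default Solaris paths for prof_attr and exec_attr (overridable through the environment for testing), and that "remove the SUID bit and the execute permissions for everyone" translates to chmod u-s,o-x. The apply part calls the Solaris commands roleadd, rolemod, useradd, usermod and passwd and must run as root on Solaris; the helper functions (record builders, idempotent append, the lock-down and exec_attr checks) are plain POSIX sh and run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): Solaris RBAC setup for m64config.
# Assumed names/paths: see the lead-in. Run "sh rbac-m64.sh apply" as root on Solaris.

PROF_ATTR=${PROF_ATTR:-/etc/security/prof_attr}
EXEC_ATTR=${EXEC_ATTR:-/etc/security/exec_attr}
CMD=/usr/sbin/m64config
ROLE=m64user
USER_NAME=username
PROFILE=Xadm

# prof_attr(4) record: profname:res1:res2:desc:attr
prof_attr_line() {
    printf '%s:::%s:\n' "$1" "$2"
}

# exec_attr(4) record: name:policy:type:res1:res2:id:attr
# Policy suser, type cmd, uid=0: the command runs with real uid 0.
exec_attr_line() {
    printf '%s:suser:cmd:::%s:uid=0\n' "$1" "$2"
}

# Append a record to a file only if it is not already there (safe to re-run).
add_line_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -Fxq -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Print the names of all profiles in $1 that grant the command $2 (exact path).
profiles_for_cmd() {
    awk -F: -v cmd="$2" '$3 == "cmd" && $6 == cmd { print $1 }' "$1"
}

# Lock-down check for the target binary: returns 0 only when the setuid bit
# is clear and "others" have no execute bit, i.e. nobody bypasses RBAC.
is_locked_down() {
    f=$1
    [ -e "$f" ] || return 1
    [ -u "$f" ] && return 1
    other_x=$(ls -ld "$f" | cut -c10)
    case "$other_x" in
        x|t) return 1 ;;
    esac
    return 0
}

apply() {
    # Step 0: take the setuid bit and world execute away from the binary.
    chmod u-s,o-x "$CMD"
    # Steps 1-2: role account; roleadd gives it /bin/pfsh by default.
    roleadd -u 666 -g 10 -m -d "/export/home/$ROLE" "$ROLE"
    passwd "$ROLE"
    # Step 3: the Xadm profile.
    add_line_once "$PROF_ATTR" "$(prof_attr_line "$PROFILE" 'Can change X settings')"
    # Step 4: attach Xadm plus All, so the profile shell can still run ordinary commands.
    rolemod -P "$PROFILE,All" "$ROLE"
    # Step 5: let an existing or new user assume the role.
    if getent passwd "$USER_NAME" >/dev/null; then
        usermod -R "$ROLE" "$USER_NAME"
    else
        useradd -u 777 -g 10 -m -d "/export/home/$USER_NAME" -s /bin/bash -R "$ROLE" "$USER_NAME"
        passwd "$USER_NAME"
    fi
    # Step 7: the actual grant in exec_attr (path only, no arguments).
    add_line_once "$EXEC_ATTR" "$(exec_attr_line "$PROFILE" "$CMD")"
    # Step 6 and a sanity check for steps 8-10.
    for name in "$ROLE" "$USER_NAME"; do grep "^$name:" /etc/user_attr; done
    if is_locked_down "$CMD"; then
        echo "$CMD: setuid and world execute removed"
    else
        echo "WARNING: $CMD is still runnable outside RBAC" >&2
    fi
    echo "profiles granting $CMD: $(profiles_for_cmd "$EXEC_ATTR" "$CMD")"
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it once with `apply`; re-running is harmless for the prof_attr and exec_attr lines because add_line_once only appends records that are not already present. The final check covers the point of step 8: if is_locked_down fails, the user can still run m64config without the role and RBAC is not actually enforcing anything.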

© 1995-2010 Machtelt Garrels - tille - Powered by vIm - Best viewed with your eyes - Validated by W3C - Last update 20100511