OpenSolaris

1. Community: Architecture Process and Tools
   1. Announcements
   2. Leaders
   3. Observers
   4. Projects
   5. Glossary
   6. FAQ
      1. What is an ARC Review?
      2. Planning for the Architectural Review
      3. How to succeed with an Architectural review
      4. Announcing the Systems Architecture Process
      5. Use of the OpenSolaris aliases
      6. ARC Fast-Track Sponsor Duties
      7. ARC Fasttrack Handbook
      8. What sort of changes need ARC approval?
      9. How do I publish/request an existing Sun ARC Case?
         1. Request Tracking Table
      10. When should developers interact with the ARC?
      11. General Principles for Requiring Changes to Projects
   7. ARC Handbook
      1. Goals
      2. ARC Process Proposal
         1. Details: ARC Self-Review Process
         2. Details: ARC Fasttrack Process
         3. Details: ARC Full-Review
      3. Reference: Sun's current internal ARC process
      4. Responsibilities
         1. Members
      5. 10 Questions
      6. Template for ARC Project creation
      7. Template for ARC Opinion
      8. Template for interface "contract"
      9. Introduction to the ARC message for project teams
      10. Chartering a Consolidation
   8. ARC Policies
      1. Release Taxonomy
      2. Interface Taxonomy
      3. Packaging rules for system extensions (Shared and sharable components)
      4. Library and Shared Object Requirements
      5. FMA Event Protocol
      6. Recommended Installation Locations for Solaris-compatible Software Components
      7. Install Time Security
      8. Network Install-Time Security
      9. Secure - By Default
      10. Audit Policy
      11. Plugable Authentication Modules
      12. Service Management Facility (SMF) usage
      13. Obsolete and the EOF process
   9. ARC Best Practices
      1. Architecture = Components + Interfaces
      2. Hardware Platform Dependencies
      3. Operating System Compatibility
      4. Inter-Project Compatibility
      5. Device Drivers
      6. Internationalization (I18n)
      7. Standards Conformance
      8. Namespace Management and Conventions
      9. Command Lines and arguments
      10. Environment Variables
      11. Signals
      12. Configuration Files
      13. Libraries
      14. Changes to interfaces
      15. Performance
      16. Security Questions
      17. When to use setuid -vs- RBAC roles and profiles
      18. Adding RBAC Authorizations
      19. Building RBAC Rights Profiles
      20. Reusable Passwords In Command Line Arguments and Environment Variables
      21. Storing Reusable Passwords on a Filesystem
      22. Administrative and Security Precedents and Policies
      23. ARC Alias Usage Guidelines
   10. Files
   11. Discussions
   12. Testing area for automated scripts
       1. OpenSolaris Users
       2. OpenSolaris Developers
       3. OpenSolaris Distros
   13. SourceUtils
   14. allclasses-noframe
   15. overview-tree
   16. Caselog

When to use setuid -vs- RBAC roles and profiles

Copyright 2006, Sun Microsystems, Inc

Table of Contents Overview BestPractice Synopsis Advice CaseHistory References Category Software.RBAC Owner SAC Author Gary Winiger Changes Gary.Winiger@Sun.COM Authority SAC Policy Version 1.0 Status DRAFT 2001/03/01 Effective Solaris 2.8 When to use setuid -vs- roles and profiles
	Advice If a program must be run by all users and it requires special attributes (uid/gid or in the future privileges) they will need to be "forced" on that program's executable (suid, sgid today). If a program is to be run by only selected users and it requires special attributes, from Solaris 8 forward, there are two ways for this restriction to be accomplished. The program can itself verify the user is an appropriate user of the program, or the user can be granted the program with the required attributes. The tradeoff comes in whether the program has reason to enforce multiple policies or if there is but a single policy. If the program enforces multiple policies, it probably should have the special attributes "forced" on the program file. It should then interpret authorizations granted to the user (chkauthattr(3secdb)) executing the program to determine which policies are approved for the user. Making such decisions must be auditable for the Solaris BSM configuration. If there is just a single policy, the program should be placed into a rights profile (prof_attr(4)) (or a new one created for the program) with the appropriate special attributes (exec_attr(4)) (euid, ruid/euid, egid, rgid/egid today) and the profile assigned to the users who should have be able to effectively run this program. On a per-machine basis, profiles and authorizations (auth_attr(4)) can be granted to all users of a machine in the local policy.conf(4) without having to grant them to individual users, or selectively to individual users in user_attr(4) and prof_attr(4) local or name space (nsswitch.conf(4)) databases. While authorizations can be granted in either user_attr or prof_attr, it is preferred that they be granted in prof_attr and that the profile be granted to the user through user_attr (or for all users of a machine through policy.conf). The profile level of abstraction makes for easier updates of authorizations and commands in a changing environment. Programs with "forced" attributes should bracket the user of these attributes around their needed use. Today, for example, a suid program should set its effective uid to its real at the beginning of main and then only set the effective to the saved around any code that requires the suid ID to succeed. CaseHistory Case Type Name PSARC/1997/332 OnePager Execution Profiles for Restricted Environments References RBAC Whitepaper Authorization Infrastructure in Solaris - Developer Connection