OpenSolaris

1. Community: Architecture Process and Tools
   1. Announcements
   2. Leaders
   3. Observers
   4. Projects
   5. Glossary
   6. FAQ
      1. What is an ARC Review?
      2. Planning for the Architectural Review
      3. How to succeed with an Architectural review
      4. Announcing the Systems Architecture Process
      5. Use of the OpenSolaris aliases
      6. ARC Fast-Track Sponsor Duties
      7. ARC Fasttrack Handbook
      8. What sort of changes need ARC approval?
      9. How do I publish/request an existing Sun ARC Case?
         1. Request Tracking Table
      10. When should developers interact with the ARC?
      11. General Principles for Requiring Changes to Projects
   7. ARC Handbook
      1. Goals
      2. ARC Process Proposal
         1. Details: ARC Self-Review Process
         2. Details: ARC Fasttrack Process
         3. Details: ARC Full-Review
      3. Reference: Sun's current internal ARC process
      4. Responsibilities
         1. Members
      5. 10 Questions
      6. Template for ARC Project creation
      7. Template for ARC Opinion
      8. Template for interface "contract"
      9. Introduction to the ARC message for project teams
      10. Chartering a Consolidation
   8. ARC Policies
      1. Release Taxonomy
      2. Interface Taxonomy
      3. Packaging rules for system extensions (Shared and sharable components)
      4. Library and Shared Object Requirements
      5. FMA Event Protocol
      6. Recommended Installation Locations for Solaris-compatible Software Components
      7. Install Time Security
      8. Network Install-Time Security
      9. Secure - By Default
      10. Audit Policy
      11. Plugable Authentication Modules
      12. Service Management Facility (SMF) usage
      13. Obsolete and the EOF process
   9. ARC Best Practices
      1. Architecture = Components + Interfaces
      2. Hardware Platform Dependencies
      3. Operating System Compatibility
      4. Inter-Project Compatibility
      5. Device Drivers
      6. Internationalization (I18n)
      7. Standards Conformance
      8. Namespace Management and Conventions
      9. Command Lines and arguments
      10. Environment Variables
      11. Signals
      12. Configuration Files
      13. Libraries
      14. Changes to interfaces
      15. Performance
      16. Security Questions
      17. When to use setuid -vs- RBAC roles and profiles
      18. Adding RBAC Authorizations
      19. Building RBAC Rights Profiles
      20. Reusable Passwords In Command Line Arguments and Environment Variables
      21. Storing Reusable Passwords on a Filesystem
      22. Administrative and Security Precedents and Policies
      23. ARC Alias Usage Guidelines
   10. Files
   11. Discussions
   12. Testing area for automated scripts
       1. OpenSolaris Users
       2. OpenSolaris Developers
       3. OpenSolaris Distros
   13. SourceUtils
   14. allclasses-noframe
   15. overview-tree
   16. Caselog

Building RBAC Rights Profiles

Copyright 2006, Sun Microsystems, Inc

Table of Contents Overview BestPractice Synopsis Advice CaseHistory References Category Software.RBAC Owner SAC Author Gary Winiger Changes Gary.Winiger@Sun.COM Authority SAC Policy Version 1.0 Status DRAFT 2006/01/16 Effective Solaris 2.10 HOWTO guide for adding RBAC Rights Profiles
	Advice You might need to build a Rights Profile from scratch if there is not already one that seems appropriate. First check the current ON gate .../usr/src/lib/libsecdb/prof_attr.txt prof_attr(4) contains the names of the current Rights Profiles, see the short description and the contents of the matching .../usr/src/lib/libsecdb/exec_attr.txt (exec_attr(4)) entries to see if it is a match for your needs. If it is, your can add to it. Generally you would not add authorizations to existing Rights Profiles unless you are adding authorizations in the same family. I.e., if new Audit authorizations are added to solaris.audit.*, then they would be candidates to add to the "Audit Control" profile. See http://sac.eng/cgi-bin/bp.cgi?NAME=RBAC.bp for guidance about suid programs and authorizations. Authorizations should be assigned to Rights Profiles in prof_attr(4) an auths= list and the Rights Profile assigned to a user via the profs= list in user_attr(4), rather than the obsolete use of auths= in user_attr(4). If you need to build a Rights Profile from scratch, here's a suggestion on how to proceed. Adding a new Rights Profile which contains commands to ON Pick a Rights Profile Name that doesn't conflict with a current name. Note there is more than one place that profiles are found. ON profiles are in ..../usr/src/lib/libsecdb/prof_attr.txt. Be aware that other gates may also deliver prof_attr entries. In the admin gate profiles are in .../src/bundled/app/drm/rbac/security/prof_attr .../src/bundled/app/wbem/solaris/rbac/security/prof_attr .../src/bundled/app/webmgt/webconsole/conf/prof_attr The the CDE gate profiles are in .../cdesrc/cde1/rbac/security/prof_attr For this example, name the Rights Profile "Xx Yy Zz" Add a line (alphabetically would be nice ;-) to prof_attr that reads: Xx Yy Zz:::Short Description:help=RtXxYyZz.html For Solaris 10 and later releases, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read: Xx Yy Zz:solaris:cmd:::<full path to command>:<attributes> such that the <attributes> take on the least privileged values needed to do the function, choose from privs=<privilege set>, limitprivs=<privilege set>, euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see privileges(5), exec_attr(4)). For systems prior to Solaris 10 only, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read: Xx Yy Zz:suser:cmd:::<full path to command>:<attributes> such that the <attributes> take on the least privileged value needed to do the function, choose from euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see exec_attr(4)). Create a simple HTML help file in .../lib/libsecdb/help/profiles. The file name for this example is RtXxYyZz.html. Update the Makefile. Use an existing help file for the HTML syntax and describe help for the profile that you've just created. Update the help file packages SUNWcsu, SUNW0on. in SUNWcsu/prototype_com f none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin in SUNW0on/prototype_com f none usr/lib/help/profiles/locale/RtXxYyZz.html 444 root bin N.B. The difference between the paths ("C" -vs- none). Adding commands to an existing Rights Profile to ON: Pick an existing Rights Profile which matches the commands to be added. For this example call it "Xx Yy Zz" For Solaris 10 and later releases, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read: Xx Yy Zz:solaris:cmd:::<full path to command>:<attributes> such that the <attributes> take on the least privileged values needed to do the function, choose from privs=<privilege set>, limitprivs=<privilege set>, euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see privileges(5), exec_attr(4)). For systems prior to Solaris 10 only, for each CLI in the Rights Profile add to .../lib/libsecdb/exec_attr line(s) that read: Xx Yy Zz:suser:cmd:::<full path to command>:<attributes> such that the <attributes> take on the least privileged value needed to do the function, choose from euid=<uid>, egid=<gid>, uid=<uid>, gid=<gid> (see exec_attr(4)). Adding a new Rights Profile to other gates Do pretty much the same steps with local sources for prof_attr and exec_attr. If this is the first Rights Profile for this gate, the prof_attr and exec_attr files should use the rbac class action script and deliver into /etc/security/{prof,exec}_attr. I.e., in prototype_com: e rbac etc/security/prof_attr 644 root sys HTML help files should be delivered by the ``usr'' and ``globalization'' (G11N) packages (as equivalent to SUNWcsu, SUNW0on) in SUNW``usr''/prototype_com f none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin in SUNW0``G11N''/prototype_com f none usr/lib/help/profiles/locale/C/RtXxYyZz.html 444 root bin CaseHistory Case Type Name PSARC/1997/332 OnePager Execution Profiles for Restricted Environments   PSARC/2002/188 OnePager Least Privilege for Solaris   References RBAC in the Solaris[tm] Operating Environment - White Paper Authorization Infrastructure in Solaris - Developer Connection