OpenSolaris

1. Community: Security
   1. Announcements
   2. News
   3. Blogs
   4. Discussions
   5. Community Projects
      1. Pluggable Authentication Module
      2. Trusted Extensions
         1. History
         2. Trusted Extensions Developer Guide
         3. Installing the Solaris Trusted Extensions Software on a Laptop Computer
         4. Experimental Java Classes for Trusted Extensions Labeling APIs
      3. Secure By Default
         1. Secure by Default Design
      4. Privilege Debugging
      5. RBAC - Role Based Access Control
      6. Auditing
      7. Basic File Privs
      8. Kerberos
      9. Java
      10. SSH
      11. Cryptographic Framework
   6. Library
      1. HOWTO Documents
         1. Privilege Bracketing
      2. Username length
   7. Presentations
   8. Events
   9. Leaders
   10. Observers
   11. Files
   12. Contributor Grants

What is RBAC ?

Role-based access control allows system administrators to delegate the administrative control of parts of the system to users. Users can be given the ability to run commands with additional privilege in two ways. Either by assigning a profile directly to the user, in which case no additional authentication is required. Or by creating a role. It can also be used to build restrictive environments for users by removing their ability to run commands they would normally be allowed to.

OpenSolaris UserGroup RBAC presenation

Why use RBAC vs sudo (for Solaris)

(Note this may not apply to all OpenSolaris distributions)

• RBAC is built into Solaris (since S8) and supported by Sun.
• RBAC is documented, patched, updated and integrated throughout Solaris
• RBAC is supported by the Solaris Management Console and WebMin GUI's
• RBAC is integrated with SMF in Solaris 10.
• RBAC is evaluated along with the rest of the OS during Common Criteria evaluations. Sudo is not included in the evaluation.
• RBAC actions are audited by the same CC evaluated audit facility used through Solaris
• RBAC offers roles as well as the pfexec command which provides a similar capability to sudo.

Why use sudo rather than RBAC

• Cross platform
• Support for control of CLI arguments (see TODO list below)
• Support for setting per command environment (see TODO list below)

What about sudo & privileges ?

Having sudo be privilege aware would be great for OpenSolaris as well. This would probably be done by adding new keywords to the sudoers grammar so that you can specify the privileges that the command should run with. It would be very cool if someone could implement this and contribute it back to the main sudo branch.

RBAC Best Practices for OpenSolaris developers

The following best practice documents for using RBAC in developing other parts of OpenSolaris can be found in the ARC community:

• When to use setuid vs RBAC roles

• Adding New authorisations to OpenSolaris

• Bulding RBAC Rights Profiles

RBAC TODO List

The following is a list of mini projects or RFEs that we know we need to implement in the OpenSolaris RBAC framework to get parity with sudo or to fill a customer need.

Please help us out by implementing one of these:

• Control of environment variables: 6227888

Ability to set and clear any environment variable for a specific entry in exec_attr(4).

• Control of command line args: 5097247

Restrict which arguments to a command get the additional privilege, For example run passwd(1) but only with a user name not with any of the password aging options.

• Netgroups integration 4986798

For all of the RBAC databases that make up a profile definition and assignment of it to a user (execattr, profattr, userattr) control which hosts it is valid on using netgroups. The currently unused "qualifier" field in userattr(4) is intended for this as is one of the reserved fields in prof_attr(4).

History of RBAC in Solaris

The main stream Solaris first got RBAC in Solaris 8. In Solaris 9 new profiles were added but no new core functionality from the framework. In Solaris 10 RBAC was integrated with least privilege, SMF and SMC.

Trusted Solaris (now replaced by Trusted Extensions) had an RBAC system in all of its releases going back to the SunOS 4.1.3 based versions. The implementation was slighly different but the basic concepts are the same.