Role:
A role is a special identity for running privileged applications or commands; it can be assumed by assigned users only.
Profiles:
A collection of privileges (rights) that can be assigned to a role or to a user.
Authorizations:
A permission that you can assign to a role or to a user.
Administrator Profile Shells:
pfsh, pfcsh and pfksh
Important Files used for RBAC:
- /etc/user_attr - Extended user attribute database
- /etc/security/prof_attr - The rights profile attributes database
- /etc/security/exec_attr - The execution attributes database.
- /etc/security/auth_attr - The authorization attributes database.
- /etc/security/policy.conf - provides system default authorizations for users.
Configuration Steps:
- roleadd -u 5000 -g 10 -m -d /export/home/sdown sdown
- vi /etc/security/prof_attr and add the line: "Shut:::Able to shutdown the system:"
- rolemod -P Shut,All sdown
- useradd -u 4009 -g 10 -m -d /export/home/user9 -s /bin/ksh -R sdown user9 -p pass
- vi /etc/security/exec_attr and add the line: "Shut:suser:cmd:::/usr/sbin/shutdown:uid=0"
- If the user needs to execute the command without su to the role, the user's shell must be changed to one of the Administrator Profile Shells - pfsh, pfcsh or pfksh
Demonstration:
- $ su user9
- $ /usr/sbin/shutdown -i 6 -g 0
  "/usr/sbin/shutdown : Only root can run /usr/sbin/shutdown"
- $ profiles
  "Basic Solaris User & All"
- $ roles
  "sdown"
- $ su sdown
- $ /usr/sbin/shutdown -i 6 -g 0
- If the user has an administrator (profile) shell, the command can be given directly from the user's shell, since it is obtained from the role; there is no need to su to the role.
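Added example, not part of these notes: a POSIX shell script that walks constructed copies of user_attr, prof_attr and exec_attr (records mirroring the configuration steps above) to show which commands a user reaches, through which role, and with which uid, so the assignment from the configuration and demonstration sections can be checked before it is relied on. The function names (resolve, roles_of, profiles_of, exec_of) are chosen here and are not Solaris commands.

```shell
#!/bin/sh
# Added example (not from these notes): resolve the RBAC chain
# user -> roles -> profiles -> exec_attr from constructed copies of the
# databases, so an assignment can be checked before it is relied on.
# Record formats follow the real files; the records themselves are
# constructed to mirror the configuration steps above.

USER_ATTR='user9::::type=normal;roles=sdown
sdown::::type=role;profiles=Shut,All'
PROF_ATTR='Shut:::Able to shutdown the system:
All:::Execute any command as the user or role:'
EXEC_ATTR='Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
All:suser:cmd:::*:'

# Field 5 of user_attr is a ';'-separated key=value list; return one value.
attr_of() { # attr_of <db> <name> <key>
  printf '%s\n' "$1" | awk -F: -v n="$2" -v k="$3" '
    $1 == n { m = split($5, kv, ";")
              for (i = 1; i <= m; i++) { split(kv[i], p, "=")
                if (p[1] == k) { print p[2]; exit } } }'
}
roles_of()    { attr_of "$USER_ATTR" "$1" roles; }
profiles_of() { attr_of "$USER_ATTR" "$1" profiles; }

# Description (field 4) of a profile in prof_attr; empty if it is undefined.
profile_desc() { printf '%s\n' "$PROF_ATTR" | awk -F: -v p="$1" '$1 == p { print $4 }'; }

# Commands (field 6) and their attributes (field 7) for one profile.
exec_of() { printf '%s\n' "$EXEC_ATTR" | awk -F: -v p="$1" '$1 == p { print $6 " " $7 }'; }

# Every exec_attr entry a user reaches, directly through its own profiles
# or by assuming one of its roles. Output: "<principal> <cmd> <attr>".
privileged_cmds() {
  for pr in "$1" $(roles_of "$1" | tr ',' ' '); do
    for p in $(profiles_of "$pr" | tr ',' ' '); do
      [ -n "$(profile_desc "$p")" ] || echo "warning: $p not in prof_attr" >&2
      exec_of "$p" | while read -r cmd attr; do
        printf '%s %s %s\n' "$pr" "$cmd" "${attr:--}"
      done
    done
  done
}

# Entries naming <cmd> exactly: the '*' entry of the All profile carries no
# uid, so it does not make the command run as root and is left out here.
resolve() { privileged_cmds "$1" | awk -v c="$2" '$2 == c'; }

resolve user9 /usr/sbin/shutdown   # -> sdown /usr/sbin/shutdown uid=0
```

The output shows that user9 has no profile of its own granting shutdown as root and reaches it only by assuming sdown, which is exactly why the first shutdown attempt in the demonstration is refused.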