1. RBAC Profile
/etc/security/prof_attr
User Management:::Manage users, groups, home directory:auths=solaris.profmgr.read,solaris.admin.usermgr.write,solaris.admin.usermgr.read,solaris.admin.usermgr.manage;help=RtUserMngmnt.html
User Security:::Manage passwords, clearances:auths=solaris.role.*,solaris.profmgr.*,solaris.label.range,solaris.admin.usermgr.*;help=RtUserSecurity.html
2. RBAC Command
/etc/security/exec_attr
User Management:solaris:cmd:::/usr/sbin/groupadd:uid=0
User Management:solaris:cmd:::/usr/sbin/groupdel:uid=0
User Management:solaris:cmd:::/usr/sbin/groupmod:uid=0
User Management:solaris:cmd:::/usr/sbin/roleadd:euid=0
User Management:solaris:cmd:::/usr/sbin/roledel:euid=0
User Management:solaris:cmd:::/usr/sbin/rolemod:euid=0
User Management:solaris:cmd:::/usr/sbin/useradd:euid=0
User Management:solaris:cmd:::/usr/sbin/userdel:euid=0
User Management:solaris:cmd:::/usr/sbin/usermod:euid=0
User Management:suser:cmd:::/usr/sbin/grpck:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
User Security:solaris:act:::SDTscgui;*;*;*;0:uid=0
User Security:solaris:cmd:::/usr/sbin/passmgmt:uid=0
User Security:suser:cmd:::/usr/bin/passwd:uid=0
User Security:suser:cmd:::/usr/sbin/pwck:euid=0
User Security:suser:cmd:::/usr/sbin/pwconv:euid=0
3. Add a role
Adding a role is nice and easy:
# roleadd -c "User Administration Role" -m -d /export/home/r_uadm r_uadm
We also need to give the role a password:
# passwd r_uadm
4. Add a profile to the role
# rolemod -P "User Management","User Security" r_uadm
# grep r_uadm /etc/user_attr
r_uadm::::type=role;profiles=User Management,User Security
5. Add a user account for IDM admin
# useradd -c "IDM Administrator" -d /export/home/idmadmin -m idmadmin
# passwd idmadmin
Finally, we'll add the role to our user account:
# usermod -R r_uadm idmadmin
And just look in /etc/user_attr to make sure the changes have been made:
# grep r_uadm /etc/user_attr
r_uadm::::type=role;profiles=User Management,User Security
idmadmin::::type=normal;roles=r_uadm
Result:
-bash-3.00$ roles
r_uadm
-bash-3.00$ /usr/sbin/useradd -d /export/home/test -m test
UX: /usr/sbin/useradd: ERROR: Permission denied.
-bash-3.00$ profiles
Basic Solaris User
All
-bash-3.00$ su r_uadm
Password:
$ profiles
User Management
User Security
Basic Solaris User
All
$ /usr/sbin/useradd -d /export/home/test -m test
cpio: Cannot open file "/export/home/test/.profile", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.cshrc", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.login", errno 13, Permission denied
cpio: Cannot open file "/export/home/test/local.profile", errno 13, Permission denied
0 blocks
4 error(s)
UX: /usr/sbin/useradd: ERROR: Unable to copy skeleton directory into home directory: No such file or directory.
rm: Unable to remove directory /export/home/test: Permission denied
-- Solution:
Change the "exec_attr" entries for /usr/sbin/useradd and /usr/sbin/userdel in the User Management profile from "euid=0" to "uid=0". An euid= entry raises only the effective UID (like a setuid executable), while a uid= entry runs the command with both the real and the effective UID set; the useradd run above, with only the effective UID raised, fails in the skeleton copy (cpio) and the cleanup (rm).
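As an added example (not part of the original page), the script below parses the three RBAC databases the walkthrough edits: it resolves a user's profiles through its roles from user_attr, looks up which id attribute (uid=0 or euid=0) a profile grants to a command in exec_attr, lists every command still limited to euid=0, and applies the fix above (euid=0 to uid=0 for useradd/userdel) to a copy of the file. The field layouts are those shown in the page's own entries; profile search order is simplified to "first listed profile that names the command", and the sample files are constructed for the example rather than copied from a live system.

```shell
#!/bin/sh
# Added example, not from the original page: resolve which RBAC profiles a
# user reaches through its roles and which id attribute (uid=0 vs euid=0)
# a profile grants to a command, then apply the page's fix (euid=0 -> uid=0
# for useradd/userdel). Field layout assumed from the page's own entries:
#   exec_attr: name:policy:type:res1:res2:id:attr
#   user_attr: user:qualifier:res1:res2:attr
# Profile search order is simplified to "first profile listed that names the
# command"; the sample files below are constructed for this example.
set -eu

WORK=$(mktemp -d)
EXEC_ATTR="$WORK/exec_attr"
USER_ATTR="$WORK/user_attr"

# Constructed sample data (a subset of the entries shown on the page).
cat > "$EXEC_ATTR" <<'EOF'
User Management:solaris:cmd:::/usr/sbin/useradd:euid=0
User Management:solaris:cmd:::/usr/sbin/userdel:euid=0
User Management:suser:cmd:::/usr/sbin/pwck:euid=0
User Security:solaris:cmd:::/usr/sbin/passmgmt:uid=0
User Security:suser:cmd:::/usr/bin/passwd:uid=0
EOF

cat > "$USER_ATTR" <<'EOF'
r_uadm::::type=role;profiles=User Management,User Security
idmadmin::::type=normal;roles=r_uadm
EOF

# attr_value FILE NAME KEY: value of KEY in the ;-separated attr field of NAME
attr_value() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) { print substr(kv[i], length(key) + 2); exit }
        }' "$1"
}

# user_roles USER_ATTR USER: roles assigned to USER, one per line
user_roles() { attr_value "$1" "$2" roles | tr ',' '\n'; }

# user_profiles USER_ATTR USER: profiles reachable through the user's roles
user_profiles() {
    for role in $(user_roles "$1" "$2"); do
        attr_value "$1" "$role" profiles | tr ',' '\n'
    done
}

# cmd_id_attr EXEC_ATTR PROFILE CMD: attr field (e.g. euid=0) PROFILE grants to CMD
cmd_id_attr() {
    awk -F: -v prof="$2" -v cmd="$3" \
        '$1 == prof && $3 == "cmd" && $6 == cmd { print $7; exit }' "$1"
}

# granted_id EXEC_ATTR USER_ATTR USER CMD: id attr USER gets for CMD, empty if none
granted_id() {
    user_profiles "$2" "$3" | while IFS= read -r prof; do
        attr=$(cmd_id_attr "$1" "$prof" "$4")
        if [ -n "$attr" ]; then printf '%s\n' "$attr"; break; fi
    done
}

# audit_euid_cmds EXEC_ATTR: profile:command pairs that run with euid=0 only
audit_euid_cmds() {
    awk -F: '$3 == "cmd" && $7 ~ /(^|;)euid=0(;|$)/ { print $1 ":" $6 }' "$1"
}

# fix_id_attr EXEC_ATTR CMD: print EXEC_ATTR with euid=0 changed to uid=0 for CMD
fix_id_attr() {
    awk -F: -v OFS=: -v cmd="$2" '
        $3 == "cmd" && $6 == cmd {
            n = split($7, kv, ";"); out = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] == "euid=0") kv[i] = "uid=0"
                out = out (i > 1 ? ";" : "") kv[i]
            }
            $7 = out
        }
        { print }' "$1"
}

# Apply the page's fix to a copy of the file, one command at a time.
FIXED="$WORK/exec_attr.fixed"
cp "$EXEC_ATTR" "$FIXED"
for c in /usr/sbin/useradd /usr/sbin/userdel; do
    fix_id_attr "$FIXED" "$c" > "$FIXED.tmp" && mv "$FIXED.tmp" "$FIXED"
done

cleanup() { rm -rf "$WORK"; }   # call when done with the sample files

printf 'Profiles for idmadmin via roles:\n'; user_profiles "$USER_ATTR" idmadmin
printf 'useradd id attr before fix: %s\n' "$(granted_id "$EXEC_ATTR" "$USER_ATTR" idmadmin /usr/sbin/useradd)"
printf 'useradd id attr after fix:  %s\n' "$(granted_id "$FIXED" "$USER_ATTR" idmadmin /usr/sbin/useradd)"
printf 'Still euid=0 only:\n'; audit_euid_cmds "$FIXED"
```

The audit function is the part worth keeping around: run against a real /etc/security/exec_attr it shows every command a profile runs with only the effective UID raised, which is exactly the class of entry that broke the useradd run above, and the fix function rewrites one command at a time so the diff against the original file stays reviewable before it is installed.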