
Solaris 9 Student Guide Part 2 (SA-299), part 6




Figure 11-6 shows one relationship between the /etc/security/prof_attr and the /etc/user_attr databases. The Printer Management profile, which is defined in the /etc/security/prof_attr database, is assigned to the sysadmin role in the /etc/user_attr database.

Figure 11-6 User and Profile Association

Figure 11-7 shows the relationship between the /etc/security/prof_attr and the /etc/security/auth_attr databases. The Printer Management profile is defined in the /etc/security/prof_attr database as having all authorizations beginning with the string solaris.admin.printer. assigned to it. These authorizations are defined in the /etc/security/auth_attr database.


From the /etc/security/prof_attr database:

Printer Management:::Manage printers, daemons, spooling:\
help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\
solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/auth_attr database:

solaris.admin.printer.modify:::Update Printer Information::\
help=AuthPrinterModify.html
solaris.admin.printer.delete:::Delete Printer Information::\
help=AuthPrinterDelete.html
solaris.admin.printer.:::Printer Information::help=AuthPrinterHeader.html


The /etc/security/exec_attr Database

The /etc/security/exec_attr database holds the execution attributes. An execution attribute associated with a profile is a command, or a script that contains a command with options (because the only way to add options to a command is by using a script). Only the users and roles assigned to this profile can run the command with special security attributes. Special security attributes refer to attributes, such as UID, EUID, GID, and EGID, that can be added to a process when the command is run. The definitions of the execution attributes are stored in the /etc/security/exec_attr database. Figure 11-8 shows the /etc/security/exec_attr database.

Figure 11-8 The exec_attr Database

The fields in the /etc/security/exec_attr database are separated by colons:

name:policy:type:res1:res2:id:attr

where:


name     The name of the profile. Profile names are case sensitive.

policy   The security policy associated with this entry. The suser (superuser policy model) is the only valid policy entry.

type     The type of entity whose attributes are specified. The only valid type is cmd (command).

id       A string identifying the entity. You can use the asterisk (*) wildcard. Commands should have the full path or a path with a wildcard. To specify arguments, write a script with the arguments, and point the id to the script.

attr     An optional list of key-value pairs that describes the security attributes to apply to the entity when executed. You can specify zero or more keys. The list of valid keywords depends on the policy being enforced. There are four valid keys: euid, uid, egid, and gid.

• euid and uid – Contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs set to the UID you specify.

• egid and gid – Contain a single group name or numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands designated with gid run with both the real and effective GIDs set to the GID you specify.

The following example is part of a /etc/security/exec_attr database with some typical values:


Figure 11-9 shows the relationship between the /etc/security/exec_attr and /etc/security/prof_attr databases.

Figure 11-9 Profile and Execution Association

The Printer Management profile lists execution attributes (or commands) with the appropriate security attributes assigned in the /etc/security/exec_attr database.

From the /etc/security/prof_attr database:

Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:


The /etc/security/auth_attr Database

An authorization is an RBAC feature that grants access to restricted functions. It identifies, by a unique string, what is being authorized, as well as who created the authorization.

You cannot create new authorizations. However, system programmers can create and assign authorizations to applications.

Certain privileged programs check authorizations to determine whether users can execute restricted functionality. For example, the solaris.jobs.admin authorization is required for a user to edit another user's crontab file.

All authorizations are stored in the /etc/security/auth_attr database. You can assign authorizations directly to users or roles in the /etc/user_attr database. You can also assign authorizations to rights profiles, which are assigned to roles.

Figure 11-10 shows the /etc/security/auth_attr database.

Figure 11-10 The auth_attr Database

[Figure 11-10 diagram labels: prof_attr (Profiles), auth_attr (Authorization), user_attr (Users, Roles), exec_attr (Privileges)]


The fields in the /etc/security/auth_attr database are separated by colons, as follows:

authname:res1:res2:short_desc:long_desc:attr

where:

authname   A unique character string that identifies the authorization in the prefix.suffix[.] format. Authorizations for the Solaris OE use solaris as a prefix. All other authorizations use a prefix that begins with the reverse-order Internet domain name of the organization that creates the authorization (for example, com.xyzcompany). The suffix indicates what is being authorized, typically the functional area and operation.

When there is no suffix (that is, the authname consists of a prefix, a functional area, and ends with a period), the authname serves as a heading for use by applications in their GUI rather than as an authorization. The authname solaris.printmgr. is an example of a heading.

When authname ends with the word grant, the authname serves as a grant authorization and lets the user delegate related authorizations (that is, authorizations with the same prefix and functional area) to other users. The authname solaris.printmgr.grant is an example of a grant authorization. It gives the user the right to delegate such authorizations as solaris.printmgr.admin and solaris.printmgr.nobanner to other users.

short_desc   A concise name for the authorization that is suitable for displaying in user interfaces.

long_desc   A long description. This field identifies the purpose of the authorization, the applications in which it is used, and the type of user who wants to use it. The long description can be displayed in the help text of an application.

attr   An optional list of key-value pairs that describes the attributes of an authorization. There can be zero or more keys. For example, the keyword help identifies a help file.


The following is an example of an /etc/security/auth_attr database, with some typical values:

Note – The solaris.device. entry is defined as a heading, because it ends in a dot (.). Headings are used by the GUI to organize families of authorizations.

Figure 11-11 shows the relationship between the /etc/security/auth_attr and the /etc/user_attr databases. The solaris.system.date authorization, which is defined in the /etc/security/auth_attr database, is assigned to the user johndoe in the /etc/user_attr database.

Figure 11-11 User, Role, and Authorization Association


Relationships Between the Four RBAC Databases

Figure 11-12 shows how the fields of the four databases are related.

Figure 11-12 Relationship Between the Four RBAC Databases

From the /etc/security/auth_attr database:

solaris.system.date:::Set Date & Time::help=SysDate.html

From the /etc/user_attr database:

sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

From the /etc/security/prof_attr database:

Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:


The /etc/security/policy.conf File

The /etc/security/policy.conf file lets you grant specific rights profiles and authorizations to all users. The two types of entries in the file consist of key-value pairs, as follows:

● AUTHS_GRANTED=authorizations, where authorizations refers to one or more authorizations

● PROFS_GRANTED=right_profiles, where right_profiles refers to one or more rights profiles

Some typical values from an /etc/security/policy.conf file are shown in the following example.

PROFS_GRANTED=Basic Solaris User

The solaris.device.cdrw authorization provides access to the cdrw command.

# grep 'solaris.device.cdrw' /etc/security/auth_attr
solaris.device.cdrw:::CD-R/RW Recording Authorizations::help=DevCDRW.html

The Basic Solaris User profile grants users access to all of the authorizations listed in its entry. Its profiles=All field grants unrestricted access to all Solaris OE commands that have not been restricted by a definition in a previously listed profile. Since policy.conf assigns this profile to every user, review its entry when hardening a system.

# grep 'Basic Solaris User' /etc/security/prof_attr
Basic Solaris User:::Automatically assigned rights:
help=RtDefault.html
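The following Python program is an added example, not part of the Sun course and not Sun's code. It parses the four RBAC databases and policy.conf in the formats described above, using the chapter's own user_attr, prof_attr and auth_attr entries as constructed input, and resolves what a user or role actually holds: the ordered list of rights profiles (user_attr first, then PROFS_GRANTED, nested through the profiles= key), the set of authorizations, the heading/grant classification of an authname, and the security attributes a profile shell would apply to a command. The exec_attr entries, the AUTHS_GRANTED line, the shortened Basic Solaris User entry and the All profile's wildcard command entry are assumptions, labelled ASSUMED in the code, not quotations from a Solaris 9 host. The wildcard rule in auth_matches follows chkauthattr(3SECDB), where a granted name ending in an asterisk matches every authorization that begins with it.

```python
# Added example, not Sun's code: resolve Solaris 9 RBAC rights from the four *_attr
# databases and policy.conf.  Data is constructed from the chapter; ASSUMED = illustrative.
from fnmatch import fnmatchcase
USER_ATTR = """
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
"""
PROF_ATTR = """
Printer Management:::Manage printers, daemons, spooling:\\
help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\\
solaris.admin.printer.modify,solaris.admin.printer.delete
# ASSUMED: shortened auths list; the real Basic Solaris User entry is much longer
Basic Solaris User:::Automatically assigned rights:auths=solaris.admin.printer.read;profiles=All;help=RtDefault.html
"""
AUTH_ATTR = """
solaris.system.date:::Set Date & Time::help=SysDate.html
solaris.admin.printer.:::Printer Information::help=AuthPrinterHeader.html
"""
EXEC_ATTR = """
# ASSUMED: illustrative entries in exec_attr format
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:uid=lp;gid=lp
All:suser:cmd:::*:
"""
POLICY_CONF = """
# ASSUMED: the AUTHS_GRANTED line; the chapter shows only PROFS_GRANTED
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
"""

def parse_attr(attr):
    """'help=X;auths=a,b' -> {'help': ['X'], 'auths': ['a', 'b']}."""
    out = {}
    for key, _, value in (kv.partition("=") for kv in attr.split(";") if kv):
        out[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return out

def parse_db(text, nfields):
    """Rows of a colon-separated *_attr file: folds '\\' continuations, skips comments."""
    rows, pending = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.strip() and not line.startswith("#"):
            rows.append((line.split(":", nfields - 1) + [""] * nfields)[:nfields])
    return rows

def load(user_attr, prof_attr, auth_attr, exec_attr, policy_conf):
    """Index each database by its name field, using the field layouts given in the chapter."""
    db = {"users": {r[0]: parse_attr(r[4]) for r in parse_db(user_attr, 5)},
          "profs": {r[0]: parse_attr(r[4]) for r in parse_db(prof_attr, 5)},
          "auths": {r[0]: r[3] for r in parse_db(auth_attr, 6)},  # name -> short_desc
          "execs": {}, "policy": {}}
    for r in parse_db(exec_attr, 7):  # name:policy:type:res1:res2:id:attr
        db["execs"].setdefault(r[0], []).append((r[5], parse_attr(r[6])))
    for key, _, value in (l.partition("=") for l in policy_conf.splitlines()
                          if l.strip() and not l.startswith("#")):
        db["policy"][key.strip()] = [v.strip() for v in value.split(",")]
    return db

def profiles_of(db, account):
    """Ordered profiles of a user or role: user_attr first, then PROFS_GRANTED, nested via
    profiles=.  The first profile naming a command wins; a name absent from prof_attr grants nothing."""
    ordered, todo = [], (db["users"].get(account, {}).get("profiles", [])
                         + db["policy"].get("PROFS_GRANTED", []))
    while todo:
        name, todo = todo[0], todo[1:]
        if name not in ordered:
            ordered.append(name)
            todo = db["profs"].get(name, {}).get("profiles", []) + todo
    return ordered

def auths_of(db, account):
    """Authorizations held directly, through policy.conf, and through every profile."""
    granted = set(db["users"].get(account, {}).get("auths", []))
    granted.update(db["policy"].get("AUTHS_GRANTED", []))
    for prof in profiles_of(db, account):
        granted.update(db["profs"].get(prof, {}).get("auths", []))
    return granted

def auth_matches(granted, authname):
    """chkauthattr(3SECDB) rule: exact name, or a granted name ending in '*' that prefixes it."""
    return granted == authname or (granted.endswith("*") and authname.startswith(granted[:-1]))

def auth_kind(authname):
    """Trailing '.' = GUI heading; final 'grant' component = delegation right."""
    return ("heading" if authname.endswith(".") else
            "grant" if authname.endswith(".grant") else "authorization")

def command_attrs(db, account, path):
    """Attributes a profile shell applies when account runs path: None if unlisted, {} if no attrs."""
    for prof in profiles_of(db, account):
        for ident, attr in db["execs"].get(prof, []):
            if fnmatchcase(path, ident):
                return {k: v[0] for k, v in attr.items()}
    return None

DB = load(USER_ATTR, PROF_ATTR, AUTH_ATTR, EXEC_ATTR, POLICY_CONF)
```

Two points the resolver makes visible: johndoe receives solaris.admin.printer.read and solaris.device.cdrw through policy.conf without any entry naming him, and a profile listed in user_attr but missing from prof_attr (Device Management in this constructed data) grants nothing and raises no error, so a misspelled profile name fails silently. Under the All profile a normal user can run /usr/sbin/lpadmin from a profile shell, but with an empty attribute set, whereas the sysadmin role gets the Printer Management entry first and therefore the uid=lp;gid=lp attributes.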


Managing RBAC

You can configure RBAC features using the Solaris Management Console or the command line.

Managing RBAC Using the Solaris Management Console

The Solaris Management Console 2.1 in the Solaris 9 OE enables you to configure RBAC features using a GUI console. The GUI provides a point-and-click method of configuring RBAC rights and roles. The GUI wizards prompt you for any necessary configuration parameters.

Note – Using the GUI assumes knowledge of the underlying dependencies that are built into the RBAC feature.

Fundamentals of Managing RBAC

To set up privileged access using the RBAC GUI, follow these steps:

1. Build the user accounts that will be assigned the RBAC rights.

Note – Step 1 is not required if the designated rights and roles are being made available to existing users.

2. Build the rights profiles needed to support the superuser access requirements.

3. Build the role that will provide access to the rights profiles for designated users.


The following example grants an ordinary user access to administrative rights for package commands that require superuser access.

Figure 11-13 shows that access to the RBAC features begins with the Solaris Management Console.

Figure 11-13 Solaris Management Console 2.1 – Users Window

To access RBAC features, perform the following steps:

1. Select Management Tools.

2. Click This Computer.

3. Click System Configuration.

4. Double-click the Users icon.


5. Log in as root, as shown in the Log In: User Name Window in Figure 11-14.

Figure 11-14 Log In: User Name Window

From this login, you have the necessary permissions to set up users, work with name services, and assign rights and roles to other users.

Note – After other users have been granted the necessary access permissions, you can log in with those user login names on subsequent sessions.


After you log in, the View pane displays the set of tools used to perform traditional user administration tasks and the RBAC tasks, as shown in Figure 11-15.

Figure 11-15 Solaris Management Console 2.1 – Users Tools Window

Table 11-4 defines the tools in the Users toolbox.

Table 11-4 Users Tools

User Accounts    Add (or modify) user accounts in several ways: individually, in multiples, or starting from a template.

User Templates   Create a template. If you need to create multiple users with similar attributes, you can first create a template for that type of user.

Rights           Configure a named collection that includes three components: commands, authorizations, and other previously created rights.

Mailing Lists    Add a new mailing list. You can also use this tool to view, add, or delete recipients in a mailing list.

6. Double-click the User Accounts icon to select the User Accounts functions.

The existing users appear in the View pane, as shown in


Building User Accounts

You can build a new user account that will be assigned access to all the package administration commands. Perform the following steps:

1. Select Add User from the Action menu, as shown in Figure 11-17.

Figure 11-17 Action Menu – Add User

2. Select With Wizard from the Add User submenu.


Note – The Add User Wizard works the same as the useradd command and earlier GUI tools, such as AdminTool.

The Add User Wizard – Step 1 window appears, as shown in Figure 11-18.

Figure 11-18 Add User Wizard – Step 1 Window

3. Enter the following information:

User Name     The login name for this user account. Enter user1 as the user name.

Full Name     A descriptive entry identifying the owner of this account. Enter RBAC user1 as the full name.

Description   Similar to the full name, this field further identifies the owner of this account. This entry populates the gecos field in the /etc/passwd file. Enter Added user for RBAC as the description.

4. Click Next to continue.

The user ID number is the user's unique numerical ID for the

5. Accept the default user ID number, as shown in the Add User Wizard – Step 2 window in Figure 11-19.

Figure 11-19 Add User Wizard – Step 2 Window

6. Click Next to continue.


There are two password options in the Add User Wizard – Step 3 window, as shown in Figure 11-20. With the first option, the new user will be prompted to set the password when logging in for the first time. Alternatively, with the second option, you can immediately assign the account password.

Figure 11-20 Add User Wizard – Step 3 Window

7. Enter and confirm 123pass as the password, as shown in Figure 11-20.

8. Click Next to continue.


Group membership allows this user to share access permissions with other users within the same group, as shown in the Add User Wizard – Step 4 window in Figure 11-21. You can add this user to additional groups that share common characteristics after account creation. Each user can belong to 15 additional groups, also known as secondary groups.

9. When prompted with a choice for the new user's primary group membership, accept the default group assignment, as shown in Figure 11-21.

Figure 11-21 Add User Wizard – Step 4 Window

10. Click Next to continue.


The home directory path defines where this user's personal files are stored, as shown in the Add User Wizard – Step 5 window in Figure 11-22. When the account is created, the new user name is appended to the home directory path that is defined in this field. For example, if this user is named user1, then the home directory becomes /export/home/user1.

Figure 11-22 Add User Wizard – Step 5 Window

11. Enter the name of the directory in which the user's home directory will be created (/export/home), as shown in Figure 11-22.

12. Click Next to continue.


When you create a new user account, it is customary to also create a mail account, as shown in the Add User Wizard – Step 6 window in Figure 11-23. You provide the user with a mailbox, a file on the mail server (also known as the inbox) that holds all newly received mail.

Figure 11-23 Add User Wizard – Step 6 Window

13. Click Next to accept the defaults, as shown in Figure 11-23.


14. Check each field for inadvertent errors, as shown in the Add User Wizard – Step 7 window in Figure 11-24. If you see any errors, step back through the windows to correct them, and then step forward again to the confirmation window.

Figure 11-24 Add User Wizard – Review Window

15. When you are satisfied with the field inputs, click Finish to complete building the new user account.


After the new account is created, you are returned to the Solaris Management Console window, which displays the new account, as shown in Figure 11-25.

Figure 11-25 Solaris Management Console 2.1 – User Accounts Window

To test the user account, perform the following steps:

1. Log in with the user name that was just created.

Note – The host name in this example is sys44, and the user name is


2. Execute a few commands to verify that the new account functions as created.

specialized commands within this account. Use the pkginfo (package information) command and the pkgrm (package removal) command. These examples use the SUNWpppg package.

VENDOR: Sun Microsystems, Inc.
DESC: Optional GNU utilities for use with PPP
PSTAMP: crash20020212184313
INSTDATE: Feb 28 2002 08:32
HOTLINE: Please contact your local service provider
STATUS: completely installed
FILES: 12 installed pathnames


Note – The pkginfo command is stored in the /usr/bin directory, which is in the default PATH variable for regular user accounts. The pkgrm command is stored in the /usr/sbin directory, which is not in the default PATH for regular user accounts. You can modify the PATH variable to include the command's path, or you can enter the absolute path of the command on the command line.

Building Rights Profiles

The Solaris 9 OE includes many default sets of rights. These rights profiles include the sets of tasks that system administrators are required to perform. In a large enterprise, you might have separate administrators for each of these rights, whereas, in a smaller company, a single administrator could be responsible for one or more of these task categories.

As a primary administrator, you must decide between two scenarios when using profiles:

● The default collections of task sets fit your Information Technology (IT) organization; in which case, you can move directly to creating roles for your users to assume when these task sets are required.

● A task set collection must be defined to further subdivide the default task sets. In this case, you must first create new rights profiles before creating roles.

In the earlier example, user1 required access permissions to the full set of package administration commands. You can create a rights profile called Package Administration to add to the default rights profiles supplied with the Solaris 9 OE release.


To add or build a rights profile, perform the following steps:

1. Double-click Rights in the Navigation pane.

The View pane of the Solaris Management Console displays some of the categories for these collections of system administrator tasks, as shown in the Solaris Management Console 2.1 – Rights window in Figure 11-26.

Figure 11-26 Solaris Management Console 2.1 – Rights Window


2. Select Add Right from the Action menu, as shown in Figure 11-27.

Figure 11-27 Action Menu – Add Right


The Add Right window – General tab appears. As shown in Figure 11-28, the window contains four tabs. Each tab configures one or more aspects of a rights profile.

Figure 11-28 Add Right Window – General Tab

3. Select the General tab, and fill in the fields as follows:

Name          The name that identifies the rights profile in the Rights window. This name corresponds to the line entry in the /etc/security/prof_attr database.

Description   This description is also presented in the /etc/security/prof_attr database as a definition of the rights profile.


4. Select the Commands tab, as shown in Figure 11-29, and select the commands that your rights profile will include as follows:

Figure 11-29 Add Right Window – Commands Tab

a. For each command that you want the rights profile to be able to run, select it, and click Add.

The command moves to the Commands Permitted list.

b. Click Set Security Attributes.


The Set Security Attributes window, as shown in Figure 11-30, appears. This window also appears when you double-click any of the commands in the Permitted Commands field.

Figure 11-30 Set Security Attributes Window

c. Define the security attributes for each permitted command; you must assign the UID, EUID, GID, and EGID permissions.

Note – The online man pages do not always define the required execution permissions. However, the /etc/security/exec_attr database is a good source for the proper execution permissions for most commands.

5. Search the /etc/security/exec_attr database for the pkgrm command, and set the ownership accordingly. Grant only the attributes the command needs: as described for the /etc/security/exec_attr database, euid changes only the effective UID, whereas uid sets both the real and the effective UID.

6. Click Apply.

7. Click Close to continue.


The View pane in the Solaris Management Console is updated to include the Package Administrator rights profile, as shown in Figure 11-31.

Figure 11-31 Solaris Management Console 2.1 – Rights Window

8. If you need to make modifications to this rights profile, double-click the newly created Package Administrator entry to return to the rights creation windows.

After the rights profile is completed, it can be assigned to either an existing user or to a role.

Note – A user must be running a profile shell (pfsh, pfcsh, or pfksh) to execute the commands in an assigned rights profile.


Building the Role

Administrative roles run administrator shells, also known as profile shells. You cannot log in to a role account directly. You must log in as a regular user, and then assume the role by using the su command.

To build an administration role, complete the following steps:

1. To display existing roles, double-click Administrative Roles in the Navigation pane, as shown in Figure 11-32.

Figure 11-32 Solaris Management Console 2.1 – Administrative Roles Window

Note – By default, the Solaris 9 OE does not have any roles defined.


2. To create a role, select Add Administrative Role from the Action menu, as shown in Figure 11-33.

Figure 11-33 Action Menu – Add Administrative Role


The Add Administrative Role – Step 1 window appears, as shown in Figure 11-34.

Figure 11-34 Add Administrative Role – Step 1 Window

3. Complete the fields in Figure 11-34 as follows:

Role Name     This is the name that you use to assume a specific role with the su command. This name identifies entries in the /etc/passwd and /etc/shadow files and in the /etc/user_attr database.

Full Name     This is an optional entry. If used, make this value unique to this role.

Description   This should clearly state the intent of this role. This entry populates the gcos field in the


4. Click Next to continue.

The Add Administrative Role – Step 2 window appears, as shown in Figure 11-35.

Figure 11-35 Add Administrative Role – Step 2 Window

The role password follows the same characteristics as a regular user account password. A password must consist of between 6 and 15 characters (case-sensitive letters, numbers, and special characters). With the default crypt_unix password algorithm, only the first 8 characters are significant during authentication; characters beyond the eighth are accepted but add no strength.

5. Enter and confirm the password.

6. Click Next to continue.


7. To build the administrative rights for this role, click the Package Administrator rights profile in the left column, as shown in the Add Administrative Role – Step 3 window in Figure 11-36.

Figure 11-36 Add Administrative Role – Step 3 Window

8. Click Add.

The rights are added to the Granted Rights in the right column.

Note – The help that is available on this screen is derived from the help files that are indicated in the Right Properties: Package Administration window.

9. Click Next to continue.


The Add Administrative Role – Step 4 window enables you to define the server and directory locations for the administrative role's home directory, as shown in Figure 11-37.

Figure 11-37 Add Administrative Role – Step 4 Window

10. Click Next to accept the default values, which creates a home directory based on the role name.


In the Add Administrative Role – Step 5 window, you can provide access for this administrative role to a specific list of users, as shown in Figure 11-38. These are the users that will be allowed to assume this role with the su command.

Figure 11-38 Add Administrative Role Window – Assign Users

11. Perform one of the following steps:

● To add a user, enter a valid user name, and click Add.

● To delete a user, click on the user's name in the lower box, and click Delete.

12. Click Next to continue.


13. Check each field in the Add Administrative Role – Review window for inadvertent errors. If you discover any errors, step back through the windows to correct them, and then step forward again to this confirmation window, as shown in Figure 11-39.

Figure 11-39 Add Administrative Role Window – Review

14. When you are satisfied with the field inputs, click Finish to complete building the new role account.

Posted: 14/08/2014, 02:22