RE: (mis)using RBAC...

From: Robert Archer (Robert.Archer_at_unisa.edu.au)
Date: 04/14/05

  • Next message: benjamin brumaire: "Re: (mis)using RBAC..."
    Date: Thu, 14 Apr 2005 10:01:22 +0930
    To: "Jonathan Katz" <jonathan.katz@gmail.com>, <focus-sun@securityfocus.com>
    
    

    To answer a question that you didn't ask, sudo is an excellent
    alternative to su(1m), with the ability to selectively allocate root
    commands to users.

    It is also much simpler than RBAC for the scenario you've described.
    Here's an example sudoers file:

            User_Alias WEBADMIN = user1,user2,user3
            WEBADMIN ALL = (root)
    /opt/app/iplanet/https-myserver/start, \
                            /opt/app/iplanet/https-myserver/stop

    And an example usage:

            host> id
            uid=1001(user1)
            host> sudo /opt/app/iplanet/https-myserver/start
            Password:
            [ . . . command runs . . . ]

    By default, sudo prompts for the user's own password. This means that
    you can lock the root password in a safe, and only get it out for
    single-user mode. You can also configure it to prompt for the target
    user's password, or no password at all (on a per-command basis).

    Sudo requires no special shells or any other changes to your user's
    environment. It's available on the Companion Software CD since Solaris
    8.

    -----Original Message-----
    From: Jonathan Katz [mailto:jonathan.katz@gmail.com]
    Sent: Wednesday, 13 April 2005 4:50 AM
    To: focus-sun@securityfocus.com
    Subject: (mis)using RBAC...

    All,

    I was recently charged with setting up RBAC so that the group I work
    with will 'su to root' less often.

    The first project I've picked is to either establish a role and/or
    profile that will allow a normal user to start and stop our
    webservers. Here is what I came up with, bypassing the concept of a
    'role'...

    1) I created a profile called "Web Administration"
    in /etc/security/prof_attr
    Web Administration:::Role for restarting webservers::

    2) I gave the profile the ability to run the start and stop webserver
    scripts as root:
    in /etc/security/exec_attr
    Web
    Administration:suser:cmd:::/opt/app/iplanet/https-myserver/start:uid=0
    Web
    Administration:suser:cmd:::/opt/app/iplanet/https-myserver/stop:uid=0

    3) I then added the role to my account on the server in /etc/user_attr:
    jkatz::::type=normal;profiles=Web Administration,Basic Solaris User

    4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
    user account I can start and restart our webservers.

    My questions are, is this a normal practice (are there other people
    doing it) and is it supported? What unintended consequences am I
    missing? I understand that if a user's account is compromised, the
    webserver services can be stopped and started at-will. I also
    understand that our sysadmin group will be restricted to using
    pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
    leave those set, type 'exec pfsh' and then do what we need to do as
    the Profile.)

    Thanks!

    -- 
    -Jon
    Jonathan Katz -- J. Random BOFH
    

  • Next message: benjamin brumaire: "Re: (mis)using RBAC..."

    Relevant Pages

    • (mis)using RBAC...
      ... with will 'su to root' less often. ... I created a profile called "Web Administration" ... Web Administration:::Role for restarting webservers:: ... user account I can start and restart our webservers. ...
      (Focus-SUN)
    • Re: (mis)using RBAC...
      ... sudo will not help you on Solaris 10 with the introduction ... updated to have knowledge of the Solaris 10 privilege model. ... with the ability to selectively allocate root ... > user account I can start and restart our webservers. ...
      (Focus-SUN)
    • Re: Card Reader
      ... Running your script ... instead of sudo is worthless because your script *can't do ... And of course it doesn't ask for a root password, ... >> That's just more bullshit Bryan, and you might as well leave ...
      (rec.photo.digital)
    • Re: hi all..
      ... And with sudo, I certainly wouldn't because they already have root. ... If you somehow had access to my account right now, ... install an effective key logger without root. ...
      (Fedora)
    • Re: hi all..
      ... compromise security to achieve it - such as very insecure sudo defaults ... that essentially make any admin group user password a root password. ... IE someone gets your user account password, they can do more than just ...
      (Fedora)