Re: (mis)using RBAC...
From: Darren J Moffat (Darren.Moffat_at_Sun.COM)
To: Jonathan Katz <email@example.com>
Date: Thu, 14 Apr 2005 14:12:09 -0700
On Tue, 2005-04-12 at 12:19, Jonathan Katz wrote:
> 3) I then added the role to my account on the server in /etc/user_attr:
> jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
Correction: you added the profile to your account. You haven't
yet created a role.
A role is a shared account that has its own uid/gid/home dir
etc. The only real difference between a role and a normal user
account is that roles can not directly login to the system - the
pam_roles.so.1 module enforces this.
My general guidance is if you would normally have a shared
account a role is the correct way to do this. For example the
oracle account would IMO always be a role.
root is best thought of (and can actually be) a role - i.e. it isn't
a real person.
> 4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
> user account I can start and restart our webservers.
> My questions are, is this a normal practice (are there other people
> doing it) and is it supported? What unintended consequences am I
> missing? I understand that if a user's account is compromised, the
> webserver services can be stopped and started at-will. I also
> understand that our sysadmin group will be restricted to using
> pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
> leave those set, type 'exec pfsh' and then do what we need to do as
> the Profile.)
Or they can do this:
tcsh% pfexec /opt/app/iplanet/https-myserver/start
It really depends on what you are trying to achieve whether roles
or direct profile assignment is best. To take a different example,
I would assign the Printer Management profile directly to users
rather than making lp a role and giving users the ability to become
the lp user.
In order to address your particular example, is the web content
intended to be updatable by the same people that can restart the
server? If so maybe the content (but NOT the server binaries)
should be owned by a role and the role given the ability to
restart the service. The actions would then be:
jkatz% su webservd
webservd% vi index.html
Now having said all of that..... if this is just about restarting
services then there is a better way in Solaris 10 via SMF. Each
SMF service can have associated with it an RBAC authorisation that
allows a user the ability to restart the service, you don't need
pfexec or pf*sh to do this since svc.startd checks the authorisations
and the user just needs to run svcadm(1m).
See: service_bundle(4), smf_security(5), svcadm(1m)
-- Darren J Moffat
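An added illustration (not part of the thread, and not Sun's code) of the three mechanisms the reply distinguishes: a profile assigned directly in user_attr, a role (type=role) that a user may su to, and an SMF action_authorization that lets svc.startd accept a plain svcadm. The user_attr and prof_attr entries and the authorization names are constructed for the example.

```python
# Constructed sample of /etc/user_attr (user:qualifier:res1:res2:attr)
USER_ATTR = """\
jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
webservd::::type=role;profiles=Web Administration
sysadm::::type=normal;roles=webservd;auths=solaris.smf.manage.webserver
root::::type=role;auths=solaris.*
"""
# Constructed sample of /etc/prof_attr (profile:res1:res2:desc:attr)
PROF_ATTR = """\
Web Administration:::Manage web servers:auths=solaris.smf.manage.webserver
Basic Solaris User:::Default rights:auths=solaris.profmgr.read
"""

def parse_attrs(field):
    """Turn 'k=v;k=v' into a dict; comma-separated values become lists."""
    out = {}
    for kv in filter(None, field.split(";")):
        key, _, val = kv.partition("=")
        out[key] = val.split(",")
    return out

def load_db(text):
    """Both files are colon-separated with the attr string in field 5."""
    return {f[0]: parse_attrs(f[4]) for f in (l.split(":") for l in text.splitlines())}

USERS, PROFS = load_db(USER_ATTR), load_db(PROF_ATTR)

def is_role(name):
    """type=role accounts cannot log in directly (pam_roles enforces it)."""
    return USERS[name].get("type", ["normal"])[0] == "role"

def can_assume_role(user, role):
    """su to a role is allowed only if the role appears in the user's roles= list."""
    return is_role(role) and role in USERS[user].get("roles", [])

def effective_auths(name):
    """Direct auths= plus the auths granted by each assigned profile."""
    auths = list(USERS[name].get("auths", []))
    for prof in USERS[name].get("profiles", []):
        auths += PROFS.get(prof, {}).get("auths", [])
    return auths

def auth_match(pattern, auth):
    """An authorization may be granted with a trailing wildcard (solaris.*)."""
    return pattern == auth or (pattern.endswith("*") and auth.startswith(pattern[:-1]))

def can_manage_service(name, action_auth):
    """svc.startd honours svcadm from a user holding the service's action_authorization."""
    return any(auth_match(p, action_auth) for p in effective_auths(name))
```

Note that jkatz qualifies for the web server authorization only through the profile, so removing that one profiles= entry revokes both pfexec use and svcadm access in one place.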