Re: (mis)using RBAC...
From: Glenn M. Brunette, Jr. (Glenn.Brunette_at_Sun.COM)
Date: 04/15/05
- Previous message: Glenn M. Brunette, Jr.: "Re: (mis)using RBAC..."
- In reply to: Robert Archer: "RE: (mis)using RBAC..."
- Next in thread: benjamin brumaire: "Re: (mis)using RBAC..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Apr 2005 11:47:49 -0400 To: Robert Archer <Robert.Archer@unisa.edu.au>
Robert,
sudo will not help you on Solaris 10 with the introduction
of process rights management since sudo has not yet been
updated to have knowledge of the Solaris 10 privilege model.
BTW - for an example illustrating how to use RBAC with roles
and privileges, see article:
Automating Solaris 10 File Integrity Checks
http://www.sun.com/blueprints/0305/819-2259.pdf
I also have a few new articles on this topic coming up that
specifically use Apache as its example. They will likely
be published in May and June and will focus on how to start
services (using Solaris 10 SMF) with less privilege and also
how to restrict access to Solaris 10 SMF functions using
RBAC. In the meantime, you can also find some additional
Solaris 10 security examples on my blog:
http://blogs.sun.com/gbrunett/
I am planning on publishing a new Solaris 10 security example
today or Monday.
g
Robert Archer wrote:
> To answer a question that you didn't ask, sudo is an excellent
> alternative to su(1m), with the ability to selectively allocate root
> commands to users.
>
> It is also much simpler than RBAC for the scenario you've described.
> Here's an example sudoers file:
>
> User_Alias WEBADMIN = user1,user2,user3
> WEBADMIN ALL = (root)
> /opt/app/iplanet/https-myserver/start, \
> /opt/app/iplanet/https-myserver/stop
>
> And an example usage:
>
> host> id
> uid=1001(user1)
> host> sudo /opt/app/iplanet/https-myserver/start
> Password:
> [ . . . command runs . . . ]
>
> By default, sudo prompts for the user's own password. This means that
> you can lock the root password in a safe, and only get it out for
> single-user mode. You can also configure it to prompt for the target
> user's password, or no password at all (on a per-command basis).
>
> Sudo requires no special shells or any other changes to your user's
> environment. It's available on the Companion Software CD since Solaris
> 8.
>
> -----Original Message-----
> From: Jonathan Katz [mailto:jonathan.katz@gmail.com]
> Sent: Wednesday, 13 April 2005 4:50 AM
> To: focus-sun@securityfocus.com
> Subject: (mis)using RBAC...
>
> All,
>
> I was recently charged with setting up RBAC so that the group I work
> with will 'su to root' less often.
>
> The first project I've picked is to either establish a role and/or
> profile that will allow a normal user to start and stop our
> webservers. Here is what I came up with, bypassing the concept of a
> 'role'...
>
> 1) I created a profile called "Web Administration"
> in /etc/security/prof_attr
> Web Administration:::Role for restarting webservers::
>
> 2) I gave the profile the ability to run the start and stop webserver
> scripts as root:
> in /etc/security/exec_attr
> Web
> Administration:suser:cmd:::/opt/app/iplanet/https-myserver/start:uid=0
> Web
> Administration:suser:cmd:::/opt/app/iplanet/https-myserver/stop:uid=0
>
> 3) I then added the role to my account on the server in /etc/user_attr:
> jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
>
> 4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
> user account I can start and restart our webservers.
>
> My questions are, is this a normal practice (are there other people
> doing it) and is it supported? What unintended consequences am I
> missing? I understand that if a user's account is compromised, the
> webserver services can be stopped and started at-will. I also
> understand that our sysadmin group will be restricted to using
> pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
> leave those set, type 'exec pfsh' and then do what we need to do as
> the Profile.)
>
> Thanks!
>
-- Glenn M. Brunette, Jr. Distinguished Engineer, Chief Security Architect Client Solutions, Global Data Center Practice CTO Sun Microsystems, Inc.
- Previous message: Glenn M. Brunette, Jr.: "Re: (mis)using RBAC..."
- In reply to: Robert Archer: "RE: (mis)using RBAC..."
- Next in thread: benjamin brumaire: "Re: (mis)using RBAC..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
