
Give a user root privileges RBAC

Oct 22, 2004
Version Sun OS 5.8

Background

We have over 200 users on this box, and I was wanting to give our helpdesk access to create, add and delete users.
So I wrote a menu with options for add user, del user etc.
It works fine, however you must be a root user! NB I can point a user to only access this app and log them out after.

Problem
I'm really nervous about tampering with the security (P45) etc.... I can't use sudo, but can use su; however I do not want to give out the root password + no Windows rubbish. Also there have been no sysadm users set up; there is only root in /etc/user_attr, so I'm assuming that it is treating all other users as standard. Furthermore, if I log on as root and vi the user_attr it is read only, which indicates a command is needed.

Q1. If I create a standard user, is the command to change their role smrole or rolemod? And does this write to the user_attr?

Could someone give an example and explain as I'm really unsure?

Big Thanks to anyone who can help!




 
Rob,
Didn't forget you. I just can't get RBAC to work with Solaris 8. I even created a new profile with just the commands you need. When I bring up Solaris Management Console, I see all the proper information. Don't give up hope yet, it hasn't defeated me yet!!!
 
PLEASE PLEASE can someone help me .......... I've fallen and can't get up! Seriously, any help on this or pointers would be great!!!
 
Rob,

You said earlier that you can't use sudo - that would obviously be the best and most widely used way of doing it...

Is the reason you can't use it a corporate one?

Mike

"Deliver me from that bane of civilised life; teddy bear envy."

Want to get great answers to your Tek-Tips questions? Have a look at faq219-2884

 
By default, RBAC files are open to public, which is a security concern.

I prefer using sudo and recommend it.

Chandra.
 
Dear Chandra, Mike,

I would really love to use sudo but can't in this Solaris version.

The reason is that it doesn't exist!! If you do a man on sudo it doesn't like it; also in Unix the sudo file usually hangs around in /etc/ and I can happily tell you it is not there!!

So if anyone knows how to clone root or make a cut-down version, I'm all ears!!

NB you can't set the uid to 0 as it tells you where to go!!

 
Hi robert3975,

I was looking for something in my Solaris 8 Sys Admin 2 course notes yesterday when I came across a worked example of creating an RBAC user (Role-Based Access Control). We don't actually use this concept at the site where I work, so I couldn't answer any questions about RBAC, but I do remember doing this on the course and seeing it work.

Here is the scenario and what we did:
Create the user "james" with role "butler". Once james assumes the role he will be allowed to shut down the system and run the snoop command.

Files modified:
/etc/passwd
/etc/group
RBAC Database files used/modified:
/etc/user_attr
/etc/security/prof_attr
/etc/security/exec_attr
/etc/security/auth_attr

Procedure.
1. Create the new user with the useradd command:
useradd -u 1001 -g 10 -d /export/home/james -m -s /usr/bin/ksh james

2. Set password for the user:
passwd james

Test steps 1 & 2
cat /etc/passwd
cat /etc/shadow
ls -al /export/home/james

3. Create the role (butler) using the roleadd command and set the password:
roleadd -u 1002 -g 10 -d /export/home/butler -m butler
passwd butler

Test step 3
cat /etc/passwd
cat /etc/user_attr
(see the following line at the end)
butler::::type=role;profiles=All
cat /etc/shadow

4. Create the profile for the role to use:
vi /etc/security/prof_attr
(add the following lines at the end)
Shut:::Able to shutdown the system:
Snoop:::Able to use the snoop command:

5. Assign the commands to execute to the profile:
vi /etc/security/exec_attr
(add the following lines at the end)
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
Snoop:suser:cmd:::/usr/sbin/snoop:uid=0

NB: ensure the names in /etc/security/prof_attr and /etc/security/exec_attr are the same

6. Update the role:
rolemod -P Shut,Snoop,All butler

Test step 6
cat /etc/user_attr
(see the following line at the end)
butler::::type=role;profiles=Shut,Snoop,All

7. Assign the role to the user:
usermod -R butler james

Test step 7
cat /etc/user_attr
(see the following lines at the end)
butler::::type=role;profiles=Shut,Snoop,All
james::::type=normal;roles=butler

8. Test the role works:
As root, su - james (shouldn't need a password from root)
try using the shutdown and snoop commands (should not have the permissions)
Then, su - butler (should need the password)
try using the shutdown and snoop commands (should now work)


So it looks like you need just the one role: to create accounts (using useradd), modify accounts (using usermod) and delete accounts (using userdel). Personally I wouldn't allow anyone else to delete accounts, just in case they type root instead of olduser (just to see what would happen)!!

I hope it works for you as it did for me on the course.

Mike
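The procedure above hand-edits /etc/security/prof_attr and /etc/security/exec_attr, and the NB warns that the profile names in the two files must match. The following POSIX shell script is an added example (not code from the thread or from Sun) that checks that consistency offline before you run rolemod, and lists which command paths a profile grants with uid=0, so you can see whether a profile hands out userdel before assigning it to the helpdesk role. The database fragments are constructed samples embedded in the script; "Helpdesk" and "Typo" are hypothetical profile names, not profiles shipped with Solaris, and the field layout assumed is the Solaris exec_attr format name:policy:type:res1:res2:id:attr.

```shell
#!/bin/sh
# Added example: offline consistency checks on Solaris-style RBAC database
# fragments before they are installed. Not the thread's or Sun's code.
# The fragments below are CONSTRUCTED samples; "Helpdesk" and "Typo" are
# hypothetical profile names, not profiles shipped with Solaris.

# Sample /etc/security/prof_attr lines: name:::description:
PROF_ATTR='Shut:::Able to shutdown the system:
Snoop:::Able to use the snoop command:
Helpdesk:::Create and modify user accounts (hypothetical):'

# Sample /etc/security/exec_attr lines:
#   name:policy:type:res1:res2:id:attr  (for type cmd, id is the command path)
# "Typo" deliberately has no prof_attr line: the mistake the NB warns about.
EXEC_ATTR='Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
Snoop:suser:cmd:::/usr/sbin/snoop:uid=0
Helpdesk:suser:cmd:::/usr/sbin/useradd:uid=0
Helpdesk:suser:cmd:::/usr/sbin/usermod:uid=0
Typo:suser:cmd:::/usr/sbin/userdel:uid=0'

# Print each exec_attr profile name that has no line in prof_attr.
# Names are compared whole (grep -x), so "Shut" does not match "Shutdown".
undefined_profiles() {
  known=$(printf '%s\n' "$PROF_ATTR" | cut -d: -f1 | sort -u)
  printf '%s\n' "$EXEC_ATTR" | cut -d: -f1 | sort -u | while read -r name; do
    printf '%s\n' "$known" | grep -qx -- "$name" || printf '%s\n' "$name"
  done
}

# Succeed only when every exec_attr profile is defined in prof_attr.
validate_rbac() {
  [ -z "$(undefined_profiles)" ]
}

# List the command paths a profile grants (type "cmd" entries only).
profile_commands() {
  printf '%s\n' "$EXEC_ATTR" |
    awk -F: -v p="$1" '$1 == p && $3 == "cmd" { print $6 }'
}

# Print the profiles that grant a given command with uid=0 in the attr
# field, e.g. to see who would be able to run userdel as root.
root_grants_for() {
  printf '%s\n' "$EXEC_ATTR" |
    awk -F: -v c="$1" '$3 == "cmd" && $6 == c && $7 ~ /(^|,)uid=0(,|$)/ { print $1 }'
}

# Stand-alone run: report inconsistencies and the root-level grants of userdel.
if validate_rbac; then
  echo "prof_attr/exec_attr names are consistent"
else
  echo "exec_attr profiles missing from prof_attr:"
  undefined_profiles
fi
echo "profiles granting /usr/sbin/userdel as root:"
root_grants_for /usr/sbin/userdel
```

To use it against a real box, replace the two constructed variables with the file contents (for example PROF_ATTR=$(cat /etc/security/prof_attr)); the checks themselves do not need root, since they only read the text. Running the checks before the rolemod -P step catches the mismatched-name case, and the userdel listing makes the "no account deletion for the helpdesk" decision visible in the data rather than relying on memory of what was typed into vi.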
 
Cheers Mike, I'll give this a bash!! Hmm, never thought of deleting root! But my helpdesk team are pretty good, as they can create/delete or change passwords on our DG/UX box, so I think I should be OK.

However if I use sudo will this stop them deleting root?


 