rbac and root control of root access

Status
Not open for further replies.

tgossard

Technical User
Nov 4, 2002
US
Hello,

I would like to create accounts for myself and other sysadmins on our Sun Systems that are equal to root.

We have several sysadmins in our shop and would like, for security reasons, to track who is doing what. The problem is that if more than one person has access to root, then when root does something you don't know who was behind that root. We wish to create accounts such as aroot, broot, and so on, and assign each account to be accessed by only one admin. Those accounts must have full root access. I'm sure RBAC can do this but I'm not sure how to do it. I have determined how to make root a role and can then prevent people from becoming root, but the rest is a mystery. I do need to use the command line to do this, as several of our systems are V100s and do not have graphics cards to access SMC.

Thank you
Thomas Gossard
 
A root user (superuser) has a user id of 0. Therefore to create additional superuser logins, specify that they have a user id of 0.

No idea what RBAC/SMC is. Use the useradd command to add users. This also allows you to specify a user ID.

Greg.
 
Hi,

I would NOT recommend creating multiple accounts with the same UID, especially not UID 0.

You can run into problems because you don't have a correct mapping between ownership and access rights any more (as far as I know, if there are multiple accounts with the same UID, most commands will use the first account in the passwd file that has the correct UID and will ignore the following entries with the same UID).

If multiple people need root access you should definitely install the "sudo" package!!! With sudo you can handle your problem easily without creating "pseudo" root accounts.

See also the discussion in thread80-283382 (it has a link to the sudo main page as well).

Hope that helps

mrjazz [pc2]
 
You can also create a group with the needed privileges, then create one account for each person who needs the access, making them a member of the group.
 
Having seen RBAC in action I'd also recommend you go with sudo, which is much more convenient to manage.

Annihilannic.
 
Hi,

I'm not going to explain how RBAC works, but you do not create user accounts but roles.

One of the main differences is that a role can only be accessed with "su".


To work with roles you should check the following files:

/etc/user_attr
/etc/passwd (not needed; use rol* commands)
/etc/security/auth_attr
/etc/security/exec_attr
"one more which I can recall right now"

You should also check for the rolemod, roleadd, roledel commands.

Sudo is OK but not supported by Sun; also, RBAC comes in by default. You don't specify which Solaris we're talking about, but at least Solaris 9 with Directory 5.1 (default again) works with RBAC classes, which is very interesting and handy.

Check the files and commands; you should lose some time, but not that much, and you already have profiles created by default also.

Best Regards

PS Greg: RBAC - Role Based Access Control; SMC - Sun Management Center, both defaulted since Solaris 8.
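Added example, not part of any post in this thread: a read-only Python audit that parses entries in the `user:qualifier:res1:res2:attr` layout of /etc/user_attr to list which users may assume each role, and flags passwd accounts that share a UID, the situation mrjazz warns about. The sample file contents and the account names alice, bob and carol are constructed for illustration.

```python
# Constructed sample data, not taken from any real system.
SAMPLE_USER_ATTR = """\
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;roles=root;profiles=Printer Management
carol::::type=normal
"""

SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
aroot:x:0:1:Admin A:/export/home/aroot:/bin/ksh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
"""

def parse_user_attr(text):
    """Return {name: {key: [values]}} from user_attr-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # user:qualifier:res1:res2:attr
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = [v.strip() for v in value.split(",")]
        entries[fields[0]] = attrs
    return entries

def role_members(entries):
    """Map each role to the sorted list of users whose roles= names it."""
    roles = {n: [] for n, a in entries.items() if a.get("type") == ["role"]}
    for name, attrs in entries.items():
        for role in attrs.get("roles", []):
            roles.setdefault(role, []).append(name)
    return {r: sorted(m) for r, m in roles.items()}

def shared_uids(passwd_text):
    """Return {uid: [names]} for every UID used by more than one account."""
    by_uid = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            by_uid.setdefault(int(parts[2]), []).append(parts[0])
    return {u: n for u, n in by_uid.items() if len(n) > 1}
```

On a real system the two functions would be fed the contents of /etc/user_attr and /etc/passwd instead of the constructed samples.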




 