Introducing the Component Interaction Within RBAC

Figure 11-6 shows one relationship between the /etc/security/prof_attr and the /etc/user_attr databases. The Printer Management profile, which is defined in the /etc/security/prof_attr database, is assigned to the sysadmin role in the /etc/user_attr database.

From the /etc/security/prof_attr database:

    Printer Management:::Manage printers, daemons,\
    spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\
    solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/user_attr database:

    root::::type=normal;auth=solaris.*,solaris.grant
    sysadmin::::type=role;profile=Device Management,Printer Management

Figure 11-6 User and Profile Association

Figure 11-7 shows the relationship between the /etc/security/prof_attr and the /etc/security/auth_attr databases. The Printer Management profile is defined in the /etc/security/prof_attr database as having all authorizations beginning with the solaris.admin.printer string assigned to it. These authorizations are defined in the /etc/security/auth_attr database.

From the /etc/security/prof_attr database:

    Printer Management:::Manage printers, daemons, spooling: \
    help=RtPrntAdmin.html;auths=solaris.admin.printer.read, \
    solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/auth_attr database:

    solaris.admin.printer.modify:::Update Printer Information:: \
    help=AuthPrinterModify.html
    solaris.admin.printer.delete:::Delete Printer Information:: \
    help=AuthPrinterDelete.html
    solaris.admin.printer.:::Printer Information::help=AuthPrinterHeader.html
    solaris.admin.printer.read:::View Printer Information:: \
    help=AuthPrinterRead.html

Figure 11-7 Profile and Authorization Association

Configuring Role-Based Access Control (RBAC) Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A 11-13

The /etc/security/exec_attr Database

The /etc/security/exec_attr database holds the execution attributes. An execution attribute associated with a profile is a command, or a script that contains a command with options (because the only way to add options to a command is by using a script). Only the users and roles assigned to this profile can run the command with special security attributes. Special security attributes refer to attributes, such as UID, EUID, GID, and EGID, that can be added to a process when the command is run. The definitions of the execution attributes are stored in the /etc/security/exec_attr database.

Figure 11-8 shows the /etc/security/exec_attr database.

Figure 11-8 The exec_attr Database (diagram of the four databases: auth_attr, Authorization; user_attr, Users and Roles; prof_attr, Profiles; exec_attr, Privileges)

The fields in the /etc/security/exec_attr database are separated by colons:

    name:policy:type:res1:res2:id:attr

where:

name      The name of the profile. Profile names are case sensitive.

policy    The security policy associated with this entry. The suser (superuser policy model) is the only valid policy entry.

type      The type of entity whose attributes are specified. The only valid type is cmd (command).

res1      Reserved for future use.

res2      Reserved for future use.

id        A string identifying the entity. You can use the asterisk (*) wildcard. Commands should have the full path or a path with a wildcard. To specify arguments, write a script with the arguments, and point the id to the script.

attr      An optional list of key-value pairs that describes the security attributes to apply to the entity when executed. You can specify zero or more keys. The list of valid key words depends on the policy being enforced. There are four valid keys: euid, uid, egid, and gid.

          • euid and uid – Contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs set to the UID you specify.

          • egid and gid – Contain a single group name or numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands designated with gid run with both the real and effective GIDs set to the GID you specify.

11-14 Advanced System Administration for the Solaris™ Operating Environment Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A

The following example is part of a /etc/security/exec_attr database with some typical values:

    Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
    Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
    Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
    Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
    Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0

Figure 11-9 shows the relationship between the /etc/security/exec_attr and /etc/security/prof_attr databases.

From the /etc/security/prof_attr database:

    Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:

    Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
    Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
    Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
    Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
    Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
    Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp
    Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
    Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14
    Printer Management:suser:cmd:::/usr/sbin/lpsystem:uid=0
    Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp
    Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp
    Printer Management:suser:cmd:::/usr/bin/cancel:euid=0
    Printer Management:suser:cmd:::/usr/bin/disable:euid=lp
    Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp
    Printer Management:suser:cmd:::/usr/sbin/reject:euid=lp
    Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0
    Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
    Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp

Figure 11-9 Profile and Execution Association

The Printer Management profile lists execution attributes (or commands) with the appropriate security attributes assigned in the /etc/security/exec_attr database.

The /etc/security/auth_attr Database

An authorization is an RBAC feature that grants access to restricted functions. It identifies, by a unique string, what is being authorized, as well as who created the authorization. You cannot create new authorizations. However, system programmers can create and assign authorizations to applications. Certain privileged programs check authorizations to determine whether users can execute restricted functionality. For example, the solaris.jobs.admin authorization is required for a user to edit another user's crontab file.

All authorizations are stored in the /etc/security/auth_attr database. You can assign authorizations directly to users or roles in the /etc/user_attr database. You can also assign authorizations to rights profiles, which are assigned to roles.

Figure 11-10 shows the /etc/security/auth_attr database.

Figure 11-10 The auth_attr Database (diagram of the four databases: auth_attr, Authorization; user_attr, Users and Roles; prof_attr, Profiles; exec_attr, Privileges)

The fields in the /etc/security/auth_attr database are separated by colons, as follows:

    authname:res1:res2:short_desc:long_desc:attr

where:

authname    A unique character string that identifies the authorization in the prefix.suffix[.] format. Authorizations for the Solaris OE use solaris as a prefix. All other authorizations use a prefix that begins with the reverse-order Internet domain name of the organization that creates the authorization (for example, com.xyzcompany). The suffix indicates what is being authorized, typically the functional area and operation.

            When there is no suffix (that is, the authname consists of a prefix, a functional area, and ends with a period), the authname serves as a heading for use by applications in their GUI rather than as an authorization. The authname solaris.printmgr is an example of a heading.

            When authname ends with the word grant, the authname serves as a grant authorization and lets the user delegate related authorizations (that is, authorizations with the same prefix and functional area) to other users. The authname solaris.printmgr.grant is an example of a grant authorization. It gives the user the right to delegate such authorizations as solaris.printmgr.admin and solaris.printmgr.nobanner to other users.

res1        Reserved for future use.

res2        Reserved for future use.

short_desc  A concise name for the authorization that is suitable for displaying in user interfaces.

long_desc   A long description. This field identifies the purpose of the authorization, the applications in which it is used, and the type of user who wants to use it. The long description can be displayed in the help text of an application.

attr        An optional list of key-value pairs that describes the attributes of an authorization. There can be zero or more keys. For example, the keyword help identifies a help file.
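To make the field layouts above and the user, role, profile and authorization chain concrete, here is an added Python example; it is not Sun's code and not part of the course material. It parses constructed sample entries, copied from the figures in this section, for all four databases using the colon-separated formats just described, folds in the AUTHS_GRANTED and PROFS_GRANTED defaults of /etc/security/policy.conf that are covered later in this section, and answers the two questions a reviewer of an RBAC configuration asks first: which authorizations a user or role actually holds, and with which UID or GID the commands of a rights profile run. The function names and result labels are my own, and the wildcard handling for solaris.* is a plain prefix match, an assumption that simplifies what the system's own authorization check does.

```python
# Added example, not Sun's code: a small resolver for the four Solaris RBAC databases
# described in this chapter plus policy.conf. Sample entries are constructed from the
# figures in this section; function names and labels are illustrative.
import re

def read_db(text):
    """Yield field lists; joins backslash-continued lines, skips blanks and # comments."""
    text = re.sub(r"\\\n\s*", "", text)
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.split(":")

def parse_attr(attr):  # 'k=v;k2=v2' -> dict; values stay comma-separated strings
    return dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)

def split_list(value):
    return [x.strip() for x in value.split(",") if x.strip()]

def parse_name_attr(text):  # user_attr (user:qualifier:res1:res2:attr), prof_attr (profname:res1:res2:desc:attr)
    return {f[0]: parse_attr(f[4]) for f in read_db(text)}

def parse_exec_attr(text):  # name:policy:type:res1:res2:id:attr; one profile -> many commands
    rows = {}
    for f in read_db(text):
        rows.setdefault(f[0], []).append((f[5], parse_attr(f[6])))
    return rows

def parse_auth_attr(text):  # authname:res1:res2:short_desc:long_desc:attr
    return {f[0]: {"short": f[3], "attr": parse_attr(f[5])} for f in read_db(text)}

def parse_policy_conf(text):  # AUTHS_GRANTED= / PROFS_GRANTED= apply to every user
    granted = {"AUTHS_GRANTED": [], "PROFS_GRANTED": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in granted:
            granted[key] = split_list(value)
    return granted

def auth_kind(authname):
    """Heading (ends in '.'), grant (last component 'grant'), or an ordinary authorization."""
    if authname.endswith("."):
        return "heading"
    return "grant" if authname.rsplit(".", 1)[-1] == "grant" else "authorization"

def _rights(entry, key):  # the figures write both auths=/auth= and profiles=/profile=
    return split_list(entry.get(key, entry.get(key.rstrip("s"), "")))

def effective_auths(principal, user_attr, prof_attr, policy):
    """Authorizations a user or role holds directly, via its profiles and via policy.conf.
    A role's rights are deliberately not folded into the users allowed to assume it."""
    entry = user_attr.get(principal, {})
    auths = _rights(entry, "auths") + policy["AUTHS_GRANTED"]
    for profile in _rights(entry, "profiles") + policy["PROFS_GRANTED"]:
        auths += split_list(prof_attr.get(profile, {}).get("auths", ""))
    return sorted(set(auths))

def has_auth(principal, wanted, user_attr, prof_attr, policy):
    """Exact match, or a wildcard entry such as solaris.* that covers the prefix (assumption)."""
    return any(a == wanted or (a.endswith("*") and wanted.startswith(a[:-1]))
               for a in effective_auths(principal, user_attr, prof_attr, policy))

def assumable_roles(user, user_attr):  # a role's rights are reached only by su to the role
    return [r for r in _rights(user_attr.get(user, {}), "roles")
            if user_attr.get(r, {}).get("type") == "role"]

def profile_commands(profile, exec_attr):
    """(command path, how the process runs) for each execution attribute of a profile."""
    labels = {"uid": "real and effective UID {}", "euid": "effective UID {} (like setuid)",
              "gid": "real and effective GID {}", "egid": "effective GID {} (like setgid)"}
    return [(path, ", ".join(fmt.format(attr[k]) for k, fmt in labels.items() if k in attr)
                   or "no special attributes")
            for path, attr in exec_attr.get(profile, [])]

# Constructed sample databases, taken from Figures 11-6 to 11-12 and the policy.conf listing.
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
"""
PROF_ATTR = """\
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\\
solaris.admin.printer.modify,solaris.admin.printer.delete
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.admin.printer.read;profiles=All
"""
EXEC_ATTR = """\
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
"""
AUTH_ATTR = """\
solaris.*:::Primary Administrator::help=PriAdmin.html
solaris.device.:::Device Allocation::help=DevAllocHeader.html
solaris.device.grant:::Delegate Device Administration::help=DevGrant.html
solaris.system.date:::Set Date & Time::help=SysDate.html
"""
POLICY_CONF = "# constructed sample\nAUTHS_GRANTED=solaris.device.cdrw\nPROFS_GRANTED=Basic Solaris User\n"

USER, PROF = parse_name_attr(USER_ATTR), parse_name_attr(PROF_ATTR)
EXEC, AUTH, POLICY = parse_exec_attr(EXEC_ATTR), parse_auth_attr(AUTH_ATTR), parse_policy_conf(POLICY_CONF)

if __name__ == "__main__":
    for who in ("johndoe", "sysadmin", "root"):
        print(who, "holds", effective_auths(who, USER, PROF, POLICY), "may assume", assumable_roles(who, USER))
    for path, how in profile_commands("Printer Management", EXEC):
        print(path, "->", how)
```

Two results are worth noticing when you run it. johndoe does not hold solaris.admin.printer.modify even though he is listed with roles=sysadmin, because a role's profiles only apply once the role is assumed; and every principal, even one with no user_attr entry, holds solaris.device.cdrw, because policy.conf grants it to all users. Both are the kind of thing to check when reviewing who can really run what.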
The following is an example of an /etc/security/auth_attr database, with some typical values:

    solaris.*:::Primary Administrator::help=PriAdmin.html
    solaris.grant:::Grant All Rights::help=PriAdmin.html
    solaris.device.:::Device Allocation::help=DevAllocHeader.html
    solaris.device.allocate:::Allocate Device::help=DevAllocate.html
    solaris.device.config:::Configure Device Attributes::help=DevConfig.html
    solaris.device.grant:::Delegate Device Administration::help=DevGrant.html
    solaris.device.revoke:::Revoke or Reclaim Device::help=DevRevoke.html

Note – The solaris.device. entry is defined as a heading, because it ends in a dot (.). Headings are used by the GUI to organize families of authorizations.

Figure 11-11 shows the relationship between the /etc/security/auth_attr and the /etc/user_attr databases. The solaris.system.date authorization, which is defined in the /etc/security/auth_attr database, is assigned to the user johndoe in the /etc/user_attr database.

From the /etc/security/auth_attr database:

    solaris.*:::Primary Administrator::help=PriAdmin.html
    solaris.system.date:::Set Date & Time::help=SysDate.html

From the /etc/user_attr database:

    johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

Figure 11-11 User, Role, and Authorization Association

Relationships Between the Four RBAC Databases

Figure 11-12 shows how the fields of the four databases are related.

From the /etc/security/auth_attr database:

    solaris.system.date:::Set Date & Time::help=SysDate.html

From the /etc/user_attr database:

    sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
    johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

From the /etc/security/prof_attr database:

    Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:

    Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
    Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
    Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
    Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
    Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0

Figure 11-12 Relationship Between the Four RBAC Databases

The /etc/security/policy.conf File

The /etc/security/policy.conf file lets you grant specific rights profiles and authorizations to all users. The two types of entries in the file consist of key-value pairs, as follows:

• AUTHS_GRANTED=authorizations, where authorizations refers to one or more authorizations

• PROFS_GRANTED=right_profiles, where right_profiles refers to one or more rights profiles

Some typical values from an /etc/security/policy.conf file are shown in the following example:

    # cat policy.conf
    #
    # Copyright (c) 1999-2001 by Sun Microsystems, Inc. All rights reserved.
    #
    # /etc/security/policy.conf
    #
    # security policy configuration for user attributes. see policy.conf(4)
    #
    #ident "@(#)policy.conf 1.5 01/03/26 SMI"
    #
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User

The solaris.device.cdrw authorization provides access to the cdrw command.

    # grep 'solaris.device.cdrw' /etc/security/auth_attr
    solaris.device.cdrw:::CD-R/RW Recording Authorizations::help=DevCDRW.html

The Basic Solaris User profile grants users access to all listed authorizations. The profiles=All field grants unrestricted access to all Solaris OE commands that have not been restricted by a definition in a previously listed authorization.

    # grep 'Basic Solaris User' /etc/security/prof_attr
    Basic Solaris User:::Automatically assigned rights:
    auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,
    solaris.admin.usermgr.read,solaris.admin.logsvc.read,
    solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,
    solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
    solaris.compsys.read,solaris.admin.printer.read,
    solaris.admin.prodreg.read,solaris.admin.dcmgr.read,
    solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,
    solaris.network.hosts.read,solaris.admin.volmgr.read;profiles=All;
    help=RtDefault.html

Performing Smartcard Administration

Double-click Card Readers. The Card Readers window appears, as shown in Figure 12-5.

Figure 12-5 Card Readers Window

To add a reader, double-click Add Reader.

Enabling a Card Reader

You must enable a card reader before you can use it. The internal card reader is available with the Sun Blade systems. The external card reader is connected to a serial port and has a power connection through the keyboard connector.

Assuming an external card reader is connected, select Sun SCRI External Card Terminal Reader from the list of supported card readers, as shown in Figure 12-6.

Figure 12-6 Add Reader Window

Click OK to continue.

Performing Smartcard Authentication Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A 12-9

In the Card Readers: SunCardReader window:

    a. Choose a device port from the Device drop-down menu, as shown in Figure 12-7.
    b. Select an Activation status.

Figure 12-7 Card Readers: SunCardReader Window

Click OK to continue. When you select the activation status for the card reader, the Intervention Required window appears, as shown in Figure 12-8.

Figure 12-8 Intervention Required Window

Click Restart OCF Now.

After you select the restart option for the OCF server, another window appears with the message OCF Server Restarted, as shown in Figure 12-9.

Figure 12-9 Informational Message Window

Click OK to return to the Smartcard Console window. When you enable the card reader, its icon appears in the Card Readers window's View pane, as shown in Figure 12-10, and the Smartcard reader is successfully enabled.

Figure 12-10 Card Readers Window – View Pane

Activating Card Services

To activate Smartcard services, perform the following steps:

1. From the Navigation pane in the Card Services window, click Card Services. The Smartcards known to the server are displayed, as shown in Figure 12-11.

Figure 12-11 Card Services Window

2. Double-click one of the Smartcard icons in the View pane. For example, click the Sun PayFlex icon. The Card Services window launches, as shown in Figure 12-12 on page 12-13.

3. In the Card Services window, either:

    • Deactivate the set of services by selecting Deactivate Sun PayFlex services and then clicking OK.
    • Keep the Sun PayFlex services activated by clicking OK to continue.

   The services that are currently supported by the selected card type are displayed, as shown in Figure 12-12. The services are either all on or all off.

Figure 12-12 Card Services: Sun PayFlex Window

4. Click OK.

Adding Support for a New Smartcard

The answer-to-reset (ATR) property contains numeric values that identify the Smartcard version. When the Smartcard is first inserted into the reader, it is powered on or reset. The Smartcard must respond with a recognized ATR for communications with the server to continue. Smartcard manufacturers supply the ATR property. When you set up Smartcards, you must identify the ATR on the Smartcard to the OCF server.

To add support for a new Smartcard, perform the following steps:

1. Insert your PayFlex Smartcard into the card reader.

2. Double-click the Smart Cards icon.

3. Double-click the PayFlex icon in the View pane, as shown in Figure 12-13.

Figure 12-13 Smart Cards Window

Note – You must change the ATR on a system if the manufacturer of the Smartcard that you are using issues a new card type with a different ATR.

   The Smart Card: PayFlex window appears and displays the known ATRs for that type of card. For example, the known PayFlex models are displayed, as shown in Figure 12-14.

Figure 12-14 Smart Card: PayFlex Window

4. Because the PayFlex Smartcard currently in use has an ATR that is not known to the default OCF server configuration, you must add this ATR to the ATR list recognized by the server. Click Add to add the ATR. The Add ATR window appears, as shown in Figure 12-15.

Figure 12-15 Add ATR Window

5. Select the ATR that is highlighted in blue to move the new ATR information into the input field at the top of the window.

Note – If the ATR does not appear in the Add ATR window, verify that the Smartcard is inserted with the correct side up. If the ATR still does not appear, contact the card manufacturer for the ATR number, and manually enter the number.

6. Click OK to add this ATR to the list of currently known ATRs. The new ATR is displayed, as shown in Figure 12-16.

Figure 12-16 Answer to Reset (ATR) Numbers for Each Model List Box

7. After the OCF server recognizes the Smartcard, select the activation status.

8. Click OK to continue.

Loading the Smartcard Applet to a Smartcard

The SolarisAuthApplet applet contains the functions needed to store and use a user's profile information. You must load the applet onto all card types supported by Solaris Smartcards.

To load the Smartcard applet to a Smartcard, perform the following steps:

1. From the SmartCard Console, click the Load Applets icon. The View pane displays the available applets, as shown in Figure 12-17. In this example, the SolarisAuthApplet is the only applet supported at this time.

Figure 12-17 SmartCard Console Window – Load Applets

2. Double-click the applet icon. The Load Applets window appears, as shown in Figure 12-18.

Figure 12-18 Load Applets Window

3. Select the correct SolarisAuth applet for the card currently in the reader.

4. Click the arrow to move the applet to the right box, and click Install. The Loading Applet to Device window appears, as shown in Figure 12-19.

Figure 12-19 Loading Applet to Device Window

5. Click OK to continue loading the applet.

Note – It might take 30 seconds or more to load the applet. During this time, nothing appears on the screen.

   When the applet is loaded, the Applet Installation Successful window appears, as shown in Figure 12-20.

Figure 12-20 Applet Installation Successful Window

Note – The PayFlex Smartcards do not have the capability to delete or reload applets.

6. Click OK to continue.

Creating User Information on a Smartcard

After the SolarisAuth applet is loaded onto the Smartcard, you configure the Smartcard for the user.

To create user information on a Smartcard:

1. In the Smartcard Console window, click the Configure Applets icon in the Navigation pane. The available Cards and Readers appear, as shown in Figure 12-21.

Figure 12-21 Smartcard Console

2. Double-click the PayFlex/SunCardReader icon. The Configure Applets: PayFlex window appears, as shown in Figure 12-22.

Figure 12-22 Configure Applets: PayFlex Window

3. In the left field, click the applet in the applets list. There is only one applet to configure, as shown in Figure 12-22.