Solaris RBAC – creating limited accounts

30 Apr 2010

Solaris has a feature called RBAC, that allows you to provide role-based security (I believe this is similar to SELinux).

All the documentation and examples I’ve seen explain how to setup up a role that allows a normal user to do a higher privileged command (eg manage log files, manage printers). But I haven’t been able to find an example of how to create a limited account, one that is only allowed to run a fixed number of commands. Here’s how I did it:

(Solaris 10 1009 s10x_u8wos_08a X86)

Create a user foo with a profile shell and Limited profile:


Create the Limited profile:

Limited:::Runner of limited commands:

Create an example script:

/usr/sbin/ifconfig -a

Remove default auths and profile from all users. Note – this is required so that the foo user doesn’t get the “Basic Solaris User” profile, which allows all user level binaries to be run. This however affects other accounts and services, and would require further testing:

# sonia AUTHS_GRANTED=solaris.device.cdrw
# sonia PROFS_GRANTED=Basic Solaris User

(As root), check auths and profile of foo user:

# auths foo
auths: foo : No authorizations
# profiles foo
# profiles -l foo
 /export/home/foo/bin/Address    uid=0

As foo user, run Address command:

# su foo
# /export/home/foo/bin/Address
lo0: <snip>     <=== works as required
# ls
ls: not found   <=== as expected - foo user is limited

Create another user, test

  • if the shell is /usr/bin/bash – doesn’t seem to cause problems. However, it may affect services – testing would be required.
  • if the shell is /usr/bin/pfsh:
# ls
ls: not found   <=== ie other accounts with profile shells need a profile explicitly assigned

If the default auths and profile aren’t removed from all users, we get this – foo user is allowed to run all user level binaries (the *):

# auths foo
# profiles foo
 Basic Solaris User
# profiles -l foo
 /export/home/foo/bin/Address    uid=0
comments powered by Disqus

  « Previous: Next: »