
Give a user root privileges RBAC

Oct 22, 2004
Version Sun OS 5.8

Background

We have over 200 users on this box, and I was wanting to give our helpdesk access to create, add and delete users.
So I wrote a menu with options for add user, del user etc.
It works fine, however you must be a root user! NB: I can point a user to only access this app and log them out after.

Problem
I'm really nervous about tampering with the security (P45) etc.... I can't use sudo, but can use su; however I do not want to give out the root password + no Windows rubbish. Also there have been no sysadm users set up; there is only root in etc/user_attr, and I'm assuming that it is treating all other users as standard. Furthermore, if I log on as root and vi the user_attr it is read only, which indicates a command is needed.

Q1. If I create a standard user, is the command to change their role smrole or rolemod? And does this write to the user_attr?

Could someone give an example and explain as I'm really unsure?

Big Thanks to anyone who can help!




 
Not a solaris guy

Thanks John but even manuals @ solaris are not really helpful
also

Not a solaris guy

Join the club!


The script only creates a standard user; there is only one power user on the box, and that is root! All the rest are standard users that, once logged on, go to a finance app. This is why I want to know how to give users roles. I've chmoded the user_attr file then copied the root user to a standard user, however there is still a permission error when you use the app. I don't think that user_attr did anything. I don't want to give sysadmin the same uid as root, which is a bad idea as once you change the sysadmin password root's will change + you can't have the same uid in Solaris.


 
Robert,
Give your sysadmins group 14 privileges. They will be able to create users and do other tasks such as printer maintenance. But, they do not have the full privileges of root.
 
Hi bfitzmai

How do you do that? I'm up for anything!
In the etc/passwd it has

SuperUser
root:x:0:1:Super-User:/:/sbin/sh

Sysadmin User
sysadmin:x:1377:1:System Administrator:/export/home/lisa:/bin/sh

all other users
dochertr:x:1374:102:IS:/export/home/finuser:/bin/sh

The user_attr has only

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All

NOTHING ELSE!!

If I add sysadmin::::type=normal;role=root

it has no effect SO when they create a user it says permission denied.

I also need this user to be able to change passwords

HELP!!!!!!
 
Edit /etc/group and add your users to group 14. This is not RBAC... Group 14 is a default Solaris group.
 
HI bfitzmai


Have tried adding the user sysadmin to group 14, no dice!!!

still permission denied...


If on user_attr I put

root's type = role (this only gives access to root at the console) but I need a couple of users as SUPERUSERS for tracking + run my little app. Ps sysadmin is just a test user...

I know that you can assign user(s) the role of root, however they must have a (role?); however it says you must stop and start the service cache daemon, which I DO NOT want to do as 50 users are on the box (P45!!!) if they are kicked out!!



 
Do an id -a on your test user to make sure the group 14 privileges are set. If your script is just running a useradd or usermod command, group 14 privileges should work. If there is a special command that you are using in your script, something like init, you can set the setuid bit so your users can use them. Let me know.
 

Right, done id -a on sysadmin

uid=1377(sysadmin) gid=1(other) groups=1(other)

with root it's

uid=0(root) gid=1(other) groups=0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7()

this is before adding it to group 14

with group 14 it's

sysadmin::14:admin,russ,lisa,sysadmin
haven't a scoobies who the others are !
uid=1377(sysadmin) gid=1(other) groups=14(sysadmin)

so it's now group 14!

the script is useradd so

/usr/sbin/useradd -u $uid -g $gid -d $dir -m -s $shell -c "$comment" $username

I have Logged on as sysadmin run the script below

Please enter a username you want to create, eg Bondj for James Bond
docherty
Please enter the users full a name and department eg James Bond Warden
is2
Is this correct? Please enter YES (in capitals) to confirm account.
otherwise you will return to menu
YES
UX: /usr/sbin/useradd: ERROR: Permission denied.
If there are no errors above then docherty has now been created.
Press Enter to Return


Doh!!! Permission denied!!!

Cheers Bfitzmai, nice to know someone's willing to try and help!!
 
Gave it a try now that I am at work... You are correct, group 14 does not have access to useradd. Doesn't make sense because group 14 can create user accounts using admintool. I will have some time later today to try other options. Will let you know.
 
Robert,
Did what you needed using RBAC... Will post the procedure tomorrow when I get into work.
 
Nice one Mate

Really can't wait, as I'm starting to look at creating a primary user or seeing if it's been created!!!

but yes, you would have thought that putting users into group 14 would give them the ability to useradd! I'm sure Solaris is Unix's evil twin!!!
 
I put sysadmin as role of root
user_attr

even typed roles
which said root

however the useradd cmd still comes up Permission denied!!!

Permission denied!!!aararaarrarh
 
Here you go Rob,

roleadd -u <id number> -g <group number> -m -d /export/home/<rolename> -s /bin/csh <rolename>

example: roleadd -u 9999 -g 14 -m -d /export/home/sysadmin -s /bin/csh sysadmin

passwd <rolename>

I used default /etc/security/prof_attr entry "System Administrator"

rolemod -P <rolename> "System Administrator"

Verify role entry in /etc/user_attr
Example: sysadmin::::profiles=System Administrator;type=role

useradd -u <userid> -g 14 -m -d /export/home/<username> -s /bin/csh -R rolename <username>
Example: useradd -u 9997 -g 14 -m -d /export/home/testuser -s /bin/csh -R sysadmin testuser

passwd <username>

vi /etc/security/exec_attr
Here are the entries I put into this file:
System Administrator:suser:cmd:::/usr/sbin/useradd:euid=0
System Administrator:suser:cmd:::/usr/sbin/usermod:euid=0
System Administrator:suser:cmd:::/usr/sbin/userdel:euid=0
System Administrator:suser:cmd:::/usr/bin/passwd:euid=0


Now to test user testuser privileges:

su - testuser
su - sysadmin
/usr/sbin/useradd

Entering this command, I get an invalid syntax error because the parameters are invalid... But, I have access to the command.

If this doesn't work, we need to check the set up using the smc gui. If it doesn't work, let me know.
 
arrrrrrrr

ok I tried this and guess what !!


# roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/sh sysadm
6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P sysadm "System Administrator"
UX: rolemod: ERROR: System Administrator does not exist.


Yet

pwd
/export/home/

ls -l

drwxr-xr-x 2 sysadm sysadmin 512 Oct 27 09:44 sysadm

more etc/user_attr

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=All


more /etc/security/prof_attr

System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.htm

id -a sysadm
uid=1382(sysadm) gid=14(sysadmin) groups=14(sysadmin)

roles sysadm
roles: sysadm : No roles
 
You are using Solaris 8. Okay... I have a Sun Blade running Solaris 8... Will try again.
 
Couple things are wrong.

Do not use -s option (default shell) during roleadd command. Shell must be an administrative shell. The default is /bin/pfsh.

This command is wrong:
rolemod -P <rolename> "System Administrator"

Should be:
rolemod -P "System Administrator" <rolename>

Sorry for the confusion... Hope it works better for you this time.
 
So close now, I feel it!!!

# roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/pfsh sysadm
6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P "System Administrator" sysadm


#useradd -u 1383 -g 14 -m -d /export/home/helpdesk -s /bin/pfsh -R sysadm helpdesk


passwd helpdesk


cd /export/home

ls -l

drwxr-xr-x 2 1382 sysadmin 512 Oct 28 09:49 sysadm
drwxr-xr-x 2 1383 sysadmin 512 Oct 28 10:07 helpdesk

tail /etc/passwd

sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh
helpdesk:x:1383:14::/export/home/helpdesk:/bin/pfsh


more /etc/user_attr

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=System Administrator

done exec attr


Yet

logon helpdesk
su sysadm

then do passwd on (user) permission denied

when do -s path

if I look at root it's
more /etc/passwd/
root:x:0:1:Super-User:/:/sbin/sh

instead of pfsh would sbin/sh work? or am I on the wrong track!!
 
User helpdesk has been set up with an Administrative Shell... Should be a normal shell. Check to see if commands like useradd, usermod work.
 
roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/pfsh sysadm

(roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /sbin/sh sysadm)

6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P "System Administrator" sysadm


#useradd -u 1383 -g 14 -m -d /export/home/helpdesk -s /bin/sh -R sysadm helpdesk
ps /bin/sh (what all other users use)

passwd helpdesk


cd /export/home

ls -l

drwxr-xr-x 2 helpdesk sysadmin 512 Oct 28 13:01 helpdesk
drwxr-xr-x 2 sysadm sysadmin 512 Oct 28 13:00 sysadm

tail /etc/passwd
sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh or sbin/sh
helpdesk:x:1383:14::/export/home/helpdesk:/bin/sh


more /etc/user_attr

sysadm::::type=role;profiles=System Administrator
helpdesk::::type=normal;roles=sysadm

done exec attr



Yet

logon helpdesk
su sysadm

then do passwd on (user) permission denied
or
UX: /usr/sbin/useradd: ERROR: Permission denied.

must be missing something but don't know what!!
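
The whole thread is hand-editing four flat files (user_attr, prof_attr, exec_attr and passwd) and then finding out by trial whether su to the role gives "Permission denied". Those files can be checked offline first. The script below is an added example, not code from the posters or from Sun: it parses the file layouts shown in the thread, follows nested profiles in prof_attr (the "System Administrator" profile lists other profiles), reports which commands each account can reach as uid 0 and through which role, and flags the two failure modes the thread runs into: a role created with a shell that is not a profile shell (the -s /sbin/sh attempt), and a role whose profiles resolve to no exec_attr entries at all (the rolemod that never took, or a profile name that does not match exec_attr). The sample file contents are constructed from the entries posted above, and PROFILE_SHELLS is an assumption (the thread names /bin/pfsh).

```python
"""Offline audit of a Solaris RBAC setup: user_attr, prof_attr, exec_attr, passwd.

Added example for this thread, not the posters' or Sun's code. File layouts
follow the entries shown in the thread; the sample contents are constructed.
"""
from collections import defaultdict

PROFILE_SHELLS = {"/bin/pfsh", "/bin/pfcsh", "/bin/pfksh"}  # assumption: shells that apply exec_attr
LIST_KEYS = {"profiles", "roles", "auths"}                  # comma-separated attribute values

# Constructed sample files, modelled on the entries posted in the thread.
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=System Administrator
helpdesk::::type=normal;roles=sysadm
"""
PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
System Administrator:::Can perform most non-security administrative tasks:profiles=Printer Management;help=RtSysAdmin.htm
Printer Management:::Manage printers:help=RtPrntAdmin.html
"""
EXEC_ATTR = """\
All:suser:cmd:::*:
System Administrator:suser:cmd:::/usr/sbin/useradd:euid=0
System Administrator:suser:cmd:::/usr/sbin/usermod:euid=0
System Administrator:suser:cmd:::/usr/sbin/userdel:euid=0
System Administrator:suser:cmd:::/usr/bin/passwd:euid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=0
"""
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh
helpdesk:x:1383:14::/export/home/helpdesk:/bin/sh
"""


def _records(text, nfields):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":", nfields - 1)


def parse_attrs(field):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    attrs = {}
    for item in field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value.split(",") if key in LIST_KEYS else value
    return attrs


def load(user_attr, prof_attr, exec_attr, passwd):
    """Return (users, profs, execs, accounts) parsed from the four file texts."""
    users = {f[0]: parse_attrs(f[4]) for f in _records(user_attr, 5)}   # user:::: attrs
    profs = {f[0]: parse_attrs(f[4]) for f in _records(prof_attr, 5)}   # name:::desc:attrs
    execs = defaultdict(dict)                                           # profile -> {cmd: attrs}
    for f in _records(exec_attr, 7):                                    # name:policy:type:::id:attrs
        execs[f[0]][f[5]] = parse_attrs(f[6])
    accounts = {f[0]: {"uid": f[2], "gid": f[3], "shell": f[6]} for f in _records(passwd, 7)}
    return users, profs, execs, accounts


def expand_profiles(names, profs, seen=None):
    """Transitive closure of a profile list: a prof_attr entry may nest other profiles."""
    seen = set() if seen is None else seen
    for name in names:
        if name not in seen:
            seen.add(name)
            expand_profiles(profs.get(name, {}).get("profiles", []), profs, seen)
    return seen


def reachable(name, users, profs, execs):
    """Map each command the account can reach to (via, attrs).

    'direct' = through the account's own profiles; 'role X' = only after su to role X.
    """
    entry = users.get(name, {})
    sources = [("direct", entry.get("profiles", []))]
    for role in entry.get("roles", []):
        sources.append((f"role {role}", users.get(role, {}).get("profiles", [])))
    result = {}
    for via, names in sources:
        for prof in expand_profiles(names, profs):
            for cmd, attrs in execs.get(prof, {}).items():
                result.setdefault(cmd, (via, attrs))
    return result


def audit(users, profs, execs, accounts):
    """Return findings: uid-0 command grants plus the two failure modes seen in the thread."""
    findings = []
    for name, entry in users.items():
        shell = accounts.get(name, {}).get("shell")
        cmds = reachable(name, users, profs, execs)
        if entry.get("type") == "role":
            if shell not in PROFILE_SHELLS:
                findings.append(f"{name}: role shell {shell} is not a profile shell; "
                                "exec_attr attributes will not be applied")
            if not cmds:
                findings.append(f"{name}: role profiles resolve to no exec_attr entries; "
                                "commands run unprivileged (Permission denied)")
        for cmd, (via, attrs) in sorted(cmds.items()):
            if attrs.get("uid") == "0" or attrs.get("euid") == "0":
                findings.append(f"{name}: runs {cmd} as uid 0 ({via})")
    return findings


if __name__ == "__main__":
    print("== configuration as corrected in the thread ==")
    print("\n".join(audit(*load(USER_ATTR, PROF_ATTR, EXEC_ATTR, PASSWD))))
    print("== same, but the role was created with -s /sbin/sh ==")
    print("\n".join(audit(*load(USER_ATTR, PROF_ATTR, EXEC_ATTR, PASSWD.replace("/bin/pfsh", "/sbin/sh")))))
```

To run it against a real box, pass the contents of /etc/user_attr, /etc/security/prof_attr, /etc/security/exec_attr and /etc/passwd to load() instead of the constructed strings. The useful output is the per-account list of uid-0 commands: it shows at a glance whether the helpdesk user reaches useradd and passwd only by way of the role (as intended) or directly, and whether the role itself would still deny them.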
 