Give a user root privileges RBAC

(OP)
Version: SunOS 5.8

Background

We have over 200 users on this box, and I was wanting to give our helpdesk access to create, add and delete users.
So I wrote a menu with options for add user, del user etc.
It works fine, however you must be a root user! NB I can point a user to only access this app and log them out after.

Problem
I'm really nervous about tampering with the security (P45) etc.... I can't use sudo, but can use su, however I do not want to give out the root password + no Windows rubbish. Also there have been no sysadm users set up; there is only root in /etc/user_attr. I'm assuming that it is using all other users as standard. Furthermore if I log on as root and vi the user_attr it is read only, which indicates a command is needed.

Q1. If I create a standard user, is the command to change their role smrole or rolemod? And does this write to the user_attr?

Could someone give an example and explain as I'm really unsure?

Big Thanks to anyone who can help!

 


RE: Give a user root privileges RBAC

Maybe http://www.webmin.com/solaris.html

Can you create a restricted user with a shell of your script and have them login as that user and then log connection if you need to track?

Not a solaris guy but maybe this'll help.


-john

RE: Give a user root privileges RBAC

(OP)
Not a solaris guy

Thanks John, but even the manuals @ solaris are not really helpful.
also

Not a solaris guy

Join the club!


The script only creates a standard user; the only power user within the box is root! All the rest are standard users that once logged on go to a finance app. This is why I want to know how to give users roles. I've chmoded the user_attr file then copied the root user to a standard user, however there is still a permission error when you use the app. I don't think that user_attr did anything. I don't want to give sysadmin the same uid as root, which is a bad idea as once you change the sysadmin pwd root's will change + you can't have the same uid in solaris.


   

RE: Give a user root privileges RBAC

Robert,
Give your sysadmins group 14 privileges. They will be able to create users and do other tasks such as printer maintenance. But they do not have the full privileges of root.

RE: Give a user root privileges RBAC

(OP)
Hi bfitzmai

How do you do that? I'm up for anything!
In /etc/passwd it has

SuperUser
root:x:0:1:Super-User:/:/sbin/sh

Sysadmin User
sysadmin:x:1377:1:System Administrator:/export/home/lisa:/bin/sh

all other users
dochertr:x:1374:102:IS:/export/home/finuser:/bin/sh

The user_attr has only

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All

NOTHING ELSE!!

If I add sysadmin::::type=normal;role=root

it has no effect, SO when they create a user it says permission denied.

I also need this user to be able to change passwords

HELP!!!!!!

RE: Give a user root privileges RBAC

Edit /etc/group and add your users to group 14. This is not RBAC... Group 14 is a default Solaris group.

RE: Give a user root privileges RBAC

(OP)
Hi bfitzmai


Have tried the user sysadmin in group 14, no dice!!!

still permission denied...


If in user_attr I put

root's type = role (this only gives access to root at the console) but I need a couple of users as SUPERUSERS for tracking + to run my little app. PS sysadmin is just a test user...

I know that you can assign a user/s with the role of root, however they must have a (role?), however it says you must stop and start the service cache daemon which I DO NOT want to do as 50 users are on the box (P45!!!) if they are kicked out!!

  

RE: Give a user root privileges RBAC

Do an id -a on your test user to make sure the group 14 privileges are set. If your script is just running a useradd or usermod command, group 14 privileges should work. If there is a special command that you are using in your script, something like init, you can set the setuid bit so your users can use them. Let me know.

RE: Give a user root privileges RBAC

(OP)

Right, done id -a on sysadmin

uid=1377(sysadmin) gid=1(other) groups=1(other)

with root it's

uid=0(root) gid=1(other) groups=0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7()

this is before adding it to group 14

with group 14 it's

sysadmin::14:admin,russ,lisa,sysadmin
haven't a scoobies who the others are!
uid=1377(sysadmin) gid=1(other) groups=14(sysadmin)

so it's now group 14!

the script is useradd, so

/usr/sbin/useradd -u "$uid" -g "$gid" -d "$dir" -m -s "$shell" -c "$comment" "$username"

I have logged on as sysadmin and run the script below

Please enter a username you want to create, eg Bondj for James Bond
docherty
Please enter the users full a name and department eg James Bond Warden
is2
Is this correct? Please enter YES (in capitals) to confirm account.
otherwise you will return to menu
YES
UX: /usr/sbin/useradd: ERROR: Permission denied.
If there are no errors above then docherty has now been created.
Press Enter to Return


doh!!! Permission denied!!!

Cheers bfitzmai, nice to know someone's willing to try and help!!

RE: Give a user root privileges RBAC

Gave it a try now that I am at work... You are correct, group 14 does not have access to useradd. Doesn't make sense because group 14 can create user accounts using admintool. I will have some time later today to try other options. Will let you know.

RE: Give a user root privileges RBAC

Robert,
Did what you needed using RBAC... Will post the procedure tomorrow when I get into work.

RE: Give a user root privileges RBAC

(OP)
Nice one Mate

Really can't wait, as I'm starting to look at creating a primary user or see if it's been created!!!

but yes you would have thought that putting users into group 14 would give them the ability to useradd! I'm sure Solaris is Unix's evil twin!!!

RE: Give a user root privileges RBAC

(OP)
I put sysadmin as role of root in
user_attr

even typed roles
which said root

however the useradd cmd still comes up Permission denied!!!

Permission denied!!! aararaarrarh

RE: Give a user root privileges RBAC

Here you go Rob,

roleadd -u <id number> -g <group number> -m -d /export/home/<rolename> -s /bin/csh <rolename>

example: roleadd -u 9999 -g 14 -m -d /export/home/sysadmin -s /bin/csh sysadmin

passwd <rolename>

I used the default /etc/security/prof_attr entry "System Administrator"

rolemod -P <rolename> "System Administrator"

Verify the role entry in /etc/user_attr
Example: sysadmin::::profiles=System Administrator;type=role

useradd -u <userid> -g 14 -m -d /export/home/<username> -s /bin/csh -R rolename <username>
Example: useradd -u 9997 -g 14 -m -d /export/home/testuser -s /bin/csh -R sysadmin testuser

passwd <username>

vi /etc/security/exec_attr
Here are the entries I put into this file:
System Administrator:suser:cmd:::/usr/sbin/useradd:euid=0
System Administrator:suser:cmd:::/usr/sbin/usermod:euid=0
System Administrator:suser:cmd:::/usr/sbin/userdel:euid=0
System Administrator:suser:cmd:::/usr/bin/passwd:euid=0


Now to test user testuser privileges:

su - testuser
su - sysadmin
/usr/sbin/useradd

Entering this command, I get an invalid syntax error because the parameters are invalid... But I have access to the command.

If this doesn't work, we need to check the set up using the smc gui. If it doesn't work, let me know.

RE: Give a user root privileges RBAC

(OP)
arrrrrrrr

ok I tried this and guess what!!


# roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/sh sysadm
6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P sysadm "System Administrator"
UX: rolemod: ERROR: System Administrator does not exist.


Yet

pwd
/export/home/

ls -l

drwxr-xr-x   2 sysadm   sysadmin     512 Oct 27 09:44 sysadm

more /etc/user_attr

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=All


more /etc/security/prof_attr

System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.htm

id -a sysadm
uid=1382(sysadm) gid=14(sysadmin) groups=14(sysadmin)

roles sysadm
roles: sysadm : No roles

RE: Give a user root privileges RBAC

You are using Solaris 8. Okay... I have a Sun Blade running Solaris 8... Will try again.

RE: Give a user root privileges RBAC

A couple of things are wrong.

Do not use the -s option (default shell) during the roleadd command. The shell must be an administrative shell. The default is /bin/pfsh.

This command is wrong:
rolemod -P <rolename> "System Administrator"

Should be:
rolemod -P "System Administrator" <rolename>

Sorry for the confusion... Hope it works better for you this time.

RE: Give a user root privileges RBAC

(OP)
So close now, I can feel it!!!

# roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/pfsh sysadm
6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P "System Administrator" sysadm


# useradd -u 1383 -g 14 -m -d /export/home/helpdesk -s /bin/pfsh -R sysadm helpdesk


passwd helpdesk


cd /export/home

ls -l

drwxr-xr-x   2 1382     sysadmin     512 Oct 28 09:49 sysadm
drwxr-xr-x   2 1383     sysadmin     512 Oct 28 10:07 helpdesk

tail /etc/passwd

sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh
helpdesk:x:1383:14::/export/home/helpdesk:/bin/pfsh


more /etc/user_attr

root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=System Administrator

done exec attr


Yet

logon helpdesk
su sysadm

then do passwd on (user): permission denied

when do -s path

if I look at root in
more /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh

instead of pfsh would /sbin/sh work? or am I on the wrong track!!

RE: Give a user root privileges RBAC

User helpdesk has been set up with an Administrative Shell... Should be a normal shell. Check to see if commands like useradd, usermod work.

RE: Give a user root privileges RBAC

(OP)
roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /bin/pfsh sysadm

(roleadd -u 1382 -g 14 -m -d /export/home/sysadm -s /sbin/sh sysadm)

6 blocks
# passwd sysadm
New Password:
Re-enter new Password:
passwd: password successfully changed for sysadm

# rolemod -P "System Administrator" sysadm


# useradd -u 1383 -g 14 -m -d /export/home/helpdesk -s /bin/sh -R sysadm helpdesk
PS: /bin/sh (what all other users use)

passwd helpdesk


cd /export/home

ls -l

drwxr-xr-x   2 helpdesk sysadmin     512 Oct 28 13:01 helpdesk
drwxr-xr-x   2 sysadm   sysadmin     512 Oct 28 13:00 sysadm

tail /etc/passwd
sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh  (or /sbin/sh)
helpdesk:x:1383:14::/export/home/helpdesk:/bin/sh


more /etc/user_attr

sysadm::::type=role;profiles=System Administrator
helpdesk::::type=normal;roles=sysadm

done exec attr



Yet

logon helpdesk
su sysadm

then do passwd on (user): permission denied
or
UX: /usr/sbin/useradd: ERROR: Permission denied.

must be missing something but don't know what!!

RE: Give a user root privileges RBAC

Rob,
Didn't forget you. I just can't get RBAC to work with Solaris 8. I even created a new profile with just the commands you need. When I bring up Solaris Management Console, I see all the proper information. Don't give up hope yet, it hasn't defeated me yet!!!

RE: Give a user root privileges RBAC

(OP)
PLEASE PLEASE can someone help me.......... I've fallen and can't get up! Seriously, any help on this or pointers would be great!!!

RE: Give a user root privileges RBAC

Rob,

You said earlier that you can't use sudo - that would obviously be the best and most widely used way of doing it...

Is the reason you can't use it a corporate one?

Mike

"Deliver me from that bane of civilised life; teddy bear envy."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

RE: Give a user root privileges RBAC

By default, RBAC files are open to public, which is a security concern.

I prefer using sudo and recommend it.

Chandra.

RE: Give a user root privileges RBAC

(OP)
Dear Chandra, Mike

I would really love to use sudo but can't in this Solaris version.

The reason is that it doesn't exist!! If you do a man on sudo it doesn't like it; also in Unix the sudo file usually hangs around in /etc/ and I can happily tell you it is not there!!

So if anyone knows how to clone root or make a cut-down version I'm all ears!!

NB you can't put the uid to 0 as it tells you where to go!!

RE: Give a user root privileges RBAC

Hi robert3975,

I was looking for something in my Solaris 8 Sys Admin 2 course notes yesterday when I came across a worked example of creating an RBAC user (Role-Based Access Control).  We don't actually use this concept at the site where I work, so I couldn't answer any questions about RBAC, but I do remember doing this on the course and seeing it work.

Here is the scenario and what we did:
Create the user "james" with role "butler".  Once james assumes the role he will be allowed to shutdown the system and run the snoop command.

Files modified:
   /etc/passwd
   /etc/group
RBAC Database files used/modified:
   /etc/user_attr
   /etc/security/prof_attr
   /etc/security/exec_attr
   /etc/security/auth_attr

Procedure.
1. Create the new user with the useradd command:
   useradd -u 1001 -g 10 -d /export/home/james -m -s /usr/bin/ksh james

2. Set password for the user:
   passwd james

Test steps 1 & 2
   cat /etc/passwd
   cat /etc/shadow
   ls -al /export/home/james

3. Create the role (butler) using the roleadd command and set the password:
   roleadd -u 1002 -g 10 -d /export/home/butler -m butler
   passwd butler

Test step 3
   cat /etc/passwd
   cat /etc/user_attr
      (see the following line at the end)
      butler::::type=role;profiles=All
   cat /etc/shadow

4. Create the profile for the role to use:
   vi /etc/security/prof_attr
      (add the following lines at the end)
      Shut:::Able to shutdown the system:
      Snoop:::Able to use the snoop command:

5. Assign the commands to execute to the profile:
   vi /etc/security/exec_attr
      (add the following lines at the end)
      Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
      Snoop:suser:cmd:::/usr/sbin/snoop:uid=0

NB: ensure the names in /etc/security/prof_attr and /etc/security/exec_attr are the same

6. Update the role:
   rolemod -P Shut,Snoop,All butler

Test step 6
   cat /etc/user_attr
      (see the following line at the end)
      butler::::type=role;profiles=Shut,Snoop,All

7. Assign the role to the user:
   usermod -R butler james

Test step 7
   cat /etc/user_attr
      (see the following lines at the end)
      butler::::type=role;profiles=Shut,Snoop,All
      james::::type=normal;roles=butler

8. Test the role works:
   As root, su - james (shouldn't need a password from root)
      try using the shutdown and snoop commands (should not have the permissions)
   Then, su - butler (should need the password)
      try using the shutdown and snoop commands (should now work)


So it looks like you need just the one role: to create accounts (using useradd), modify accounts (using usermod) and delete accounts (using userdel). Personally I wouldn't allow anyone else to delete accounts, just in case they type root instead of olduser (just to see what would happen)!!

I hope it works for you as it did for me on the course.

Mike
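
A static check for the procedure bfitzmai posted above and for the course-notes example, added here as an illustration and not part of any post in this thread. Several of the attempts above trip over conditions that can be read straight out of the files: the role's login shell in /etc/passwd has to be a profile shell (pfsh, pfcsh or pfksh; a plain /bin/sh never consults exec_attr, so the entries there are dead weight), every profile named in the role's user_attr line has to exist in prof_attr (the argument-order mistake produced a loud "does not exist", but a misspelt name that rolemod accepts would grant nothing without a word), and exec_attr has to carry a uid=0 or euid=0 entry for each command under one of those profiles or a profile they include; the All profile grants every command but with no uid attribute, which is why profiles=All on its own could never get useradd past "Permission denied". The script reads copies of passwd, user_attr, prof_attr and exec_attr from one directory; that layout, the function names and the sample entries (modelled on the thread, not copied from a system) are assumptions for the demo. It runs on any POSIX sh with awk, so it can be tried off the box.

```shell
#!/bin/sh
# rbac_check.sh: static consistency check of a Solaris 8 RBAC role. Added
# example for this thread, not code from any post. It reads copies of passwd,
# user_attr, prof_attr and exec_attr from ONE directory (assumption for the demo;
# on the box they live in /etc and /etc/security).

# Value of key $1 from a ';'-separated key=value attribute string on stdin.
kv_get() {
    tr ';' '\n' | awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# Expand a comma-separated profile list through the profiles= sub-lists in
# prof_attr ($1). Prints "DEF name" or "UNDEF name" once per reachable profile.
expand_profiles() {
    awk -F: -v start="$2" '
        /^#/ || NF == 0 { next }
        { known[$1] = 1
          n = split($5, kv, ";")
          for (i = 1; i <= n; i++)
              if (kv[i] ~ /^profiles=/) { sub(/^profiles=/, "", kv[i]); subs[$1] = kv[i] } }
        END {
            tail = split(start, queue, ",")
            for (head = 1; head <= tail; head++) {
                p = queue[head]
                if (p == "" || p in seen) continue
                seen[p] = 1
                if (!(p in known)) { print "UNDEF " p; continue }
                print "DEF " p
                if (p in subs) { k = split(subs[p], s, ","); for (j = 1; j <= k; j++) queue[++tail] = s[j] }
            }
        }' "$1"
}

# Succeed, printing "profile:attrs", if exec_attr ($1) grants command $3 with
# uid=0 or euid=0 under one of the comma-separated profiles in $2. The All
# profile's wildcard entry carries no attributes, so it never satisfies this.
cmd_grant() {
    awk -F: -v plist="$2" -v want="$3" '
        BEGIN { n = split(plist, p, ","); for (i = 1; i <= n; i++) if (p[i] != "") ok[p[i]] = 1 }
        /^#/ || NF == 0 { next }
        ($1 in ok) && $3 == "cmd" && ($6 == want || $6 == "*") && $7 ~ /(^|;)e?uid=0(;|$)/ {
            print $1 ":" $7; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# Check role $2, defined by the files in directory $1, against the commands that
# follow. One PASS/FAIL/INFO line per finding; exit 0 only if nothing FAILed.
rbac_check() {
    dir=$1; role=$2; shift 2; rc=0
    shell=$(awk -F: -v r="$role" '$1 == r { print $7; exit }' "$dir/passwd")
    case "${shell##*/}" in
        pfsh|pfcsh|pfksh) echo "PASS shell $shell is a profile shell" ;;
        *) echo "FAIL shell '$shell' is not a profile shell; exec_attr is never consulted"; rc=1 ;;
    esac
    attrs=$(awk -F: -v r="$role" '$1 == r { print $5; exit }' "$dir/user_attr")
    type=$(printf '%s\n' "$attrs" | kv_get type)
    if [ "$type" = role ]; then echo "PASS user_attr type=role"
    else echo "FAIL user_attr type='$type' (want role)"; rc=1; fi
    expanded=$(expand_profiles "$dir/prof_attr" "$(printf '%s\n' "$attrs" | kv_get profiles)")
    undef=$(printf '%s\n' "$expanded" | awk '$1 == "UNDEF" { sub(/^UNDEF /, ""); printf "%s%s", s, $0; s = "," }')
    defined=$(printf '%s\n' "$expanded" | awk '$1 == "DEF" { sub(/^DEF /, ""); printf "%s%s", s, $0; s = "," }')
    [ -z "$undef" ] || { echo "FAIL profile(s) not in prof_attr: $undef"; rc=1; }
    [ -n "$defined" ] || { echo "FAIL role has no usable profiles= entry"; rc=1; }
    for cmd in "$@"; do
        if grant=$(cmd_grant "$dir/exec_attr" "$defined" "$cmd"); then echo "PASS $cmd via $grant"
        else echo "FAIL $cmd has no uid=0/euid=0 entry under: ${defined:-<none>}"; rc=1; fi
    done
    users=$(awk -F: -v r="$role" '$5 ~ ("(^|;)roles=([^;]*,)?" r "(,|;|$)") { printf "%s ", $1 }' "$dir/user_attr")
    echo "INFO users allowed to su to $role: ${users:-<none>}"
    return $rc
}

# Constructed sample databases modelled on the thread (not copied from a system).
# "broken" mirrors the first attempt (shell /bin/sh, profiles=All); anything else
# writes the corrected layout.
write_sample() {
    d=$1
    if [ "$2" = broken ]; then rshell=/bin/sh; rprof=All
    else rshell=/bin/pfsh; rprof="System Administrator"; fi
    cat > "$d/passwd" <<EOF
root:x:0:1:Super-User:/:/sbin/sh
sysadm:x:1382:14::/export/home/sysadm:$rshell
helpdesk:x:1383:14::/export/home/helpdesk:/bin/sh
EOF
    cat > "$d/user_attr" <<EOF
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=$rprof
helpdesk::::type=normal;roles=sysadm
EOF
    cat > "$d/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
System Administrator:::Can perform most non-security administrative tasks:profiles=User Management,All;help=RtSysAdmin.htm
User Management:::Manage users and groups:help=RtUserMngmnt.html
EOF
    cat > "$d/exec_attr" <<'EOF'
All:suser:cmd:::*:
System Administrator:suser:cmd:::/usr/sbin/useradd:euid=0
User Management:suser:cmd:::/usr/bin/passwd:euid=0
EOF
}

# Stand-alone run: the thread's first attempt, then the corrected layout.
tmp=$(mktemp -d)
for v in broken fixed; do
    mkdir -p "$tmp/$v"; write_sample "$tmp/$v" "$v"; echo "== $v =="
    rbac_check "$tmp/$v" sysadm /usr/sbin/useradd /usr/bin/passwd || echo "=> sysadm would still get Permission denied"
done
rm -rf "$tmp"
```

On the box, copy the four files into a scratch directory and run rbac_check <dir> sysadm /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel /usr/bin/passwd as root before testing with su. What a file-level check cannot see is runtime state, for instance whether a name service cache daemon is still serving old copies of the databases after they were edited.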

RE: Give a user root privileges RBAC

(OP)
Cheers Mike, I'll give this a bash!! hmm, never thought of deleting root! but my helpdesk team are pretty good as they can create/delete or change passwords on our DG/UX box, so I think I should be ok.

However, if I use sudo will this stop them deleting root?
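
On that last question: sudo can pin exact arguments in sudoers, but a rule that grants /usr/sbin/userdel with any argument, and an exec_attr entry (which never looks at arguments at all), both allow "userdel root" exactly as readily as "userdel olduser". The only thing that stops it is the menu script refusing. The guard below is an added example, not the OP's menu: it reads passwd and user_attr, refuses uid 0, system accounts, members of the admin group and RBAC roles, and logs every decision with the invoking user's name. The single-directory layout, the MIN_UID and ADMIN_GID thresholds and the sample entries (modelled on the thread's lines) are assumptions for the demo.

```shell
#!/bin/sh
# Guard for the helpdesk menu: refuse account commands against protected
# accounts. Added example, not the OP's script. Assumptions for the demo:
# passwd and user_attr sit in one directory, uids below MIN_UID are system
# accounts, and ADMIN_GID is the helpdesk/admin group (14 in the thread).
MIN_UID=${MIN_UID:-100}
ADMIN_GID=${ADMIN_GID:-14}

# Print "ok" and succeed if $2 is an ordinary account according to $1/passwd
# and $1/user_attr; otherwise print the reason and fail.
account_ok() {
    dir=$1; target=$2
    case "$target" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad login name '$target'"; return 1 ;;
    esac
    entry=$(awk -F: -v u="$target" '$1 == u { print $3 ":" $4; exit }' "$dir/passwd")
    [ -n "$entry" ] || { echo "no such user"; return 1; }
    case "$entry" in *[!0-9:]*|:*|*:) echo "malformed passwd entry"; return 1 ;; esac
    uid=${entry%%:*}; gid=${entry#*:}
    [ "$uid" -ne 0 ] || { echo "uid 0"; return 1; }
    [ "$uid" -ge "$MIN_UID" ] || { echo "system account (uid $uid)"; return 1; }
    [ "$gid" -ne "$ADMIN_GID" ] || { echo "member of admin group $ADMIN_GID"; return 1; }
    if awk -F: -v u="$target" '$1 == u && $5 ~ /(^|;)type=role(;|$)/ { f = 1 } END { exit !f }' "$dir/user_attr"; then
        echo "RBAC role"; return 1
    fi
    echo ok
}

# Run the command in $3... with the login name appended, only if the guard
# passes; every decision goes to stderr with the invoking user's identity
# (route it through logger to syslog in production).
guarded() {
    target=$1; dir=$2; shift 2
    who=$(id -un 2>/dev/null || echo unknown)
    if reason=$(account_ok "$dir" "$target"); then
        printf '%s %s ALLOW %s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$who" "$1" "$target" >&2
        "$@" "$target"
    else
        printf '%s %s DENY %s %s: %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$who" "$1" "$target" "$reason" >&2
        return 1
    fi
}

# Constructed sample modelled on the thread's /etc/passwd and user_attr lines.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
sysadm:x:1382:14::/export/home/sysadm:/bin/pfsh
helpdesk:x:1383:14::/export/home/helpdesk:/bin/sh
dochertr:x:1374:102:IS:/export/home/finuser:/bin/sh
EOF
cat > "$demo/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sysadm::::type=role;profiles=System Administrator
helpdesk::::type=normal;roles=sysadm
EOF
# In the menu the command would be /usr/sbin/userdel or /usr/bin/passwd; echo
# stands in so the demo is harmless. Only dochertr gets through.
for name in dochertr root daemon sysadm helpdesk olduser -r; do
    guarded "$name" "$demo" echo "would run userdel on" || true
done
rm -rf "$demo"
```

In the real menu the call is guarded "$username" /etc /usr/sbin/userdel (passwd and user_attr both live in /etc), run from the role's profile shell so that exec_attr supplies euid 0 for the command itself while the guard decides whether the target is fair game.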

