Working with profile shells

Modified: 08 Sep 2022 04:28 UTC

The pfexec command only works when a user is logged into a profile shell with the proper role and privileges assigned to it. Follow the steps in this topic to configure a profile shell.

About authorizations and roles

Authorization is the mechanism in RBAC used for establishing a granular permission hierarchy. You give users access to commands that require strict privileges by associating them with a specific role or profile through an authorization.

Three rules are fundamental to an RBAC system:

Adding a user to a profile shell

SmartOS comes with a wide range of predefined profiles that you can use out of the box. You can achieve a great deal of security granularity by knowing how to search the profiles for the commands your users need and then adding users to the matching profile. For example, the following instructions show you how to give a new user access to the reboot command.

  1. Create a new user and assign that user a password:

    mkdir -p /export/home
    useradd -m -d /export/home/tester tester
    128 blocks
    passwd tester
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for tester

    Note: In SmartOS, the first user you create is assigned a profile that allows that user to perform all root tasks.

  2. Log out and log in again as the new user.
  3. Look for a profile in exec_attr that already has access to the reboot command:

    $ grep "reboot" /etc/security/exec_attr
    Maintenance and Repair:suser:cmd:::/usr/sbin/reboot:uid=0

    The above query shows a match in the "Maintenance and Repair" profile.

  4. Log in as root and assign the "Maintenance and Repair" rights profile to tester:

    $ su root
    Password:
    # usermod -P 'Maintenance and Repair' tester
    UX: usermod: tester is currently logged in, some changes may not take
    effect until next login.

The "tester" user now has access to the privileged commands available through the "Maintenance and Repair" rights profile. To run these privileged commands, the user only needs to prefix the command with pfexec. For example:

    pfexec reboot

Once a profile is set up, superusers can assign a role to that profile. Users who assume the role that is assigned to that profile can run privileged commands without prefixing the command with pfexec.
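The grep in step 3 only finds entries that name the command literally, but an exec_attr entry can also grant a command through a wildcard id (`*` for all commands, or `/dir/*` for every file in a directory). The following is an added example, not part of the original page: it lists every profile in an exec_attr-format file that would grant a given command. The function names and every sample entry except the "Maintenance and Repair" line are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the rights profiles that grant a command, including
# wildcard entries that a literal grep for the command name would miss.

# profiles_for_cmd FILE /full/path/to/command
# Prints one line per match: profile<TAB>match-kind<TAB>attributes
profiles_for_cmd() {
    awk -F: -v cmd="$2" '
        /^[ \t]*#/ || NF < 7 { next }    # skip comments and malformed lines
        $3 != "cmd"          { next }    # only command entries
        {
            id = $6; kind = ""
            if (id == cmd)       kind = "exact"
            else if (id == "*")  kind = "all-commands"
            else if (id ~ /\/\*$/) {
                # "/dir/*" covers files directly inside /dir
                dir  = substr(id, 1, length(id) - 1)
                rest = substr(cmd, length(dir) + 1)
                if (index(cmd, dir) == 1 && rest != "" && rest !~ /\//)
                    kind = "directory"
            }
            if (kind == "") next
            attrs = $7                   # rejoin attrs if they held a colon
            for (i = 8; i <= NF; i++) attrs = attrs ":" $i
            printf "%s\t%s\t%s\n", $1, kind, (attrs == "" ? "-" : attrs)
        }' "$1"
}

# Constructed sample data; only the first entry appears on this page.
write_sample_exec_attr() {
    cat > "$1" <<'EOF'
# constructed sample entries
Maintenance and Repair:suser:cmd:::/usr/sbin/reboot:uid=0
Example Wide Profile:suser:cmd:::/usr/sbin/*:euid=0
Example Admin Profile:suser:cmd:::*:uid=0
Example Other Profile:suser:cmd:::/usr/sbin/rebootlog:uid=0
EOF
}

sample=$(mktemp)
write_sample_exec_attr "$sample"
profiles_for_cmd "$sample" /usr/sbin/reboot
rm -f "$sample"
```

On a live system, pass /etc/security/exec_attr as the first argument and review every profile listed before choosing which one to assign.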

Setting up a Role

To create a role and modify its attributes, you must log in as an administrator with User Management profile rights. To assign a password to a role or modify the security attributes of a user, you must log in as a user with User Security profile rights. The easiest way to accomplish all of this is to create the role while logged in as the root user.

  1. Log in as an administrator with valid rights to create a role.
  2. Run the roleadd command.

    # roleadd <option> rolename

    For example, the following command creates a local User Administrator with the role name of "useradmin":

    # roleadd -c "User Administrator role, local" -s /usr/bin/pfbash \
    -K profiles="User Security,User Management" useradmin

  3. Run the usermod command.

    # usermod -R role [-S repository] login

    For example, the following command assigns the "useradmin" role to a local user:

    # usermod -R useradmin jdoe-local

  4. Restart the name service cache daemon to apply the changes.

    # svcadm restart system/name-service-cache

  5. Assign a password to the role. You can set the password as a user who is assigned the User Security rights profile. Otherwise, a user who is assigned the role must create it.

    1. Create the password for the role.
      # passwd -r repository rolename
      Password: <Type rolename password>
      Confirm Password: <Retype rolename password>
      #
    2. Alternatively, a user who can assume the role creates a password.
      % su - rolename
      Password: <Type rolename password>
      Confirm Password: <Retype rolename password>
      $