Working with profile shells
The pfexec command only works when a user is logged into a profile shell with the proper role and privileges assigned to it. Follow the steps in this topic to configure a profile shell.
About authorizations and roles
Authorization is the mechanism RBAC uses to establish a granular permission hierarchy. You give users access to commands that require elevated privileges by associating those commands with a specific role or profile through an authorization.
- Commands are assigned to authorizations
- Authorizations are assigned to roles
- Roles are assigned to profiles
Three rules are fundamental to an RBAC system:
- Role assignment: A user can execute a transaction only if the user has selected or been assigned a role. The identification and authentication process (logging in) is not considered a transaction; all other user activity on the system is conducted through transactions. Every active user therefore needs at least one active role.
- Role authorization: A user's active role must be one the user is authorized to hold. Together with the rule above, this ensures that users can take on only roles for which they are authorized.
- Transaction authorization: A user can execute a transaction only if the transaction is authorized for one of the user's assigned roles, subject to any constraints applied across users, roles, and permissions. Together with the two rules above, this ensures that users can execute only transactions for which they are authorized.
Adding a user to a profile shell
SmartOS comes with a wide range of pre-defined profiles you can use out of the box. You can achieve a great deal of security granularity by searching the profiles for the commands your users will need and then adding those users to the matching profile. For example, the following instructions show you how to give a new user access to the reboot command.
- Create a new user and assign that user a password:

  mkdir -p /export/home
  useradd -m -d /export/home/tester tester
  128 blocks
  passwd tester
  New Password:
  Re-enter new Password:
  passwd: password successfully changed for tester

  Note: In SmartOS, the first user you create is assigned a profile that allows that user to perform all root tasks.
- Log out and log in again as the new user.
- Look for a profile in exec_attr that already has access to the reboot command:

  $ grep "reboot" /etc/security/exec_attr
  Maintenance and Repair:suser:cmd:::/usr/sbin/reboot:uid=0
The above query shows a match in the "Maintenance and Repair" profile.
- Log in as root and assign the "Maintenance and Repair" rights profile to tester:

  $ su root
  Password:
  # usermod -P 'Maintenance and Repair' tester
  UX: usermod: tester is currently logged in, some changes may not take effect until next login.
The "tester" user now has access to the privileged commands available through the "Maintenance and Repair" rights profile. To run these privileged commands, the user need only prepend the command with pfexec. For example:

  pfexec reboot
Note: Once a profile is set up, superusers can assign a role to that profile. Users who assume the role assigned to that profile can run its privileged commands without prepending pfexec to the command.
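The exec_attr lookup and the usermod -P assignment above can be checked from the other direction: which profiles grant a given command, and which users or roles carry those profiles. The following script is an added example, not code from the SmartOS documentation; it parses the exec_attr(4) and user_attr(4) formats and runs against constructed sample files so it can be tried offline. On a live system pass /etc/security/exec_attr and /etc/user_attr instead.

```shell
#!/bin/sh
# Added example (not from the SmartOS docs). Reports which rights profiles in an
# exec_attr(4) file grant a command, and which users/roles in a user_attr(4)
# file are assigned a given profile.

# exec_attr fields: name:policy:type:res1:res2:id:attr
# Prints "profile<TAB>id<TAB>attr" for entries whose id matches the command
# (full path or basename); an id of "*" (the All profile) matches everything.
profiles_for_cmd() {
    awk -F: -v cmd="$1" '
        /^#/ || NF < 6 { next }
        { id = $6; base = id; sub(/.*\//, "", base) }
        id == cmd || base == cmd || id == "*" { printf "%s\t%s\t%s\n", $1, id, $7 }
    ' "$2"
}

# user_attr fields: user:qualifier:res1:res2:attr, attr is key=value;key=value
# and the profiles= value is a comma-separated list. Prints matching user names.
users_with_profile() {
    awk -F: -v prof="$1" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "profiles=") != 1) continue
                m = split(substr(kv[i], 10), p, ",")
                for (j = 1; j <= m; j++) if (p[j] == prof) { print $1; next }
            }
        }
    ' "$2"
}

# Constructed sample files, modelled on the real formats; removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/exec_attr" <<'EOF'
Maintenance and Repair:suser:cmd:::/usr/sbin/reboot:uid=0
Maintenance and Repair:suser:cmd:::/usr/sbin/halt:uid=0
User Management:suser:cmd:::/usr/sbin/useradd:uid=0
All:suser:cmd:::*:
EOF
cat > "$SAMPLE_DIR/user_attr" <<'EOF'
root::::auths=solaris.*;profiles=All;lock_after_retries=no
tester::::profiles=Maintenance and Repair,Basic Solaris User
useradmin::::type=role;profiles=User Security,User Management
jdoe-local::::roles=useradmin
EOF

echo "Profiles granting reboot:"
profiles_for_cmd reboot "$SAMPLE_DIR/exec_attr"
echo "Users/roles assigned 'Maintenance and Repair':"
users_with_profile "Maintenance and Repair" "$SAMPLE_DIR/user_attr"
```

The third column shows the attributes applied when the command runs under pfexec, so an empty attr (as for the All profile) means no privilege escalation even though the command matches.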
Setting up a Role
Note: To create a role and modify its attributes, you must log in as an administrator with User Management profile rights. To assign a password to a role or modify the security attributes of a user, you must log in as a user with User Security profile rights. The easiest way to accomplish all of this is to create the role while logged in as the root user.
- Log in as an administrator with valid rights to create a role.
- Run the roleadd command:

  # roleadd <option> rolename

  For example, the following command creates a local User Administrator with the role name of "useradmin":

  # roleadd -c "User Administrator role, local" -s /usr/bin/pfbash \
      -K profiles="User Security,User Management" useradmin
- Run the usermod command:

  # usermod -R role [-S repository] login

  For example, the following command assigns the "useradmin" role to a local user:

  # usermod -R useradmin jdoe-local
- Restart the name service cache daemon to apply the changes:

  # svcadm restart system/name-service-cache
- Assign a password to the role. You can set the password as a user who is assigned the User Security rights profile. Otherwise, a user who is assigned the role must create it.
  - Create the password for the role:

    # passwd -r repository rolename
    Password: <Type rolename password>
    Confirm Password: <Retype rolename password>
    #

  - Alternatively, a user who can assume the role creates the password:

    % su - rolename
    Password: <Type rolename password>
    Confirm Password: <Retype rolename password>
    $