I was recently charged with setting up RBAC so that the group I work
with will 'su to root' less often.
The first project I've picked is to either establish a role and/or
profile that will allow a normal user to start and stop our
webservers. Here is what I came up with, bypassing the concept of a
'role'...
1) I created a profile called "Web Administration"
in /etc/security/prof_attr
Web Administration:::Role for restarting webservers::
2) I gave the profile the ability to run the start and stop webserver
scripts as root:
in /etc/security/exec_attr
Web Administration:suser:cmd:::/opt/app/iplanet/https-myserver/start:uid=0
Web Administration:suser:cmd:::/opt/app/iplanet/https-myserver/stop:uid=0
3) I then added the role to my account on the server in /etc/user_attr:
jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
user account I can start and restart our webservers.
My questions are, is this a normal practice (are there other people
doing it) and is it supported? What unintended consequences am I
missing? I understand that if a user's account is compromised, the
webserver services can be stopped and started at-will. I also
understand that our sysadmin group will be restricted to using
pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
leave those set, type 'exec pfsh' and then do what we need to do as
the Profile.)
I was recently charged with setting up RBAC so that the group I work
with will 'su to root' less often.
The first project I've picked is to either establish a role and/or
profile that will allow a normal user to start and stop our
webservers. Here is what I came up with, bypassing the concept of a
'role'...
1) I created a profile called "Web Administration"
in /etc/security/prof_attr
Web Administration:::Role for restarting webservers::
2) I gave the profile the ability to run the start and stop webserver
scripts as root:
in /etc/security/exec_attr
Web Administration:suser:cmd:::/opt/app/iplanet/https-myserver/start:uid=0
Web Administration:suser:cmd:::/opt/app/iplanet/https-myserver/stop:uid=0
3) I then added the role to my account on the server in /etc/user_attr:
jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
user account I can start and restart our webservers.
My questions are, is this a normal practice (are there other people
doing it) and is it supported? What unintended consequences am I
missing? I understand that if a user's account is compromised, the
webserver services can be stopped and started at-will. I also
understand that our sysadmin group will be restricted to using
pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
leave those set, type 'exec pfsh' and then do what we need to do as
the Profile.)
Thanks!
--
-Jon
Jonathan Katz -- J. Random BOFH
[ reply ]