If you’ve ever used role-based access control (RBAC) in Solaris, you know how useful it can be in managing user accounts and access to system-level functionality. Here’s a brief synopsis of how RBAC works and what you can expect to see in /etc/user_attr:
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr.txt 1.9 07/10/17 SMI"
#
adm::::profiles=Log Management
jondoe::::type=normal;roles=addSoftware
addSoftware::::type=role;profiles=Software Installation,All
janedone::::type=normal;roles=addSoftware
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
mrsmith::::type=normal;roles=addSoftware
In this example we have a “role” called “addSoftware” and several users with access to that role. Rights profiles available for assignment are listed in /etc/security/prof_attr, and in there you will see “Software Installation” as an available profile:
Software Installation:::Add application software to the system:help=RtSoftwareInstall.html;auths=solaris.admin.prodreg.read,solaris.admin.prodreg.modify,solaris.admin.prodreg.delete,solaris.admin.dcmgr.admin,solaris.admin.dcmgr.read,solaris.admin.patchmgr.*,solaris.smf.manage.servicetags
Assigning users this role allows them to use software installation and removal commands such as “pkginfo”, “pkgadd”, and “pkgrm”, to name a few.
Root, on the other hand, has access to the “All” profile. Lord knows what someone could do with that!
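To review these assignments on a real system, the user_attr entries can be parsed and cross-checked. The following is an added example, not part of the original post: it reads the colon- and semicolon-delimited format shown above, maps each role to its members and profiles, and goes slightly beyond the text by flagging wildcard authorizations and references to undefined roles. The function names are hypothetical, and SAMPLE is the listing from this page.

```python
# Added example: audit a Solaris user_attr(4) file. SAMPLE is the listing from
# this page; parse_user_attr() and audit() are hypothetical helper names.
SAMPLE = """\
# /etc/user_attr
adm::::profiles=Log Management
jondoe::::type=normal;roles=addSoftware
addSoftware::::type=role;profiles=Software Installation,All
janedone::::type=normal;roles=addSoftware
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
mrsmith::::type=normal;roles=addSoftware
"""

LIST_KEYS = {"auths", "profiles", "roles"}  # comma-separated attributes

def parse_user_attr(text):
    """Return {name: {key: value}} for user:qualifier:res1:res2:attr entries."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":", 4)
        if line.lstrip().startswith("#") or len(fields) != 5:
            continue  # comment, blank or malformed line
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key] = value.split(",") if key in LIST_KEYS else value
        entries[fields[0]] = attrs
    return entries

def audit(entries):
    """Map roles to members and profiles; flag wildcard auths and undefined roles."""
    roles = {n: {"members": [], "profiles": a.get("profiles", [])}
             for n, a in entries.items() if a.get("type") == "role"}
    findings = []
    for name, attrs in entries.items():
        for role in attrs.get("roles", []):
            if role in roles:
                roles[role]["members"].append(name)
            else:
                findings.append(f"{name}: role '{role}' is not defined as type=role")
        for auth in attrs.get("auths", []):
            if auth.endswith("*"):
                findings.append(f"{name}: wildcard authorization {auth}")
    return roles, findings

if __name__ == "__main__":
    print(audit(parse_user_attr(SAMPLE)))
```

On a live host, pass the contents of /etc/user_attr to parse_user_attr() instead of SAMPLE.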