Tuesday, November 29, 2016

Solaris 10 - RBAC --> Giving user a read only access to a directory



Giving a user read-only access to a directory in Solaris 10
1. Create a user account
# useradd -d /export/home/jmiles -m -c "John  Miles" -s /bin/bash jmiles
# passwd jmiles
# passwd -f jmiles
# groups jmiles
other
2. Enable cac login
# vi /etc/passwd-login.allow
# vi /etc/cac-login.allow
# id abinitio
uid=1006(abinitio) gid=102(dba)
Note: record the UID of the abinitio user; it is referenced in exec_attr below.
^^^^^^^^^^^^^^^^^^^ RBAC ^^^^^^^^^^^^^^
3a. Create a role
# roleadd -c "Abinitio Read only access" -u 5006 -d /export/home/abinitio_ro -m abinitio_ro
# passwd abinitio_ro
# tail -f /etc/user_attr
3b. Create a profile and add the privileged commands to it
# cd /etc/security
# cp -p prof_attr prof_attr.11292016
# cp -p exec_attr exec_attr.11292016
# vi prof_attr
Add the line below:
Abinitio_ro:::Abinitio Read Only Rights:
# grep Abinitio_ro /etc/security/prof_attr
Abinitio_ro:::Abinitio Read Only Rights:
# vi exec_attr
# grep Abinitio_ro /etc/security/exec_attr
Abinitio_ro:suser:cmd:::/usr/bin/cat:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/more:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/less:uid=1006

4. Assign profile to the role and add role to the user
# rolemod -P Abinitio_ro abinitio_ro
# usermod -R abinitio_ro jmiles
Repeat the usermod for each additional user who needs the role.

5. Verify the entry
# tail -f /etc/user_attr
abinitio_ro::::type=role;profiles=Abinitio_ro
jmiles::::type=normal;roles=abinitio_ro
kbhusal::::type=normal;roles=abinitio_ro
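To check the resulting chain end to end (user, role, profile, exec_attr command and uid) instead of reading each file by eye, here is an added Python script that is not part of the original post; the three file bodies it parses are constructed copies of the entries shown above, and nested profs= entries are followed as well.

```python
# Added example, not from the original post; the file bodies below are constructed copies of this page's entries.
# Resolves which commands a user can run, and as which uid, via user_attr -> roles -> prof_attr -> exec_attr.
USER_ATTR = """\
abinitio_ro::::type=role;profiles=Abinitio_ro
jmiles::::type=normal;roles=abinitio_ro
kbhusal::::type=normal;roles=abinitio_ro
"""
PROF_ATTR = "Abinitio_ro:::Abinitio Read Only Rights:\n"
EXEC_ATTR = """\
Abinitio_ro:suser:cmd:::/usr/bin/cat:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/more:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/less:uid=1006
"""

def parse_attrs(text):
    """Parse a key=val;key=val attribute field; list-valued keys split on ','."""
    out = {}
    for kv in filter(None, text.strip().split(";")):
        key, _, val = kv.partition("=")
        out[key] = val.split(",") if key in ("roles", "profiles", "profs", "auths") else val
    return out

def parse_db(text, nfields):
    rows = {}  # name -> list of field rows (one RBAC database line each)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":", nfields - 1)
            rows.setdefault(fields[0], []).append(fields)
    return rows

def commands_for_user(user, user_attr=USER_ATTR, prof_attr=PROF_ATTR, exec_attr=EXEC_ATTR):
    """Return {command: uid or None} reachable by user through its roles and profiles."""
    users, profs, execs = parse_db(user_attr, 5), parse_db(prof_attr, 5), parse_db(exec_attr, 7)
    todo, seen, result = [], set(), {}
    for row in users.get(user, []):
        attrs = parse_attrs(row[4])
        todo += attrs.get("profiles", [])           # profiles granted directly
        for role in attrs.get("roles", []):          # plus those of assumable roles
            for rrow in users.get(role, []):
                todo += parse_attrs(rrow[4]).get("profiles", [])
    while todo:
        prof = todo.pop()
        if prof not in seen:
            seen.add(prof)
            for row in profs.get(prof, []):          # follow nested profs= entries
                todo += parse_attrs(row[4]).get("profs", [])
            for row in execs.get(prof, []):          # cmd rows: field 6 is the path
                if row[2] == "cmd":
                    result[row[5]] = parse_attrs(row[6]).get("uid")
    return result
```

Run it against the live files with `commands_for_user("jmiles", open("/etc/user_attr").read(), open("/etc/security/prof_attr").read(), open("/etc/security/exec_attr").read())` to confirm only cat, more and less are reachable, all as uid 1006.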
6. When the user assumes the role, it prompts for the role password. So, allow the user to access the role without supplying a password.
a. Using sudo
Create a user alias and allow the user to su to the role user without a password.
# visudo
user alias
User_Alias ABINITIO_RO = jmiles
User privilege
ABINITIO_RO ALL=NOPASSWD: /usr/bin/su - abinitio_ro
b. Using RBAC
Enable a user to use their own password to assume a role:
# rolemod -K roleauth=user rolename
The roleauth key accepts only the values user or role (the default), so a user name such as jmiles is not a valid value; this key is the Solaris 11 mechanism and is not available on Solaris 10.
Note: we are using sudo for this task.
7. Change the directory permissions so that others get the read and execute bits (the role can then list and traverse the directories). Note that o+rx grants this to every account on the system, not only to the role.
# cd /data/abinitio/sd/ai_data_mount/data/serial
# find . -type f -perm 770 -print
# find . -type f -perm 660 -print
# find . -type d -print | more
# find . -type d -print -exec ls -l {} \; | more
# find . -type d -print -exec ls -ld {} \; | more
# find . -type d -perm -005  -exec ls -ld {} \; | more
# find . -type d ! -perm -005  -exec ls -ld {} \; | more
# find . -type d ! -perm -005  -exec chmod o+rx {} \;
# find . -type d ! -perm -005  -exec ls -ld {} \; | more

Now log in as the normal user and run the following commands:
$ profiles abinitio_ro
$ profiles -l abinitio_ro
$ roles
and assume the role:
$ sudo su - abinitio_ro
