Thursday, December 22, 2016

Solaris 10 - RBAC - granting read only access to files and directories using RBAC and sudo



Giving a user read-only access to a directory in Solaris 10
1. Create a user account
# useradd -d /export/home/sam -m -c "Sam Sharma" -s /bin/bash sam
# passwd sam
# passwd -f sam
# groups sam
other
2. Enable login for the account
# vi /etc/passwd-login.allow
# vi /etc/cac-login.allow
(These allow-list files are local to this environment; they are not part of stock Solaris 10.)
Next, look up the UID of the account that owns the data. The rights profile built below runs the read-only commands as this UID.
# id abinitio
uid=1006(abinitio) gid=102(dba)
Note: Record the UID of the user.
^^^^^^^^^^^^^^^^^^^ RBAC ^^^^^^^^^^^^^^
3a. Create a role
# roleadd -c "Abinitio Read only access" -u 5006 -d /export/home/abinitio_ro -m abinitio_ro
# passwd abinitio_ro
# tail /etc/user_attr
roleadd gives the role a profile shell (/bin/pfsh) as its login shell; the exec_attr entries below only take effect for commands started from that shell.
3b. Create a rights profile and add the commands to it
# cd /etc/security
# cp -p prof_attr prof_attr.11292016
# cp -p exec_attr exec_attr.11292016
# vi prof_attr and add the line below (format: name:res1:res2:description:attr)
Abinitio_ro:::Abinitio Read Only Rights:
# grep Abinitio_ro /etc/security/prof_attr
Abinitio_ro:::Abinitio Read Only Rights:
# vi exec_attr and add the lines below (format: name:policy:type:res1:res2:id:attr)
# grep Abinitio_ro /etc/security/exec_attr
Abinitio_ro:suser:cmd:::/usr/bin/cat:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/more:uid=1006
Abinitio_ro:suser:cmd:::/usr/bin/less:uid=1006
Caveat: uid=1006 makes each listed command run as the abinitio account, and both more and less can escape to a shell (the ! command; less also opens an editor with v). Anyone who can assume this role can therefore obtain a full shell as UID 1006, not just read access. If that is not acceptable, grant only /usr/bin/cat.

4. Assign the profile to the role and add the role to the user
# rolemod -P Abinitio_ro abinitio_ro
# usermod -R abinitio_ro sam
Repeat the usermod for every user who needs the role. On Solaris 10, -R replaces the user's entire role list, so list every role the user should keep, comma-separated.

5. Verify the entries
# tail /etc/user_attr
abinitio_ro::::type=role;profiles=Abinitio_ro
sam::::type=normal;roles=abinitio_ro
kbhusal::::type=normal;roles=abinitio_ro
6. When a user assumes the role with su, su prompts for the role's password. To let the user assume the role without supplying it, use one of the following.
a. Using sudo
Create a user alias and allow its members to su to the role account without a password.
# visudo
User alias:
User_Alias ABINITIO_RO = sam
User privilege specification:
ABINITIO_RO ALL=NOPASSWD: /usr/bin/su - abinitio_ro
The rule matches only that exact command line, so sam cannot pass extra arguments to su. Keep in mind that NOPASSWD means anyone who takes over sam's session also gets the role; sudo still logs each use.
b. Using RBAC
Enable a user to use their own password to assume a role:
# rolemod -K roleauth=user rolename
The roleauth keyword accepts only the values user or role (the default), not a user name, and it was introduced in Solaris 11, so it is not available on Solaris 10.
Note: we are using sudo for this task.
7. Add read and execute bits on the directories so the role can traverse and list them.
The profile commands run as UID 1006, but cd and ls in the role's shell run as the role itself, so the role needs directory access of its own. Granting o+rx provides that, but it also lets every user on the system list those directories. A narrower option is to add /usr/bin/ls to the rights profile as well; then ls and cat both run as UID 1006 and can reach the files by full path without changing any directory modes.
# cd /data/abinitio/sd/ai_data_mount/data/serial
# find . -type f -perm 770 -print
# find . -type f -perm 660 -print
# find . -type d -print | more
# find . -type d -print -exec ls -l {} \; | more
# find . -type d -print -exec ls -ld {} \; | more
# find . -type d -perm -005  -exec ls -ld {} \; | more
# find . -type d ! -perm -005  -exec ls -ld {} \; | more
# find . -type d ! -perm -005  -exec chmod o+rx {} \;
# find . -type d ! -perm -005  -exec ls -ld {} \; | more

Verify as root:
# profiles abinitio_ro
# roles sam
Now log in as the normal user and run the following commands
$ profiles abinitio_ro
$ profiles -l abinitio_ro
$ roles
and assume the role
$ sudo su - abinitio_ro
In the role's shell, profiles -l shows the granted commands, and cat, more and less of files owned by abinitio now run as UID 1006.
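Before handing the role out, it is worth checking the three RBAC files for the two mistakes this procedure invites: a profile name referenced in user_attr that has no prof_attr entry, and a read-only profile that actually grants a shell through a command with an escape. The script below is an added example, not part of the original post or of Solaris; the function names, the ESCAPE_CMDS list, and the sample prof_attr/exec_attr/user_attr contents (which mirror the entries above plus a deliberate typo, Typo_prof, and an extra profile, Ls_only_ro) are constructed for illustration. It only parses the file formats, so it runs anywhere with a POSIX shell and awk; on a real system point the functions at /etc/security/exec_attr and friends.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check RBAC entries of the
# kind created above. Understands the prof_attr(4), exec_attr(4) and
# user_attr(4) colon-separated formats. Sample data below is constructed.

# Commands whose interactive mode can spawn a shell or editor (assumption of
# this example, not a Solaris-provided list).
ESCAPE_CMDS="less more pg vi vim view ex man"

# rbac_exec_attr_lines PROFILE UID CMD...
#   -> exec_attr entries in name:policy:type:res1:res2:id:attr form
rbac_exec_attr_lines() {
    prof=$1; uid=$2; shift 2
    for c in "$@"; do
        printf '%s:suser:cmd:::%s:uid=%s\n' "$prof" "$c" "$uid"
    done
}

# rbac_profile_cmds EXEC_ATTR PROFILE -> the command paths PROFILE grants
rbac_profile_cmds() {
    awk -F: -v p="$2" '$1 == p && $3 == "cmd" { print $6 }' "$1"
}

# rbac_flag_escapes EXEC_ATTR PROFILE -> prints commands in PROFILE that can
#   drop the caller into a shell as the target uid; returns 1 if any exist
rbac_flag_escapes() {
    found=0
    for cmd in $(rbac_profile_cmds "$1" "$2"); do
        base=$(basename "$cmd")
        for e in $ESCAPE_CMDS; do
            [ "$base" = "$e" ] && { echo "$cmd"; found=1; }
        done
    done
    return $found
}

# rbac_missing_profiles USER_ATTR PROF_ATTR -> "user: profile" for every
#   profile referenced in user_attr that has no definition in prof_attr
rbac_missing_profiles() {
    awk -F: '
        FNR == NR { defined[$1] = 1; next }      # first file: prof_attr names
        /^#/ || NF < 5 { next }                  # second file: user_attr
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i])
                    m = split(kv[i], pl, ",")
                    for (j = 1; j <= m; j++)
                        if (!(pl[j] in defined)) print $1 ": " pl[j]
                }
        }' "$2" "$1"
}

# --- constructed sample data mirroring this post (plus one typo) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SAMPLE_PROF=$TMPD/prof_attr
SAMPLE_EXEC=$TMPD/exec_attr
SAMPLE_USER=$TMPD/user_attr

printf 'Abinitio_ro:::Abinitio Read Only Rights:\n' > "$SAMPLE_PROF"
rbac_exec_attr_lines Abinitio_ro 1006 /usr/bin/cat /usr/bin/more /usr/bin/less > "$SAMPLE_EXEC"
rbac_exec_attr_lines Ls_only_ro 1006 /usr/bin/ls /usr/bin/cat >> "$SAMPLE_EXEC"
cat > "$SAMPLE_USER" <<'EOF'
abinitio_ro::::type=role;profiles=Abinitio_ro
sam::::type=normal;roles=abinitio_ro
broken_ro::::type=role;profiles=Abinitio_ro,Typo_prof
EOF

echo "Commands granted by Abinitio_ro:"
rbac_profile_cmds "$SAMPLE_EXEC" Abinitio_ro
echo "Shell-escape capable commands in Abinitio_ro:"
rbac_flag_escapes "$SAMPLE_EXEC" Abinitio_ro || echo "WARNING: role holders can get a shell as uid 1006"
echo "Profiles referenced in user_attr but not defined in prof_attr:"
rbac_missing_profiles "$SAMPLE_USER" "$SAMPLE_PROF"
```

Run against the sample data, the escape check flags /usr/bin/more and /usr/bin/less (so the "read only" profile as written is really a shell grant), the Ls_only_ro profile passes clean, and the consistency check reports the undefined Typo_prof on broken_ro. The same functions work on the live files once you drop the sample-data section.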

Related one-liners to restrict a tree to its owner and group only (directories 750, files 640):
find folder -type d -exec chmod 750 "{}" \;
find folder -type f -exec chmod 640 "{}" \;
