Using Solaris RBAC
Ross Oliver
The UNIX administration model of a single, all-powerful superuser is a
troublesome limitation in many network computing environments. Sys admins often
need to delegate selected administration tasks without granting unrestricted superuser
powers. The sudo utility (http://www.courtesan.com/sudo/)
is a longtime favorite for fulfilling this function. However, some organizations
prohibit the use of freeware software tools, especially for such a
critical security function. For Solaris sys admins who find themselves in this
situation, there is now an alternative.
Role-Based Access Control (RBAC) was introduced in Solaris 8. Adopted from Sun's Trusted Solaris offering, RBAC has its roots in military and government computing systems where operations are more tightly controlled than in a typical commercial UNIX environment. Like sudo, RBAC gives sys admins the flexibility to grant users superuser privileges on a per-command basis.
To show how RBAC can be used as a substitute for sudo, I will begin with an example sudoers file, then replicate the same configuration using RBAC. Here is the example sudoers file:
# Who may be granted privileges
User_Alias SENIORADMIN = reo, tmiller, jbuffet
User_Alias ADMIN = jkim, sfox, dmarch
User_Alias OPERATOR = agrove, bgates, smcnealy
User_Alias WEBMASTER = crobin, elim
User_Alias DBMASTER = lellison
# Identities commands may be run as
Runas_Alias OP = root, bin
Runas_Alias DB = dbadmin, db
Runas_Alias WEB = webadmin, web
# Command groups
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/ufsdump, \
    /usr/sbin/ufsrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINT = /usr/sbin/lpadmin, \
    /usr/bin/lpsched, \
    /usr/lib/lpshut
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown, \
    /usr/sbin/halt, \
    /usr/sbin/reboot
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELL = /usr/bin/su
Cmnd_Alias WEBADMIN = /usr/local/bin/httpd
Cmnd_Alias DBADMIN = /usr/local/bin/dbstart, \
    /usr/local/bin/dbstop, \
    /usr/local/bin/dbdump, \
    /usr/local/bin/dbload
Cmnd_Alias USERADMIN = /usr/sbin/useradd, \
    /usr/sbin/userdel, \
    /usr/sbin/usermod
# Who may run what; the host field is ALL throughout (no per-host restrictions)
SENIORADMIN ALL = ALL
OPERATOR ALL = DUMPS, KILL, SHUTDOWN
ADMIN ALL = DUMPS, KILL, SHUTDOWN, USERADMIN, PRINT
WEBMASTER ALL = (WEB) WEBADMIN
DBMASTER ALL = (DB) DBADMIN
Note that there are no Host_alias entries or references to specific
hosts.
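To make the sudoers-to-RBAC mapping concrete, here is an added example (written for this page, not the author's code) that parses a constructed excerpt of the sudoers file above and emits the equivalent Solaris 8 prof_attr(4), exec_attr(4) and user_attr(4) lines, one RBAC profile per Cmnd_Alias. It assumes the "suser" policy used by Solaris 8 and, because exec_attr fixes a single uid per command where sudo's Runas_Alias lets the caller pick one, takes the first Runas member.

```python
import re
# Constructed sudoers excerpt modelled on the article's example (a subset, not the full file)
SUDOERS = """\
User_Alias OPERATOR = agrove, bgates, smcnealy
User_Alias DBMASTER = lellison
Runas_Alias DB = dbadmin, db
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/ufsdump, \\
    /usr/sbin/ufsrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias DBADMIN = /usr/local/bin/dbstart, /usr/local/bin/dbstop
OPERATOR ALL = DUMPS, KILL
DBMASTER ALL = (DB) DBADMIN
"""
ALIAS_RE = re.compile(r"(User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)")
SPEC_RE = re.compile(r"(\w+)\s+ALL\s*=\s*(?:\((\w+)\)\s*)?(.*)")  # "USERS ALL = (RUNAS) CMDS"

def split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse_sudoers(text):
    """Return (aliases, specs); a spec is (user_alias, runas_alias_or_None, [cmnd_aliases])."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # fold backslash-continued lines
        line = line.split("#", 1)[0].strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((m.group(1), m.group(2), split_list(m.group(3))))
    return aliases, specs

def to_rbac(text):
    """Map each Cmnd_Alias to an RBAC profile: prof_attr, exec_attr (policy 'suser') and user_attr lines."""
    aliases, specs = parse_sudoers(text)
    prof_attr, exec_attr, profiles_of = [], [], {}
    for user_alias, runas, cmnd_aliases in specs:
        # sudo lets the caller choose any Runas member; exec_attr fixes one uid per command,
        # so this example (by assumption) takes the first member, and uid 0 when no Runas is given
        uid = aliases["Runas_Alias"][runas][0] if runas else "0"
        for ca in cmnd_aliases:
            prof_attr.append(f"{ca}:::sudo Cmnd_Alias {ca}:")
            for cmd in aliases["Cmnd_Alias"][ca]:
                exec_attr.append(f"{ca}:suser:cmd:::{cmd}:uid={uid}")
            for user in aliases["User_Alias"][user_alias]:
                profiles_of.setdefault(user, []).append(ca)
    user_attr = [f"{u}::::type=normal;profiles={','.join(p)}" for u, p in profiles_of.items()]
    return prof_attr, exec_attr, user_attr
```

The generated lines are only honoured when the user runs the command through a profile shell (pfsh) or pfexec, which is the RBAC counterpart of prefixing a command with sudo.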