UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Archive of 'Jan, 2009'

Solaris RBAC configuration 1 comment

RBAC is Roles Based Access Control for Solaris. It’s similar to sudo in that it allows you to let specific users enhance their privileges to run specific tasks.

RBAC has been around in Solaris for a long, long time. It’s matured nicely and is now very accessible and usable – once you get your head round the concepts. It’s very powerful and it’s an under-used framework which really needs to be understood more.

Unlike sudo RBAC can be integrated into NIS or LDAP, and provides a much more comprehensive framework out of the box for doing things.

The basic tasks to setup RBAC are:

  1. define a ‘Profile’ in prof_attr
  2. tie specific commands to that profile in exec_attr
  3. tie specific authorisations to that profile in auth_attr
  4. tie the profile to a role, then that role to a user(s) in user_attr
  5. or tie the profile directly to a user in user_attr

There are some tradeoffs between using Roles vs. adding Profiles to user:

  • Roles require a user to su to another user to execute the command
  • when many users need to do the same thing that requires several different Profiles, it’s easier to change the Role once to add more Profiles than to edit many users to add the same extra Profiles to all of them
  • easier to track who has access to what by using Roles rather than assigning things direct to users

Personally, when doing more than one thing, I like to define a Role, and then make users su to that Role. It makes management and scalability that much easier, and also more clearly defines who can do what.

It also continues the paradigm of having to su to another user to gain extra privileges. Keeping things working the same as they have done previously is the easiest way to introduce new methods of working, and new technologies, to the users whilst avoiding complaints :-)

In the next few posts I’ll cover some basic RBAC setup, and then adding RBAC configuration to allow a non-privileged user to control Solaris services via SMF.

Tape Devices in Solaris Comments Off on Tape Devices in Solaris

Yes, people out there are still using tape – and in fact in certain situations tape still has many advantages over disk backup or site replication. One of the many quirks with Solaris is how tape devices are addressed, so in this post I’m going to quickly cover the options.

Solaris tape devices all live under /dev/rmt, where rmt stands for Raw Magnetic Tape device.

First tape device name: /dev/rmt/0
Second tape device name: /dev/rmt/1

Each tape device also has special characters added after it to specify density and the characteristics of the drive that you want to use.

So the actual format you’d use to address a drive would be /dev/rmt/XY, where:

  • X is tape drive number such as 0, 1 etc.
  • Y can be any one of following
    • l – Low density
    • m – Medium density
    • h – High density
    • u – Ultra density
    • c – Compressed density
    • n – No rewinding

It’s actually pretty straightforward. If you want to use tar to backup to your first tape drive, using compressing, and not rewinding the media afterwards (so you can append to the backup), you’d use the device /dev/rmt/0cn

On top of this, Solaris comes with a utility called mt, which is used to carry out some simple tape operations.

mt takes the -f option to specific which device it should talk to, and it then mainly used for these three options:

  1. Rewinding a tape
    # mt –f /dev/rmt/0 rewind
    
  2. Display the status of a tape drive
    # mt –f /dev/rmt/0 status
    
  3. Retensioning a tape
    # mt –f /dev/rmt/0 retension
    

Most people will have some sort of front end software to handle their tape backups – Oracle RMAN, Networker, Netbackup or similar – but if you need to do a quick test, or are just using tar or another backup utility, then this post should point you in the right direction.

Top of page / Subscribe to new Entries (RSS)