Allowing Normal Users to Manage SMF Services: Part 1
RBAC doesn’t just let you give mortal users the power to execute commands as a privileged user – it can also be used to allow them power over other areas of the Solaris OE. A recurring task is allowing a normal user the power to start/stop an SMF service.
In this example I’ll work through how to allow a non-privileged user to manage the SMF service used by the Sun Management Centre (SMC) agent. We do this by modifying the SMF service to add an authorisation, and then defining with RBAC who is able to use that authorisation.
Setting up RBAC for this will involve modifying three of the RBAC configuration files:
- /etc/security/prof_attr (where RBAC Profiles are defined)
- /etc/security/auth_attr (where authorisations used by RBAC are defined)
- /etc/user_attr (where user attributes are defined)
First of all, we need to edit /etc/security/prof_attr to add a new profile for the SMC agent. The syntax is simple: the name of the profile, a description, and then any authorisations that are needed. Adding the following line will do the trick:
SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent
Authorisations are extra tags that are added to an SMF service’s properties – they’re the ‘glue’ that ties together the profile and the SMF service.
Next up we need to add a definition for the new authorisation, by editing /etc/security/auth_attr and adding the following line:
solaris.smf.manage.sunmcagent:::Manage SunMC Agent::
Finally, we edit /etc/user_attr to add in a new role, and then assign our newly created SMC Profile to the role. Add the following line to the file:
Also within /etc/user_attr we need to assign the role to our users. Add in an entry for each user you want to be able to use the role, like this:
The final stage required to set up RBAC is to add the role details to /etc/passwd and to add a group entry to /etc/group. This should be standard stuff, so I’ll just show the lines added to each file:
smcmgmt:x:10003:10003:SunMC Management RBAC Role:/export/home/smcmgmt:/bin/pfksh
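To see how the pieces above fit together, here is an added example that is not part of the original post: a small POSIX shell script that writes the entries from this post into a scratch directory and cross-checks that the chain user -> role -> profile -> authorisation resolves. The user_attr role and user lines and the /etc/group line are reconstructed from the documented user_attr(4) and group(4) formats and are assumptions; the user name "alice" and the scratch paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: reconstruct the full set of RBAC
# entries for the SunMC role in a scratch directory and cross-check that the
# chain user -> role -> profile -> authorisation resolves.
# Assumptions: the user_attr lines follow the user_attr(4) format, the group
# line follows group(4), and "alice" is a constructed sample user. The file
# names mirror /etc/security/prof_attr, /etc/security/auth_attr,
# /etc/user_attr, /etc/passwd and /etc/group.

write_sample_rbac() {   # $1 = directory to populate
    cat > "$1/prof_attr" <<'EOF'
SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent
EOF
    cat > "$1/auth_attr" <<'EOF'
solaris.smf.manage.sunmcagent:::Manage SunMC Agent::
EOF
    # Role entry plus one user entry (assumed format, constructed user).
    cat > "$1/user_attr" <<'EOF'
smcmgmt::::type=role;profiles=SunMC Management
alice::::type=normal;roles=smcmgmt
EOF
    cat > "$1/passwd" <<'EOF'
smcmgmt:x:10003:10003:SunMC Management RBAC Role:/export/home/smcmgmt:/bin/pfksh
EOF
    # Group entry for the role (assumed).
    cat > "$1/group" <<'EOF'
smcmgmt::10003:
EOF
}

# has_entry FILE NAME: true if a line whose first colon-field is NAME exists.
has_entry() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# attr_value FILE NAME KEY: print the value of KEY=... from the ';'-separated
# attribute field (field 5) of the entry NAME. Empty if absent.
attr_value() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2)
        }' "$1"
}

# check_role DIR ROLE: the role exists in user_attr with type=role, has a
# passwd and group entry, every profile it lists exists in prof_attr, and
# every authorisation those profiles grant exists in auth_attr.
check_role() {
    dir=$1; role=$2; rc=0
    [ "$(attr_value "$dir/user_attr" "$role" type)" = role ] || { echo "$role: no type=role entry in user_attr"; return 1; }
    has_entry "$dir/passwd" "$role" || { echo "$role: no passwd entry"; rc=1; }
    has_entry "$dir/group"  "$role" || { echo "$role: no group entry";  rc=1; }
    profs=$(attr_value "$dir/user_attr" "$role" profiles)
    saved_ifs=$IFS; IFS=','          # profile names may contain spaces
    for prof in $profs; do
        IFS=$saved_ifs
        if has_entry "$dir/prof_attr" "$prof"; then
            auths=$(attr_value "$dir/prof_attr" "$prof" auths)
            IFS=','
            for auth in $auths; do
                IFS=$saved_ifs
                has_entry "$dir/auth_attr" "$auth" || { echo "$prof: authorisation '$auth' not in auth_attr"; rc=1; }
            done
            IFS=$saved_ifs
        else
            echo "$role: profile '$prof' not in prof_attr"; rc=1
        fi
    done
    IFS=$saved_ifs
    return $rc
}

# check_user DIR USER: the user exists with type=normal and every role it is
# allowed to assume passes check_role.
check_user() {
    udir=$1; user=$2; urc=0
    [ "$(attr_value "$udir/user_attr" "$user" type)" = normal ] || { echo "$user: no type=normal entry in user_attr"; return 1; }
    uroles=$(attr_value "$udir/user_attr" "$user" roles)
    [ -n "$uroles" ] || { echo "$user: no roles assigned"; return 1; }
    usaved=$IFS; IFS=','
    for r in $uroles; do
        IFS=$usaved
        check_role "$udir" "$r" || urc=1
    done
    IFS=$usaved
    return $urc
}

# Stand-alone demo: build the sample files and run the checks.
demo_dir=$(mktemp -d)
write_sample_rbac "$demo_dir"
if check_user "$demo_dir" alice; then
    echo "alice -> smcmgmt -> 'SunMC Management' -> solaris.smf.manage.sunmcagent: all entries resolve"
fi
rm -rf "$demo_dir"
```

On a live Solaris box the same chain can be confirmed with the standard commands `roles alice`, `profiles smcmgmt` and `auths smcmgmt`; the script above is only an offline way to catch a typo in one of the five files (a misspelled profile name in user_attr, or an authorisation in prof_attr that was never defined in auth_attr) before the role is handed to anyone.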
As always for RBAC, it’s good practice to create a role, and get users to su to that, rather than tacking profiles onto existing users and prepending pfexec to each command.
That’s all for part one – we’ve set up RBAC and we’re ready to roll. Part 2 will cover how we actually modify the SMF service and tie everything together.
Update: You should also head over to Ben Summers’ blog, where he wrote up an excellent end-to-end guide on how to Control untrusted processes with Solaris SMF