UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Posts for tag 'Solaris'

Solaris 11 is launched

The long wait is over, and Oracle have finally pushed Solaris 11 out of the door. It feels a bit odd to be talking about Oracle releasing a new version of Solaris, but given how long ago Solaris 10 came out, it’s good to see what they’ve been up to.

By now most people should be up to speed with the new features in Solaris 11, like the Automated Installer (AI) and the new IPS packaging system.

ZFS with encryption has been available since Solaris 11 Express was released a year ago. We’ve also had a heads-up that support for 32-bit x86 CPUs was being dropped, as was support for any SPARC systems other than the T- and M-series boxes.

However, there are some extra new features that have come to light with the FCS release:

  • Password caching for su – this is an implementation in PAM that’s similar to the ticketing system used in sudo. Darren Moffat has an entry in his blog that details how to enable it.
  • root is no longer a user, it’s a role. This has been the case since Solaris 11 Express, and in OpenIndiana, but it bears repeating
  • Encrypted user home directories, using encrypted ZFS and delegated key management
  • SMF layers – basically allowing a way to apply and manage SMF properties and customisations. You can read more on Sean Wilcox’s blog here.
  • Many new zone tweaks – Immutable Zones, zone boot environments, and different packages in the global zone and other zones
  • Intel AES-NI crypto functions have been added to OpenSSL. Previously on Solaris x86 the AES-NI code was only available in the kernel and the PKCS#11 libraries; now it’s available within OpenSSL as well.

If you can make it to Oracle’s City Office in London next Wednesday, the UK Oracle User Group Solaris SIG (yeah, I know, LOSUG was much less of a mouthful) are having a special Solaris 11 launch event, starting at 2pm and running through the normal meeting in the evening.

You can find more details on the Solaris SIG site here – it promises to be an interesting event that’s well worth attending.

Allowing Normal Users to Manage SMF Services: Part 2

In Part 1, I covered setting up RBAC with a custom role that would allow us to manage an SMF service as a non-privileged user. Now I’ll cover the steps required to set up the SMF side.

Note that, in the previous post, for management of the Sun MC Agent, we didn’t add a specific command – we added an authorisation to the Profile.

Although this will configure RBAC to support this nicely, it actually won’t do anything – we need to specifically configure SMF on each host to support this extra authorisation.

Out of the box SMF is all or nothing: granting the authorisation solaris.smf.manage lets a user manage every SMF service on the host, which is far more than we want to hand out.

Instead we want to configure a specific SMF service – in this case, sunmcagent – to allow an authorisation string that lets us specifically manage this service – and just this service.

We do this on the specific host with svcprop (to read the service’s properties) and svccfg (to set them).

First of all let’s list the service’s properties:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true

All fairly straightforward – the above tells us:

  • the service is enabled
  • it’s an evolving service, so the stability of its properties isn’t guaranteed
  • there can only be a single discrete instance of this service

We want to add an additional property, our authorisation string.

We use the svccfg command to do this:

root@madlarry # svccfg -s sunmcagent setprop general/action_authorization=astring: 'solaris.smf.manage.sunmcagent'

Having done this, it won’t take effect until we refresh the service.

Check for yourself:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true

Then we refresh the service:

root@madlarry # svcadm refresh sunmcagent

And then check again:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.sunmcagent

Behold our authorisation string! When a user who holds this authorisation (via the RBAC profile from Part 1) runs svcadm against sunmcagent, SMF checks the service’s general/action_authorization property, sees the match, and allows the action for this service and no other.

However – we still can’t disable this service.

That’s because svcadm disable (and svcadm enable) without -t changes the value of the service’s general/enabled property, and that change persists across reboots. The action authorisation only covers the actions that don’t write to the repository (restart, refresh, and the temporary enable -t / disable -t); a persistent enable or disable is a property modification, so it needs a separate authorisation.

To get round this we need to add another property, general/value_authorization, which grants authority to modify the property values of this specific service when managing it.

The svccfg invocation is almost identical:

root@madlarry # svccfg -s sunmcagent setprop general/value_authorization=astring: 'solaris.smf.manage.sunmcagent'

Then we can refresh and review the change:

root@madlarry # svcadm refresh sunmcagent
root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.sunmcagent
general/value_authorization astring solaris.smf.manage.sunmcagent

So now anyone holding the authorisation ‘solaris.smf.manage.sunmcagent’ can perform temporary actions on, and permanently modify the property values of, the sunmcagent service – and only that service.

There’s a good BigAdmin article on configuring custom RBAC roles in Solaris here – highly recommended reading.

Allowing Normal Users to Manage SMF Services: Part 1

RBAC doesn’t just let you give mortal users the power to execute commands as a privileged user – it can also be used to allow them power over other areas of the Solaris OE. A recurring task is allowing a normal user the power to start/stop an SMF service.

In this example I’ll work through how to allow a non-privileged user to manage the SMF service used by the Sun Management Centre (SMC) agent. We do this by modifying the SMF service to add an authorisation, and then defining with RBAC who is able to use that authorisation.

Setting up RBAC for this will involve modifying three of the RBAC configuration files:

  • /etc/security/prof_attr (where RBAC Profiles are defined)
  • /etc/security/auth_attr (where authorisations used by RBAC are defined)
  • /etc/user_attr (where user attributes are defined)

First of all, we need to edit /etc/security/prof_attr to add a new profile for the SMC agent. The syntax is simple: the name of the profile, two reserved (empty) fields, a description, and then an attribute field listing any authorisations that are needed. Adding the following line will do the trick:

SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent

Authorisations are extra tags that are added to an SMF service’s properties – they’re the ‘glue’ that ties together the profile and the SMF service.

Next up we need to add a definition for the new authorisation, by editing /etc/security/auth_attr (name, two reserved fields, short description, long description, attributes) and adding the following line:

solaris.smf.manage.sunmcagent:::Manage SunMC Agent::

Finally, we edit /etc/user_attr to add in a new role, and then assign our newly created SMC Profile to the role. Add the following line to the file:

smcmgmt::::type=role;profiles=SunMC Management,All

Also within /etc/user_attr we need to assign the role to our users. Add in an entry for each user you want to be able to use the role, like this:

tom::::type=normal;roles=smcmgmt

The final stage required to set up RBAC is to add the role details to /etc/passwd and /etc/shadow and to add a group entry to /etc/group. This should be standard stuff, so I’ll just show the lines added to each file:

/etc/passwd

smcmgmt:x:10003:10003:SunMC Management RBAC Role:/export/home/smcmgmt:/bin/pfksh

/etc/shadow

smcmgmt:lku7RuB1d71jY:13162::::::

/etc/group

smcmgmt::10003:

As always for RBAC, it’s good practice to create a role, and get users to su to that, rather than tacking profiles onto existing users and prepending pfexec to each command.

That’s all for part one – we’ve setup RBAC and we’re ready to roll. Part 2 will cover how we actually modify the SMF service and tie everything together.

Update: You should also head over to Ben Summers’ blog, where he wrote up an excellent end-to-end guide on how to Control untrusted processes with Solaris SMF
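Parts 1 and 2 build a chain – user → role → profile → authorisation → SMF service properties – and a missing link anywhere in it fails silently (svcadm just reports permission denied). The script below is an added example, not from either post, that walks the chain from copies of the RBAC files and saved svcprop output, so it runs on any POSIX system rather than only on the Solaris host. The sample files, the directory under $TMP and the user ‘bob’ are constructed for the example; the lines are the ones the two posts add.

```shell
#!/bin/sh
# Added example (not from the original posts): check the RBAC -> SMF chain
# that Parts 1 and 2 build, using copies of the config files and saved
# svcprop output so it runs on any POSIX system, not only on the Solaris host.
# The files under $TMP and the user 'bob' are constructed for this example.

TMP=${TMPDIR:-/tmp}/smf_rbac_check.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed copies of the lines Part 1 adds (plus one unrelated profile
# and authorisation so the parser has to pick the right line).
cat > "$TMP/prof_attr" <<'EOF'
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All
SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent
EOF
cat > "$TMP/auth_attr" <<'EOF'
solaris.smf.manage:::Manage All SMF Service States::
solaris.smf.manage.sunmcagent:::Manage SunMC Agent::
EOF
cat > "$TMP/user_attr" <<'EOF'
smcmgmt::::type=role;profiles=SunMC Management,All
tom::::type=normal;roles=smcmgmt
EOF
# Saved 'svcprop -p general sunmcagent' output after Part 2's svccfg + svcadm refresh.
cat > "$TMP/svcprop.out" <<'EOF'
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.sunmcagent
general/value_authorization astring solaris.smf.manage.sunmcagent
EOF

# attr_field FILE NAME KEY: value of KEY in the ';'-separated key=value
# attribute field (field 5) of the line whose first field is NAME.
# The same layout serves prof_attr (name:::desc:attrs) and user_attr (user::::attrs).
attr_field() {
    awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) { print substr(kv[i], eq + 1); exit }
            }
        }' "$1"
}

# svc_prop FILE PROP: value column of PROP in saved svcprop output; empty if absent.
svc_prop() {
    awk -v prop="$2" '$1 == prop { print $3; exit }' "$1"
}

# auth_defined FILE AUTH: succeeds if AUTH has a definition line in auth_attr.
auth_defined() {
    awk -F: -v a="$2" '$1 == a { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# has_item LIST ITEM: succeeds if comma-separated LIST contains ITEM exactly.
has_item() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_chain USER ROLE PROFILE AUTH: walk user -> role -> profile -> auth ->
# service properties and print the first broken link. 0 only if every link holds.
check_chain() {
    has_item "$(attr_field "$TMP/user_attr" "$1" roles)" "$2" ||
        { echo "user $1 is not assigned role $2"; return 1; }
    [ "$(attr_field "$TMP/user_attr" "$2" type)" = role ] ||
        { echo "$2 is not defined as a role in user_attr"; return 1; }
    has_item "$(attr_field "$TMP/user_attr" "$2" profiles)" "$3" ||
        { echo "role $2 does not carry profile $3"; return 1; }
    has_item "$(attr_field "$TMP/prof_attr" "$3" auths)" "$4" ||
        { echo "profile $3 does not grant $4"; return 1; }
    auth_defined "$TMP/auth_attr" "$4" ||
        { echo "$4 has no entry in auth_attr"; return 1; }
    for p in general/action_authorization general/value_authorization; do
        [ "$(svc_prop "$TMP/svcprop.out" "$p")" = "$4" ] ||
            { echo "$p is not $4 on the service (svccfg setprop, then svcadm refresh)"; return 1; }
    done
    echo "ok: $1 -> $2 -> $3 -> $4 -> sunmcagent (action + value)"
}

check_chain tom smcmgmt "SunMC Management" solaris.smf.manage.sunmcagent
check_chain bob smcmgmt "SunMC Management" solaris.smf.manage.sunmcagent ||
    echo "(expected: bob holds no role)"
```

On a real host you would point the four paths at /etc/security/prof_attr, /etc/security/auth_attr, /etc/user_attr and the live output of svcprop -p general sunmcagent; the check on the two general/*_authorization properties is the one that catches the classic mistake of running svccfg setprop and forgetting svcadm refresh.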

OpenIndiana 151a is released!

Another milestone has been reached by the OpenIndiana team. Release 151a is now out, bringing several key new changes to the table. The biggest one is that OpenIndiana now integrates Illumos, and also includes the kernel virtual machine (KVM), as recently released by Joyent.

You can grab the downloads from http://openindiana.org/download, with several options to choose from:

  • Desktop DVD ISO
  • Desktop USB installer image
  • Server text-based CD ISO
  • Server text-based USB installer image

You can browse the full OpenIndiana 151a release notes at http://wiki.openindiana.org/oi/oi_151a+Release+Notes

Solaris 11 Early Adopter Release

As the Solaris 11 GA release approaches, Oracle have announced the Solaris 11 Early Adopter release. The EA release is an update to the previous Solaris 11 Express, with the final feature set frozen.

The EA Release is aimed at developers, to carry out testing and qualification of their applications. With the feature list and functionality frozen, barring some last minute bug fixes, this is what the final Solaris 11 release will look like.

You can find out more at Oracle’s Solaris 11 Early Adopter page. Download links are direct from there – but a quick warning: the only supported SPARC systems are M and T series kit.

Now’s the time to get to grips with the Automated Installer, ZFS root, and the other changes that Solaris 11 will bring.

Top of page / Subscribe to new Entries (RSS)