Determining Your Assigned Privileges
When privileges are directly assigned to a user, the privileges are in effect in
every shell. When privileges are not directly assigned, the user
must open a profile shell to use them. For example, when commands with assigned privileges are
in a rights profile that is in the user's list of rights
profiles, the user must execute those commands in a profile shell.
How to Determine the Privileges That You Have Been Directly Assigned
The following procedure shows how to determine if you have been directly assigned
privileges.
Caution - Inappropriate use of directly assigned privileges can result in unintentional breaches of security.
For a discussion, see Security Considerations When Directly Assigning Security Attributes.
- List the privileges that your processes can use.
See How to Determine the Privileges on a Process for the procedure.
- Invoke actions and run commands in any shell.
The privileges that are listed in the effective set are in effect throughout
your session. If you have been directly assigned privileges in addition to the basic
set, the privileges are listed in the effective set.
Example 11-9 Determining Your Directly-Assigned Privileges
If you have been directly assigned privileges, then your basic set contains more
than the default basic set. In this example, the user always has
access to the proc_clock_highres privilege.
% /usr/ucb/whoami
jdoe
% ppriv -v $$
1800: pfksh
flags = <none>
E: file_link_any,…,proc_clock_highres,proc_session
I: file_link_any,…,proc_clock_highres,proc_session
P: file_link_any,…,proc_clock_highres,proc_session
L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
% ppriv -vl proc_clock_highres
Allows a process to use high resolution timers.
Example 11-10 Determining a Role's Directly-Assigned Privileges
Roles use an administrative shell, or profile shell. Users who assume a role
can use the role's shell to list the privileges that have been
directly assigned to the role. In the following example, the role realtime has been
directly assigned privileges to handle date and time programs.
% su - realtime
Password: <Type realtime password>
$ /usr/ucb/whoami
realtime
$ ppriv -v $$
1600: pfksh
flags = <none>
E: file_link_any,…,proc_clock_highres,proc_session,sys_time
I: file_link_any,…,proc_clock_highres,proc_session,sys_time
P: file_link_any,…,proc_clock_highres,proc_session,sys_time
L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
How to Determine the Privileged Commands That You Can Run
When a user is not directly assigned privileges, then the user gets access
to privileged commands through a rights profile. Commands in a rights profile must
be executed in a profile shell.
Before You Begin
The user or role who authenticates to the Solaris Management Console must have
the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.
- Determine the rights profiles that you have been assigned.
$ /usr/sadm/bin/smuser list -- -n username -l
Authenticating as user: admin
… Please enter a string value for: password ::
…
User name: username
User ID (UID): 130
Primary group: staff
Secondary groups:
Comment: object mgt jobs
Login Shell: /bin/sh
Home dir server: system
Home directory: /export/home/username
AutoHome setup: True
Mail server: system
Rights: Object Access Management
Assigned Roles:
- Locate the line that begins with “Rights:”.
The “Rights” line lists the names of the rights profiles that have been
directly assigned to you.
- Find the names of the rights profiles in the exec_attr database.
$ cd /etc/security
$ grep "Object Access Management" exec_attr
Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown
Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown
Object Access Management:suser:cmd:::/usr/bin/chgrp:euid=0
Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0
…
The commands with added privileges are listed at the end of solaris
policy entries.
- Type the commands that require privileges in a profile shell.
When the commands are typed in a regular shell, the commands do
not run with privilege, and do not succeed.
% pfsh
$
Example 11-11 Running Privileged Commands in a Profile Shell
In the following example, the user jdoe cannot change the group permissions on
a file from his regular shell. However, jdoe can change the permissions when
typing the command in a profile shell.
% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 nodoe eng 262 Apr 2 10:52 useful.script
% chgrp staff useful.script
chgrp: useful.script: Not owner
% pfksh
$ /usr/ucb/whoami
jdoe
$ chgrp staff useful.script
$ chown jdoe useful.script
$ ls -l useful.script
-rwxr-xr-- 1 jdoe staff 262 Apr 2 10:53 useful.script
How to Determine the Privileged Commands That a Role Can Run
A role gets access to privileged commands through a rights profile that contains
commands with assigned privileges. The most secure way to provide a user with
access to privileged commands is to assign a role to them. After assuming
the role, the user can execute all the privileged commands that are included
in the rights profiles for that role.
Before You Begin
The user or role who authenticates to the Solaris Management Console must have
the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.
- Determine the roles that you can assume.
$ /usr/sadm/bin/smuser list -- -n username -l
Authenticating as user: primadmin
…
User name: username
User ID (UID): 110
Primary group: staff
Secondary groups:
Comment: Has admin roles
Login Shell: /bin/sh
…
Rights:
Assigned Roles: primadmin, admin
- Locate the line that begins with “Assigned Roles:”.
The “Assigned Roles” line lists the roles that you can assume.
- Determine the rights profiles that are included in one of your roles.
$ /usr/sadm/bin/smuser list -- -n admin -l
Authenticating as user: primadmin
…
User name: admin
User ID (UID): 101
Primary group: sysadmin
Secondary groups:
Comment: system administrator
Login Shell: /bin/pfksh
…
Rights: System Administrator
Assigned Roles:
- Locate the names of the rights profiles for the role in the
“Rights:” line.
- Find the rights profiles in the prof_attr database.
Because the System Administrator profile is a collection of profiles, you need to
list the profiles in the System Administrator profile.
$ cd /etc/security
$ grep "System Administrator" prof_attr
System Administrator:::Can perform most non-security administrative
tasks:profiles=Audit Review,Printer Management,Cron Management,
Device Management,File System Management,Mail Management,Maintenance
and Repair,Media Backup,Media Restore,Name Service Management,Network
Management,Object Access Management,Process Management,Software
Installation,User Management,All;help=RtSysAdmin.html
- For each rights profile, find the rights profiles in the exec_attr database.
For example, the Network Management profile is a supplementary profile of the System
Administrator profile. The Network Management profile includes a number of privileged commands.
$ cd /etc/security
$ grep "Network Management" exec_attr
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config
…
The commands and their assigned privileges are the final two fields of solaris
policy entries. You can run these commands in the profile shell of your
role.
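The lookups in the two preceding procedures (a user's rights profile in exec_attr, and a role's nested profiles in prof_attr followed by exec_attr) can be done in one pass. The following Python code is an added example, not part of the original Solaris documentation; its function names are hypothetical, and the sample data is constructed, abridged from the entries shown on this page.

```python
# Added example; sample data is constructed, abridged from this page's output.
PROF_ATTR = (
    "System Administrator:::Can perform most non-security administrative "
    "tasks:profiles=Network Management,Object Access Management,All;"
    "help=RtSysAdmin.html\n"
)
EXEC_ATTR = """\
Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown
Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown
Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config
"""

def records(text, nfields):
    """Yield colon-separated records, skipping comments and short lines."""
    for line in text.splitlines():
        parts = line.split(":", nfields - 1)
        if not line.startswith("#") and len(parts) == nfields:
            yield parts

def parse_attrs(field):
    """Turn 'key=value;key=value' into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def expand(profile, nested, seen=None):
    """Return the profile and every profile it includes, depth first."""
    seen = [] if seen is None else seen
    if profile not in seen:  # also stops on include cycles
        seen.append(profile)
        for child in nested.get(profile, []):
            expand(child, nested, seen)
    return seen

def privileged_commands(profile, prof_attr, exec_attr, policy="solaris"):
    """List (profile, command, attrs) for cmd entries under one policy."""
    nested = {}
    for name, _r1, _r2, _desc, attr in records(prof_attr, 5):
        listed = parse_attrs(attr).get("profiles", "")
        nested[name] = [p.strip() for p in listed.split(",") if p.strip()]
    wanted = expand(profile, nested)
    return [(name, cmd, parse_attrs(attr))
            for name, pol, typ, _r1, _r2, cmd, attr in records(exec_attr, 7)
            if name in wanted and pol == policy and typ == "cmd"]

if __name__ == "__main__":
    for name, cmd, attrs in privileged_commands(
            "System Administrator", PROF_ATTR, EXEC_ATTR):
        print(f"{cmd:20} {attrs.get('privs', ''):16} via {name}")
```

Passing policy="suser" lists the euid=0 entries instead, which is useful when reviewing which commands a profile runs as superuser rather than with individual privileges.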
Example 11-12 Running the Privileged Commands in Your Role
When a user assumes a role, the shell becomes a profile shell.
Therefore, the commands are executed with the privileges that were assigned to the
commands. In the following example, the admin role can change the permissions on the
useful.script file.
% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script
% chgrp admin useful.script
chgrp: useful.script: Not owner
% su - admin
Password: <Type admin password>
$ /usr/ucb/whoami
admin
$ chgrp admin useful.script
$ chown admin useful.script
$ ls -l useful.script
-rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script