Network Security Focus-Sun

Re: (mis)using RBAC...

Subject: Re: (mis)using RBAC...
Date: Thu, 14 Apr 2005 14:12:09 -0700
On Tue, 2005-04-12 at 12:19, Jonathan Katz wrote:

> 3) I then added the role to my account on the server in /etc/user_attr:
> jkatz::::type=normal;profiles=Web Administration,Basic Solaris User

Correction: you added the profile to your account.  You haven't
yet created a role.

A role is a shared account that has its own uid/gid/home dir
etc.  The only real difference between a role and a normal user
account is that roles cannot directly log in to the system - the
pam_roles.so.1 module enforces this.

My general guidance is if you would normally have a shared 
account a role is the correct way to do this.  For example the
oracle account would IMO always be a role.

root is best thought of as (and can actually be) a role - i.e. it isn't
a real person.

> 4) Finally, I changed my shell to /bin/pfcsh. Now, with my regular
> user account I can start and restart our webservers.
>
> My questions are, is this a normal practice (are there other people
> doing it) and is it supported? What unintended consequences am I
> missing? I understand that if a user's account is compromised, the
> webserver services can be stopped and started at-will. I also
> understand that our sysadmin group will be restricted to using
> pfcsh/pfksh/pfsh and cannot use bash or tcsh (although we can still
> leave those set, type 'exec pfsh' and then do what we need to do as
> the Profile.)

Or they can do this:

tcsh% pfexec /opt/app/iplanet/https-myserver/start

It really depends on what you are trying to achieve whether roles
or direct profile assignment is best.  To take a different example,
I would assign the Printer Management profile directly to users
rather than making lp a role and giving users the ability to become
the lp user.

In order to address your particular example, is the web content
intended to be updatable by the same people that can restart the
server?  If so maybe the content (but NOT the server binaries)
should be owned by a role and the role given the ability to
restart the service.  The actions would then be:

jkatz% su webservd
webservd% vi index.html
webservd% /opt/app/iplanet/https-myserver/start

Now having said all of that.....  if this is just about restarting
services then there is a better way in Solaris 10 via SMF.  Each
SMF service can have associated with it an RBAC authorisation that
allows a user the ability to restart the service; you don't need
pfexec or pf*sh to do this since svc.startd checks the authorisations
and the user just needs to run svcadm(1m).

See:  service_bundle(4), smf_security(5), svcadm(1m)

-- 
Darren J Moffat
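
The role versus direct-profile distinction drawn in the reply above can be audited from /etc/user_attr itself. The script below is an added example, not part of the original message: it parses user_attr(4)-style entries and reports which accounts are roles and which are normal users holding profiles or roles directly. The function names and the sample entries (including the webservd role and the alice account) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify user_attr(4) entries as role accounts or as
# normal users holding directly assigned profiles or roles.
# Entry format: user:qualifier:res1:res2:attr  (attr = key=value;key=value)

# Constructed sample entries; on a real host pass /etc/user_attr instead.
sample_user_attr() {
cat <<'EOF'
# constructed sample, not taken from a real system
root::::type=role;auths=solaris.*;profiles=All
webservd::::type=role;profiles=Web Administration
jkatz::::type=normal;profiles=Web Administration,Basic Solaris User
alice::::type=normal;roles=webservd
EOF
}

# audit_user_attr [file]: print "name|kind|profiles|roles" for each entry.
# Reads standard input when no file is given.
audit_user_attr() {
    awk -F: '
    /^[ \t]*#/ || NF < 5 { next }      # skip comments and malformed lines
    {
        attr = $5                      # rejoin attr if it contained ":"
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        type = "normal"; profiles = ""; roles = ""   # type absent => normal
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            key = substr(kv[i], 1, eq - 1)
            val = substr(kv[i], eq + 1)
            if (key == "type") type = val
            else if (key == "profiles") profiles = val
            else if (key == "roles") roles = val
        }
        if (type == "role") kind = "role"
        else if (profiles != "") kind = "user-with-profiles"
        else if (roles != "") kind = "user-with-roles"
        else kind = "user"
        print $1 "|" kind "|" profiles "|" roles
    }' "${1:--}"
}

sample_user_attr | audit_user_attr
```

Entries reported as user-with-profiles are the ones where a compromise of the personal account directly exposes the profile's commands, which is the trade-off the original question raises.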
