The authorizations, roles, rights profiles, and privileged commands are defined in four files.
# cat /etc/user_attr ==> lists the rights profiles & authorizations associated with users and roles
# cat /etc/security/prof_attr ==> to view the rights profile names and descriptions
# cat /etc/security/policy.conf ==> default rights profiles and authorizations granted to every user
# cat /etc/security/exec_attr ==> lists the execution attributes (the commands each profile grants and the ids they run with)
Assigning Rights Profiles To Users
# cat /etc/security/prof_attr ==> to view the rights profile names and descriptions
All:::Execute any command as the user or role:help=RtAll.html
Log Management:::Manage log files:help=RtLogMngmnt.html
Media Backup:::Backup files and file systems:help=RtMediaBkup.html
Media Restore:::Restore files and file systems from backups:help=RtMediaRestore.html
First column: rights profile name
Fourth column: comment (a short description of the profile)
Last column: pointer to a help file
Help files exist in the /usr/lib/help/auths/locale/C directory
The /etc/security/exec_attr file holds the execution attributes.
An execution attribute is associated with a rights profile name: each entry names the profile, the full path of a command, and the uid or euid the command runs with when it is invoked through that profile.
# cat /etc/security/exec_attr
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
# useradd -md /export/home/john -s /bin/ksh john
# profiles john ==> to view the default profiles assigned to every new user account
To assign a profile while creating a user
# useradd -md /export/home/paul -s /bin/ksh -P "Printer Management" paul
# profiles paul ==> to list the rights profiles assigned to a user
# su - paul
$ profiles
# usermod -P "Printer Management" chris ==> to assign rights profiles to a user account
This automatically updates the /etc/user_attr file
# cat /etc/user_attr
# usermod -P "Service Operator,Printer Management" username
# profiles -l chris ==> to view the contents of a rights profile
# usermod -P "" username ==> to remove the rights profiles
Assigning Rights Profiles To Roles
If a large number of user accounts require the same configuration and management of rights profiles, it can be easier to assign the rights profiles to a role and give the users access to the role.
Creating a Role
The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and /etc/user_attr files.
-c comment    A text string that provides a short description of the role.
-d dir        Specifies the home directory of the new role.
-m            Creates the new role's home directory if it does not already exist.
-P profile    Assigns rights profiles to the role. Use commas (,) to separate multiple rights profiles.
To create a role
# roleadd -m -d /export/home/level1 -c "Level One Support" \
-P "Printer Management,Media Backup,Media Restore" level1
# passwd level1
The role cannot be used until a password is applied to it.
# grep level1 /etc/passwd
level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh
# grep level1 /etc/shadow
level1:CUs8aQ64vTrZ.:12713::::::
# grep level1 /etc/user_attr
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
Modifying a Role
-e expire        Specifies the expiration date for a role.
-l new_logname   Specifies the new login name for the role.
-P profile       Specifies one or more comma-separated rights profiles, as defined in the /etc/security/prof_attr file.
-s shell         Specifies the full path name of the program that is used as the role's shell when logging in. These shells are special versions of the Bourne shell (sh), C shell (csh), and Korn shell (ksh).
# rolemod -P "profile1,profile2" -s /usr/bin/pfksh level1
# rolemod -P "Printer Management,Service Operator" level1
# rolemod -P "" level1 ==> to remove the rights profiles assigned to a role
The profile shells are pfsh, pfcsh, and pfksh. These profile shells correspond to Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
# roledel -r rolename ==> to delete a role
Assigning Roles To Users
A user can have access to many roles
To assign roles to a user
# useradd -m -d /export/home/paul -s /bin/ksh -R level1 paul
# passwd paul
# roles username ==> to list the roles of a user account
# usermod -R rolename username ==> to add roles to an existing user account
# usermod -R "" username ==> to remove all role access from a user
account
Using Roles
It is not possible to log into a role account.
Log in as a regular user first.
The roles command shows the roles available to the account.
$ id
$ roles
Switch to the role account with the su command; the role's profile shell (/bin/pfsh for level1 above) is what applies the role's rights profiles to the commands run from it.
$ su - level1
$ id
$ profiles
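An added audit example, not part of the original notes: a POSIX sh script that follows the chain user_attr -> prof_attr -> exec_attr described above and reports which commands a user can run with an altered uid or euid, both through profiles assigned directly (usermod -P) and through profiles reached via a role (usermod -R). It works on copies of the three files in a directory rather than on a live Solaris host, so the sample file contents below are constructed for the demonstration; the function names (user_attr_key, profile_commands, effective_commands, privileged_paths) are this script's own, not Solaris commands.

```shell
#!/bin/sh
# Resolve a user's effective execution attributes under Solaris RBAC.
# Data model (from the real files, ':' separated):
#   user_attr : name::::key=value;key=value   (keys: type, profiles, roles, auths)
#   prof_attr : profile:::description:attrs
#   exec_attr : profile:policy:type:::path:id-attributes
set -eu
set -f   # no pathname expansion: the "All" profile uses "*" as a command path

RBAC_DIR="$(mktemp -d)"
trap 'rm -rf "$RBAC_DIR"' EXIT

# Constructed sample databases for offline use (not copied from any real host).
write_samples() {
    cat > "$RBAC_DIR/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
paul::::type=normal;profiles=Printer Management;roles=level1
chris::::type=normal;profiles=Service Operator,Printer Management
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
EOF
    cat > "$RBAC_DIR/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html
Media Backup:::Backup files and file systems:help=RtMediaBkup.html
Media Restore:::Restore files and file systems from backups:help=RtMediaRestore.html
Service Operator:::Administer services:help=RtSvcOperator.html
EOF
    cat > "$RBAC_DIR/exec_attr" <<'EOF'
All:suser:cmd:::*:
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
Media Backup:suser:cmd:::/usr/sbin/ufsdump:euid=0
Media Restore:suser:cmd:::/usr/sbin/ufsrestore:euid=0
Service Operator:suser:cmd:::/usr/sbin/svcadm:uid=0
EOF
}

# Print the value of KEY (profiles, roles, ...) from NAME's user_attr entry.
user_attr_key() {  # $1=name $2=key
    awk -F: -v name="$1" -v key="$2" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) print substr(kv[i], eq + 1)
            }
        }' "$RBAC_DIR/user_attr"
}

# Commands granted by one profile, as "profile|path|id-attributes".
profile_commands() {  # $1=profile
    awk -F: -v prof="$1" '$1 == prof && $3 == "cmd" { print prof "|" $6 "|" $7 }' \
        "$RBAC_DIR/exec_attr"
}

# Expand a comma-separated profile list; profile names may contain spaces.
emit_profiles() {  # $1=source label  $2=comma-separated profiles
    label="$1"; old_ifs="$IFS"; IFS=','
    for prof in $2; do
        IFS="$old_ifs"
        profile_commands "$prof" | sed "s/\$/|$label/"
    done
    IFS="$old_ifs"
}

# Every "profile|path|id-attributes|source" line reachable by USER:
# profiles assigned directly, then profiles of each role the user may su to.
effective_commands() {  # $1=user
    emit_profiles "direct" "$(user_attr_key "$1" profiles)"
    for role in $(user_attr_key "$1" roles | tr ',' ' '); do
        emit_profiles "via role $role" "$(user_attr_key "$role" profiles)"
    done
}

# Distinct command paths USER can run with uid 0 or euid 0 (the review target).
privileged_paths() {  # $1=user
    effective_commands "$1" | awk -F'|' '$3 ~ /(^|;)e?uid=0(;|$)/ { print $2 }' | sort -u
}

report() {  # $1=user
    echo "== $1: commands reachable through rights profiles =="
    effective_commands "$1" | sort -u
    echo "-- paths $1 can run as uid/euid 0 --"
    privileged_paths "$1"
}

write_samples
for u in paul chris root; do report "$u"; done
```

Point RBAC_DIR at a directory holding copies of /etc/user_attr and /etc/security/{prof_attr,exec_attr} pulled from a real host (and drop the write_samples call) to review who can reach uid 0 through a role before, for example, running rolemod -P "" on it. Entries with an empty id-attributes field, such as the wildcard in the All profile, run with the caller's own ids and so are deliberately excluded from privileged_paths.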