Friday, October 6, 2006

CEC: RBAC Demystified

Brian Bianquart and Darren Moffat

Role Based Access Control

What is a Role: An account on the system

Cannot directly login

Could be root (or any user)

What is a Privilege: An attribute of a process

Checked by Kernel

Authorization: given to users directly or through profile

...Cutting back on following/outlining until I see something that I am less sure is readily available online and in docs...

One exec_attr table can be used across Solaris 8 and 9, Trusted Solaris (8) and Solaris 10

Here we have a graphic I have never seen before...took a picture but it will probably be lame.

I think maybe hand drawings scanned and added to the slides.

[Photo: A picture of an RBAC slide]

Q: Can we make it such that user and role profiles can be modified while the user is logged in or the role is in use?

A: Yes, that is a bug fixed in update 3...changes may not take effect until next login, but you will be able to make the change.

Standard RBAC

Execute with elevated privileges...Start Apache as a regular user on port 80

(As opposed to start as root and drop privs)

I think I was hoping for more in-depth technical details; still time yet, we will see.

/usr/bin/pfexec is the closest thing to sudo, only without authentication (yet)

pfexec will use the first profile found...that is, the ALL role should be last, otherwise don't bother to define other profiles.
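An added example (not from the talk or from Solaris itself): a simplified Python model of the ordering rule above, showing how a wildcard entry listed first shadows a later entry that would have granted a privilege. The "Web Admin" profile, the command path and the profile orders are constructed samples; the model ignores the policy field and does not expand nested profiles.

```python
# Added illustration: a simplified model of pfexec's first-match lookup.
# Entries follow the exec_attr(4) layout: name:policy:type:res1:res2:id:attr
# "Web Admin", the command path and the profile orders are constructed samples.
EXEC_ATTR = """\
All:suser:cmd:::*:
Web Admin:solaris:cmd:::/usr/apache2/bin/apachectl:privs=net_privaddr
"""

def parse_exec_attr(text):
    """Return {profile: [(command_pattern, attrs_dict), ...]}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: the policy field is parsed but not evaluated here.
        name, _policy, kind, _res1, _res2, cmd_id, attr = line.split(":", 6)
        if kind != "cmd":
            continue
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        table.setdefault(name, []).append((cmd_id, attrs))
    return table

def matches(pattern, command):
    """Exact path match, or a trailing '*' wildcard."""
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return pattern == command

def resolve(profiles, command, table):
    """Walk the user's profiles in order; the first matching entry wins."""
    for profile in profiles:
        for pattern, attrs in table.get(profile, []):
            if matches(pattern, command):
                return profile, attrs
    return None, {}

TABLE = parse_exec_attr(EXEC_ATTR)
CMD = "/usr/apache2/bin/apachectl"

if __name__ == "__main__":
    # Same two profiles, two different orders in the user's profile list.
    for order in (["All", "Web Admin"], ["Web Admin", "All"]):
        profile, attrs = resolve(order, CMD, TABLE)
        print(order, "->", profile, attrs or "(no extra attributes)")
```

With the wildcard profile first, the command resolves to it and runs with no extra attributes; with it last, the specific entry is reached and its privilege applies.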

SMF demo: Allow a user to change the running state of a service but not the boot state


ALLOWED: svcadm enable/disable -t

DISALLOWED: svcadm enable/disable (no -t)


File a bug if you think it should be changed


Create your own profiles


Kernel no longer only checks for UID==0

48+ privileges checked instead

Now privilege sets, next how the privileges flow; not really going to note that down...I know it is well documented, I have read it.

Note: Dark Red on black...hard to see, shouldn't do colors that evaluate to black

Use ppriv -D to debug privilege access. (Yes this is commonly known)


Solaris 10 NFSv4/ZFS ACLs now match those as implemented in Windows NT/XP

More info 

There is a RBAC and SUDO comparison slide

Strengths and weaknesses on both sides; the most common requested deltas are being addressed.

Authentication and Netgroups are on/near the top of the list.
 and Sun blueprints

