Part I Security Overview
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Authorization Naming and Delegation
Databases That Support RBAC
11. Privileges (Tasks)
12. Privileges (Reference)
Part IV Solaris Cryptographic Services
13. Solaris Cryptographic Framework (Overview)
14. Solaris Cryptographic Framework (Tasks)
15. Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
17. Using PAM
18. Using SASL
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
Part VI Kerberos Service
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Solaris Auditing
28. Solaris Auditing (Overview)
29. Planning for Solaris Auditing
30. Managing Solaris Auditing (Tasks)
31. Solaris Auditing (Reference)
Contents of Rights Profiles
This section describes some typical rights profiles. Rights profiles can include authorizations, commands with
security attributes, and supplementary rights profiles. The rights profiles are listed from most
to least powerful. For suggestions on how to distribute rights profiles to roles
at your site, see How to Plan Your RBAC Implementation.
Primary Administrator rights profile – Provides the capabilities of superuser in one profile.
System Administrator rights profile – Provides a profile that can do most tasks that are not connected with security. This profile includes several other profiles to create a powerful role.
Operator rights profile – Provides limited capabilities to manage files and offline media. This profile includes supplementary rights profiles to create a simple role.
Printer Management rights profile – Provides a limited number of commands and authorizations to handle printing. This profile is one of several profiles that cover a single area of administration.
Basic Solaris User rights profile – Enables users to use the system within the bounds of security policy. This profile is listed by default in the policy.conf file.
All rights profile – For roles, provides access to commands that do not have security attributes.
Console User rights profile – For the workstation owner, provides access to authorizations, commands, and actions that you want to reserve for the person who is seated at the computer.
Each rights profile has an associated help file. The help files are in
HTML and are customizable. The files reside in the /usr/lib/help/profiles/locale/C directory.
Primary Administrator Rights Profile
The Primary Administrator rights profile is assigned to the most powerful role on
the system. The role that includes the Primary Administrator rights profile has superuser
The solaris.* authorization effectively assigns all of the authorizations that are provided by the Solaris software.
The solaris.grant authorization lets a role assign any authorization to any rights profile, role, or user.
The command assignment *:uid=0;gid=0 provides the ability to run any command with UID=0 and GID=0.
You can customize the help file RtPriAdmin.html for your site, if necessary. Help
files are stored in the /usr/lib/help/profiles/locale/C directory.
Note also that if the Primary Administrator rights profile is not consistent with
a site's security policy, the profile can be modified or not assigned at
all. However, the security capabilities in the Primary Administrator rights profile would need
to be handled in one or more other rights profiles. Those other rights
profiles would then be assigned to roles.
Table 10-1 Contents of Primary Administrator Rights Profile
To perform all administrative tasks
Help File: RtPriAdmin.html
System Administrator Rights Profile
The System Administrator rights profile is intended for the System Administrator role. Because
the System Administrator does not have the broad capabilities of the Primary Administrator,
no wildcards are used. Instead, this profile is a set of discrete, supplementary
administrative rights profiles that do not deal with security. The commands with security attributes
from one of the supplementary rights profiles are shown.
Note that the All rights profile is assigned at the end of
the list of supplementary rights profiles.
Table 10-2 Contents of System Administrator Rights Profile
To perform most nonsecurity administrative tasks
Supplementary rights profiles: Audit Review, Printer
Management, Cron Management, Device Management, File System Management, Mail Management, Maintenance and Repair,
Media Backup, Media Restore, Name Service Management, Network Management, Object Access Management, Process Management,
Software Installation, Project Management, User Management, All
Help File: RtSysAdmin.html
Commands from one of the
Object Access Management rights profile, solaris policy: /usr/bin/chgrp:privs=file_chown, /usr/bin/chmod:privs=file_chown, /usr/bin/chown:privs=file_chown, /usr/bin/setfacl:privs=file_chown
suser policy: /usr/bin/chgrp:euid=0,
/usr/bin/chmod:euid=0, /usr/bin/chown:euid=0, /usr/bin/getfacl:euid=0, /usr/bin/setfacl:euid=0
Operator Rights Profile
The Operator rights profile is a less powerful profile that provides the ability
to do backups and printer maintenance. The ability to restore files has more
security consequences. Therefore, in this profile, the default is to not include the
ability to restore files.
Table 10-3 Contents of Operator Rights Profile
To perform simple administrative tasks
Supplementary rights profiles: Printer Management, Media Backup, All
Printer Management Rights Profile
Printer Management is a typical rights profile that is intended for a
specific task area. This profile includes authorizations and commands. The following table shows
a partial list of commands.
Table 10-4 Contents of Printer Management Rights Profile
To manage printers, daemons, and spooling
Authorizations: solaris.print.*, solaris.label.print,
solaris.admin.printer.delete, solaris.admin.printer.modify, solaris.admin.printer.read
Commands: /usr/lib/lp/local/lpadmin:uid=lp;gid =lp, /usr/sbin/lpfilter:euid=lp;uid=lp, /usr/sbin/lpforms:euid=lp, /usr/sbin/lpusers:euid=lp, /usr/sbin/ppdmgr:euid=0
Help File: RtPrntMngmnt.html
Basic Solaris User Rights Profile
By default, the Basic Solaris User rights profile is assigned automatically to all
users through the policy.conf file. This profile provides basic authorizations that are useful in
normal operations. Note that the convenience that is offered by the Basic Solaris
User rights profile must be balanced against site security requirements. Sites that need
stricter security might prefer to remove this profile from the policy.conf file.
Table 10-5 Contents of Basic Solaris User Rights Profile
assign rights to all users
Authorizations: solaris.profmgr.read, solaris.jobs.user, solaris.mail.mailq, solaris.device.mount.removable, solaris.admin.usermgr.read, solaris.admin.logsvc.read, solaris.admin.fsmgr.read,
solaris.admin.serialmgr.read, solaris.admin.diskmgr.read, solaris.admin.procmgr.user, solaris.compsys.read, solaris.admin.printer.read, solaris.admin.prodreg.read, solaris.admin.dcmgr.read, solaris.snmp.read, solaris.project.read, solaris.admin.patchmg.read, solaris.network.hosts.read, solaris.admin.volmgr.read
/usr/bin/cdda2wav.bin:privs=file_dac_read,sys_devices, proc_priocntl,net_privaddr, /usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices, proc_lock_memory,proc_priocntl,net_privaddr, /usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr, /usr/lib/ospm/lp-queue-helper:euid=lp;gid=lp,
Supplementary rights profiles: All
Help File: RtDefault.html
Console User Rights Profile
The Console User rights profile is intended for the console user, that is,
the person who is seated in front of the system. This profile
is delivered with a convenient set of authorizations for the console user. You can
customize the Console User rights profile to satisfy your site security requirements. For
an example, see Example 9-20.
All Rights Profile
The All rights profile uses the wildcard to include all commands. This profile
provides a role with access to all commands that are not explicitly assigned
in other rights profiles. Without the All rights profile or other rights profiles
that use wildcards, a role has access to explicitly assigned commands only. Such
a limited a set of commands is not very practical.
The All rights profile, if used, should be the final rights profile that
is assigned. This last position ensures that explicit security attribute assignments in other
rights profiles are not inadvertently overridden.
Table 10-6 Contents of All Rights Profile
To execute any command as the user
Help File: RtAll.html
Order of Rights Profiles
The commands in rights profiles are interpreted in order. The first occurrence of
a command is the only version of the command that is used
for that role or user. Different rights profiles can include the same command. Therefore,
the order of rights profiles in a list of profiles is important. The
rights profile with the most capabilities should be listed first.
Rights profiles are listed in the Solaris Management Console GUI and in the
prof_attr file. In the Solaris Management Console GUI, the rights profile with the
most capabilities should be the top profile in a list of assigned rights
profiles. In the prof_attr file, the rights profile with the most capabilities should
be the first in a list of supplementary profiles. This placement ensures that
a command with security attributes is listed before that same command without security
Viewing the Contents of Rights Profiles
The Solaris Management Console Rights tool provides one way of inspecting the contents
of the rights profiles.
The prof_attr and exec_attr files offer a more fragmented view. The prof_attr file
contains the name of every rights profile that is defined on the system.
The file also includes the authorizations and the supplementary rights profiles for each profile.
The exec_attr file contains the names of rights profiles and their commands with