On Wed, Aug 04, 2010 at 10:53:45AM -0400, Paul Wernau wrote:
>
> I think you are confusing two concepts, one of which I think has a
> bad security implication, which you've seen, and one of which does
> not.
>
> This is what a user gets in /etc/user_attr by default on OSOL installs.
>
> user::::profiles=Primary Administrator;roles=root
>
> The behavior you saw is being able to "pfexec blah" with uid 0
> privilege. That has nothing to do with the root role. It has to do
> with this incredibly powerful profile granted to it. That profile
> was intended to be a "never to be used in production" profile.
> There is an acknowledged bug to change this.
>
> Note that if you never gave the user the root role, you'd have the
> same issue. i.e.
>
> user::::profiles=Primary
>
> still makes you all powerful dictator with pfexec. Run profiles -l
> as the user to see what is actually in the profile.
>
> Below is the root role, by default, which is powerful.
>
> root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
>
> Since it is a role, you can't log in directly.
>
> If you have a user that is normal and doesn't have any profiles with
> elevated privileges, pfexec does not impart any special powers. You
> have to su to root to get the root powers. You'd only be allowed to
> su to root if the role was in your user_attr line. And then the
> auditing shows both that you are running as root and who you really
> are. That's the idea.
>
> Try this one:
>
> user::::roles=root
>
> The Primary Administrator profile being assigned to users this way
> has confused people and broken the RBAC concept, IMO.

Along those lines this is what I posted in the related thread on
[email protected]:

Making root a role and giving a user a pfexec profile that provides all
privs are two different things. It is possible, for example, to have a
user_attr entry that looks like:

  jimw::::type=normal;roles=root;profiles=Basic Solaris User

This allows jimw to su to root, which requires root's password; however,
pfexec'ing when running as jimw doesn't grant him additional privs.

One could also configure jimw's user_attr entry to be:

  jimw::::type=normal;profiles=File System Management,ZFS File System Management

which doesn't give jimw the ability to su to root but does give some,
but not all, additional privs when he pfexec's commands.

And as you point out, if jimw has the Primary Administrator profile then
he can essentially pfexec as root, which is risky and not really the
intended use case for pfexec.

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
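
Added example, not part of either message: a small Python audit that parses user_attr-style lines and separates the two cases discussed in the thread (direct assignment of the Primary Administrator profile versus membership in the root role). The sample file is constructed from the entries quoted above; the account name fsadm and the function names are assumptions made for illustration.

```python
SAMPLE_USER_ATTR = """\
# constructed sample, not a real system file
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
user::::profiles=Primary Administrator;roles=root
jimw::::type=normal;roles=root;profiles=Basic Solaris User
fsadm::::type=normal;profiles=File System Management,ZFS File System Management
"""

RISKY_PROFILE = "Primary Administrator"


def parse_user_attr(text):
    """Return {name: {key: [values]}} for each user_attr entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Layout: user:qualifier:res1:res2:attr, attr is key=value;key=value
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # skip malformed lines
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = [v.strip() for v in value.split(",")]
        entries[fields[0]] = attrs
    return entries


def audit(text):
    """Map each account to notes on how it can reach root privileges."""
    findings = {}
    for name, attrs in parse_user_attr(text).items():
        notes = []
        if attrs.get("type", ["normal"])[0] == "role":
            notes.append("role account: no direct login")
        if RISKY_PROFILE in attrs.get("profiles", []):
            notes.append("pfexec runs with uid 0 (Primary Administrator)")
        if "root" in attrs.get("roles", []):
            notes.append("may su to root with root's password")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_USER_ATTR).items():
        print(name, "->", "; ".join(notes) or "no elevated access found")
```

The check only sees profiles assigned directly in user_attr; what a profile actually contains still has to be confirmed with profiles -l, as the quoted message says.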
