
Managing User Privileges

In document D72965GC10_ag Solaris11 Adnace LAB (Page 174-182)

Practices for Lesson 8: Configuring Privileges and

Task 2: Managing User Privileges

This task covers the following activities:

• Determining the privilege needed by a user

• Debugging the privileges

• Assigning privileges to a user/role

• Limiting privileges of a user/role

• Determining the privileged commands you can use

Task 2A: Using the File Ownership Privilege

This task covers the following activities:

• Determining the privilege needed by a user

• Debugging the privileges

• Assigning privileges to a user/role

1. Double-click the Sol11-Server1 icon to launch the Sol11-Server1 virtual machine.

2. Log in to the virtual machine Sol11-Server1 as the oracle user. Use the password oracle1.

3. Run the su - command to assume administrator privileges.

oracle@s11-serv1:~$ su -
Password:
root@s11-serv1:~#

4. Create two user accounts and their passwords as indicated. These accounts will be utilized for working with the privileges.

root@s11-serv1:~# useradd -u 2003 -g 10 -d /export/home/jholt -m -c "john holt" -s /bin/bash jholt

80 blocks

root@s11-serv1:~# passwd jholt
New Password: oracle1

Re-enter new Password: oracle1

passwd: password successfully changed for jholt

root@s11-serv1:~# useradd -u 2006 -g 10 -d /export/home/jmoose -m -c "jerry moose" -s /bin/bash jmoose

Oracle Internal & Or

80 blocks

root@s11-serv1:~# passwd jmoose
New Password: oracle1

Re-enter new Password: oracle1

passwd: password successfully changed for jmoose

Note: Create these users only if they are not already there.

5. Use the su - jmoose command to switch to jmoose's account and create a docs directory in his home directory. Use the password oracle1. This directory is the object whose ownership you will try to change in the rest of the task.

root@s11-serv1:~# su - jmoose

Oracle Corporation SunOS 5.11 snv_173 August 2011

jmoose@s11-serv1:~$ pwd
/home/jmoose

Note: Although you created /export/home/jmoose as the home directory, it is

mounted as /home/jmoose. When referring to the home directory, in the context of this practice, you can use /home/jmoose or /export/home/jmoose.

jmoose@s11-serv1:~$ mkdir docs

jmoose@s11-serv1:~$ ls -ld /home/jmoose/docs

drwxr-xr-x 2 jmoose staff 2 Oct 20 03:00 /home/jmoose/docs

jmoose@s11-serv1:~$ exit
logout

root@s11-serv1:~#

Exit to the administrator account.

Since jmoose created the docs directory, he is the owner.

6. Use the su - jholt command to switch to jholt's account. Use the password

oracle1.

root@s11-serv1:~# su - jholt

Oracle Corporation SunOS 5.11 snv_173 August 2011

The reasons for logging in as jholt are:

a) to determine the privileges needed by jholt

b) to grant him the privileges as the administrative user.


7. Check your privileges as the jholt account, then use the ls -ld command to display the owner of the docs directory in jmoose's home directory.

jholt@s11-serv1:~$ id
uid=2003(jholt) gid=10(staff)
jholt@s11-serv1:~$ ppriv $$
1319: -ksh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

Since you are logged in as jholt, the current process shows your privileges, which could be different for different accounts based upon the privileges granted by the system administrator.

Why would you want to use the -v option with this command? Issue the command and

analyze the difference. Refer to Task 1 if you need help.

jholt@s11-serv1:~$ ls -ld /export/home/jmoose/docs
drwxr-xr-x 2 jmoose staff 2 Oct 20 03:00 /export/home/jmoose/docs
jholt@s11-desktop:~$

Before you change the ownership of the docs directory in jmoose’s home directory, you want to make sure jmoose is (of course!) the owner.

8. As the jholt user, use the chown command to change the ownership of the docs directory to jholt.

jholt@s11-serv1:~$ chown jholt /export/home/jmoose/docs
chown: /export/home/jmoose/docs: Not owner

As expected, the command fails. jholt can run the chown program, but changing the owner of a file he does not own requires the file_chown privilege, which his process does not hold, so the kernel rejects the chown() system call and the "Not owner" message is displayed.

9. Use the ppriv command in debug mode to determine what privilege is missing.

jholt@s11-serv1:~$ ppriv -eD chown jholt /export/home/jmoose/docs
chown[2551]: missing privilege "file_chown" (euid = 2003, syscall = 56) needed at zfs_setattr+0xac5

Can you tell which privilege is needed by jholt? The file_chown privilege. The -D option turns on privilege debugging, so every failed privilege check is reported on stderr with the privilege name, the effective UID and the system call number; the -e option tells ppriv to execute the command that follows with that setting.


10. Use the truss command to determine what privilege is missing.

jholt@s11-serv1:~$ truss chown jholt /export/home/jmoose/docs
execve("/usr/bin/chown", 0x08047E58, 0x08047E68)  argc = 3
sysinfo(SI_MACHINE, "i86pc", 257)               = 6
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFB0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFA0000
… … …
lstat64("/export/home/jmoose/docs", 0x08064010)  = 0
chown("/export/home/jmoose/docs", 2003, -1)      Err#1 EPERM [file_chown]
fstat64(2, 0x08046D90)                           = 0
chown: write(2, " c h o w n : ", 7)              = 7
open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT
/export/home/jmoose/docswrite(2, " / e x p o r t / h o m e".., 24) = 24
: write(2, " : ", 2)                             = 2
Not ownerwrite(2, " N o t   o w n e r", 9)        = 9
write(2, "\n", 1)                                = 1
_exit(1)

The truss utility is also used for debugging. It traces the system calls that chown makes, and you can see the chown() call itself fail with Err#1 EPERM, with the missing privilege annotated in brackets after the error. So this utility also reports that the file_chown privilege is missing, although less directly than ppriv -D, and the program's own stderr text is interleaved with the trace.

11. As administrator, using the usermod command, grant jholt the file_chown privilege.

Confirm the entry in the /etc/user_attr file.

root@s11-serv1:~# usermod -K defaultpriv=basic,file_chown jholt
root@s11-serv1:~# grep jholt /etc/user_attr

jholt::::type=normal;defaultpriv=basic,file_chown

Here you have granted jholt the file_chown privilege. Note that although you are only interested in adding file_chown, you must list basic as well: the defaultpriv keyword replaces the user's default privilege set rather than extending it, so defaultpriv=file_chown alone would leave jholt without the basic privileges (proc_fork, proc_exec and the rest), and his login shell could not even start other programs. The /etc/user_attr file is the extended user attributes database that records such per-user and per-role settings. This facility is covered in detail in the next practice.


12. Exit jholt’s account and log back in to jholt’s account. Now issue that chown command. Confirm the ownership of the docs directory.

jholt@s11-serv1:~$ exit
root@s11-serv1:~# su - jholt

Oracle Corporation SunOS 5.11 snv_173 August 2011

You need to exit and log in again to pick up the new privilege.

jholt@s11-serv1:~$ chown jholt /export/home/jmoose/docs

jholt@s11-serv1:~$ ls -ld /export/home/jmoose/docs
drwxr-xr-x 2 jholt staff 2 Oct 20 03:00 /export/home/jmoose/docs

Success! You were able to successfully change the ownership to jholt.

Let’s return the ownership of the docs directory to jmoose. So, you can use this setup again.

jholt@s11-serv1:~$ chown jmoose /export/home/jmoose/docs

jholt@s11-serv1:~$ ls -ld /export/home/jmoose/docs
drwxr-xr-x 2 jmoose staff 2 Oct 20 03:00 /export/home/jmoose/docs
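The debugging and granting steps of this task can be scripted. The following shell example is added here and is not part of the Oracle practice: it parses the kind of ppriv -D and truss lines shown in steps 9 and 10 (the two sample lines are constructed to match that output, not captured from a live system) and prints the usermod command of step 11 with basic always kept and the keyword quoted. The function names missing_privs, defaultpriv_spec and usermod_cmd are the example's own; nothing in it invokes ppriv, truss or usermod, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Oracle practice): turn privilege-debugging output
# into the usermod command that grants what is missing. The two sample lines
# are constructed to match the ppriv -eD and truss output shown in the task;
# nothing here runs ppriv, truss or usermod itself.
SAMPLE_PPRIV='chown[2551]: missing privilege "file_chown" (euid = 2003, syscall = 56) needed at zfs_setattr+0xac5'
SAMPLE_TRUSS='chown("/export/home/jmoose/docs", 2003, -1) Err#1 EPERM [file_chown]'

# missing_privs: read ppriv -D and/or truss output on stdin and print each
# privilege reported missing exactly once (ppriv names it in quotes, truss
# appends it in brackets after EPERM).
missing_privs() {
    sed -n \
        -e 's/.*missing privilege "\([a-z_]*\)".*/\1/p' \
        -e 's/.*Err#[0-9]* *EPERM *\[\([a-z_]*\)].*/\1/p' |
    LC_ALL=C sort -u
}

# defaultpriv_spec CURRENT PRIV...: print a new defaultpriv value that adds the
# given privileges to CURRENT. basic is always kept, because defaultpriv
# replaces the user's default set instead of extending it.
defaultpriv_spec() {
    current=$1
    shift
    [ -n "$current" ] || current=basic
    case ",$current," in
        *,basic,*) ;;
        *) current="basic,$current" ;;
    esac
    for p in "$@"; do
        case ",$current," in
            *,"$p",*) ;;                    # already listed
            *) current="$current,$p" ;;
        esac
    done
    printf '%s\n' "$current"
}

# usermod_cmd SPEC USER: print the usermod command with the keyword in single
# quotes, so a negated privilege such as !proc_info is safe to paste into an
# interactive bash, which would otherwise treat the ! as history expansion.
usermod_cmd() {
    printf "usermod -K 'defaultpriv=%s' %s\n" "$1" "$2"
}

# Usage with the constructed samples, for the user jholt from the practice.
needed=$(printf '%s\n' "$SAMPLE_PPRIV" "$SAMPLE_TRUSS" | missing_privs)
spec=$(defaultpriv_spec basic $needed)
usermod_cmd "$spec" jholt
```

On a real system you would feed it the live output, for example ppriv -eD chown jholt /export/home/jmoose/docs 2>&1 | missing_privs, and run the printed command as root only after checking that the privilege is really the least one that satisfies the task.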

Task 2B: Limiting the Privileges of a User

The following activities are covered in this task:

• Limiting the privileges of a user

• Determining the privileged commands you can use

1. As the jholt account, use the ps -ef command to display the current processes.

jholt@s11-serv1:~$ ps -ef | more
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root     0     0   0 01:07:24 ?           0:04 sched
    root     5     0   0 01:07:22 ?           0:07 zpool-rpool
    root     1     0   0 01:07:25 ?           0:00 /usr/sbin/init
    root     2     0   0 01:07:25 ?           0:00 pageout
    root     3     0   0 01:07:25 ?           0:05 fsflush
    root     6     0   0 01:07:25 ?           0:00 intrd
    root     7     0   0 01:07:25 ?           0:00 vmtasks
    root   427     1   0 01:08:57 ?           0:00 /sbin/dhcpagent
    root    10     1   0 01:07:27 ?           0:05 /lib/svc/bin/svc.startd
    root    12     1   0 01:07:27 ?           0:36 /lib/svc/bin/svc.configd
  daemon    75     1   0 01:07:52 ?           0:00 /lib/crypto/kcfd
  netadm    96     1   0 01:07:57 ?           0:00 /lib/inet/ipmgmtd
    root   114     1   0 01:08:07 ?           0:00 /lib/inet/in.mpathd
   dladm    43     1   0 01:07:43 ?           0:00 /usr/sbin/dlmgmtd
  netcfg    48     1   0 01:07:45 ?           0:00 /lib/inet/netcfgd
… … …

At this time, with the current privileges, are you able to view any processes started by others? Yes.

2. As the administrator, launch a Korn shell and use the usermod command to limit jholt’s privileges.

root@s11-serv1:~# ps
   PID TTY         TIME CMD
  2410 pts/1       0:00 su
  2411 pts/1       0:00 bash
  2604 pts/1       0:00 ps

root@s11-serv1:~# usermod -K defaultpriv=basic,!proc_info jholt
-bash: !proc_info: event not found

As the message says, an interactive bash shell performs history expansion on the exclamation mark and looks for an earlier command event named proc_info; it never runs usermod. You could quote the keyword (usermod -K 'defaultpriv=basic,!proc_info' jholt) or turn history expansion off with set +H. This practice instead switches to ksh, which does not expand ! in this way.

root@s11-serv1:~# ksh
root@s11-serv1:~# ps
   PID TTY         TIME CMD
  2410 pts/1       0:00 su
  2411 pts/1       0:00 bash
  2605 pts/1       0:00 ksh
  2608 pts/1       0:00 ps
root@s11-serv1:~# usermod -K defaultpriv=basic,!proc_info jholt
Found user in files repository.

root@s11-serv1:~# grep jholt /etc/user_attr


jholt::::type=normal;defaultpriv=basic,!proc_info

root@s11-serv1:~# exit

Exit to Bash shell, which is your default shell.

root@s11-serv1:~# ps
   PID TTY         TIME CMD
  2410 pts/1       0:00 su
  2411 pts/1       0:00 bash
  2636 pts/1       0:00 ps

You have taken away the proc_info privilege from jholt, the privilege that allows a process to examine the status of processes other than its own. Can you guess if he can display the processes for other users? No.

3. As the jholt account, use the ps -ef command to display the current processes.

root@s11-serv1:~# su - jholt
Oracle Corporation SunOS 5.11 snv_173 August 2011
jholt@s11-serv1:~$ ps -ef
     UID   PID  PPID   C    STIME TTY         TIME CMD
   jholt  2630  2629   0 04:34:45 pts/2       0:00 -bash
   jholt  2634  2630   0 04:34:49 pts/2       0:00 ps -ef
jholt@s11-desktop:~$

Are you able to view processes for other users? No.

Why? Because the administrator has taken away the proc_info privilege. Did you remember to log back in to jholt’s account? Yes.

Why? To make the new privileges effective.

How would you find out if jholt still has the privilege to execute the chown command?

a) issue the chown command on a file as demonstrated earlier

OR

b) check jholt’s privileges

4. As the administrator, replace the original privileges for the jholt account.

root@s11-serv1:~# usermod -K defaultpriv=basic jholt
Found user in files repository.
root@s11-serv1:~# grep jholt /etc/user_attr
jholt::::type=normal;defaultpriv=basic

Now John Holt should again be able to use all the privileges in the basic privilege set. Note that basic is a privilege set, not a rights profile; rights profiles such as Basic Solaris User are a separate mechanism, covered in the next practice.

Can you determine the privileges included in the basic privilege set? Yes, use the ppriv -l basic command; ppriv -l -v basic also prints a one-line description of each privilege.
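The effect of a defaultpriv keyword with a negated privilege, as set in step 2, can be checked before the user logs in again. The following shell example is added here and is not part of the Oracle practice: it reads the defaultpriv value out of /etc/user_attr lines (two constructed lines that mirror the entries shown above, not a real file), expands basic into its members and applies !name removals, then answers whether a user will be able to see other users' processes. The basic set listed in BASIC_SET and the system default of basic are assumptions; confirm them on your system with ppriv -l basic and PRIV_DEFAULT in /etc/security/policy.conf. The functions user_defaultpriv, expand_privs and has_priv are the example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle practice): evaluate a defaultpriv keyword
# the way the practice expects it to behave, so the effect of a negated
# privilege such as !proc_info can be checked before the user logs in again.
# Only privilege names and the basic set are handled; all/none/zone are not.

# Assumption: the basic privilege set of Oracle Solaris 11. Confirm on the
# target system with `ppriv -l basic`.
BASIC_SET='file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session'
# Assumption: a user_attr entry without defaultpriv gets the system default,
# PRIV_DEFAULT in /etc/security/policy.conf, which is basic unless changed.
DEFAULT_PRIV=basic

# user_defaultpriv LINE: print the defaultpriv value of one /etc/user_attr line
# (fifth colon-separated field, key=value pairs separated by semicolons).
user_defaultpriv() {
    attrs=$(printf '%s\n' "$1" | cut -d: -f5)
    oldifs=$IFS
    IFS=';'
    set -- $attrs
    IFS=$oldifs
    for kv in "$@"; do
        case $kv in
            defaultpriv=*) printf '%s\n' "${kv#defaultpriv=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$DEFAULT_PRIV"
}

# expand_privs SPEC: print the privileges named by a comma-separated spec, one
# per line. Tokens are applied left to right: basic adds the whole basic set,
# a name adds itself and !name removes it again.
expand_privs() {
    oldifs=$IFS
    IFS=','
    set -- $1
    IFS=$oldifs
    members=""
    for tok in "$@"; do
        case $tok in
            basic) members="$members $BASIC_SET" ;;
            '!'*)  members=$(printf '%s\n' $members | grep -vx "${tok#!}" || true) ;;
            *)     members="$members $tok" ;;
        esac
    done
    printf '%s\n' $members | LC_ALL=C sort -u
}

# has_priv SPEC PRIV: succeed if PRIV is in the set described by SPEC.
has_priv() {
    expand_privs "$1" | grep -qx "$2"
}

# Constructed /etc/user_attr lines mirroring the practice (not a real file).
# Single quotes keep the ! literal; in an interactive bash session the same
# keyword must be quoted ('defaultpriv=basic,!proc_info') or history expansion
# disabled with set +H, which is why the practice detours through ksh.
for line in 'jholt::::type=normal;defaultpriv=basic,!proc_info' \
            'jmoose::::type=normal'; do
    user=${line%%:*}
    spec=$(user_defaultpriv "$line")
    if has_priv "$spec" proc_info; then
        echo "$user ($spec): ps -ef shows every user's processes"
    else
        echo "$user ($spec): ps -ef shows only $user's own processes"
    fi
done
```

Because the keyword only applies to new logins, the script's answer is what the user will see after logging in again; ppriv $$ in the user's current shell keeps showing the old set until then, exactly as step 3 of this task relies on.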


5. Now you are curious. You want to know what privileges John Holt has. As John Holt, use the commands profiles, roles and auths to view the privileges.

jholt@s11-serv1:~$ profiles
Basic Solaris User
All
jholt@s11-serv1:~$ roles
No roles
jholt@s11-serv1:~$ auths
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq

If any special profiles, roles, or individual authorizations are assigned to John Holt, they would be displayed here.

These facilities are part of Role-Based Access Control, which will be covered in the next practice.

6. Use the profiles –l command to see more details of the privileges assigned to John Holt.

jholt@s11-serv1:~$ profiles -l
Basic Solaris User
        auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
        profiles=All
        /usr/bin/cdrecord.bin    privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin      privs=file_dac_read,sys_devices,net_privaddr
        /usr/bin/cdda2wav.bin    privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
All
        *

These are the same profiles you displayed in the previous step. However, the privileges

connected to the profiles are also displayed.

