The first concept to understand about a system administrator's function in Trusted Solaris 8 is role-based access control (RBAC). Under RBAC, the traditional administrative functions are divided into three roles according to the principle of least privilege, which states that no one should hold more privilege than their job requires. Most system administrators are familiar with the root account. Anyone with the root password can log in to a system and change passwords, add accounts, read any file, change permissions, and run code in protected system space; for all intents and purposes, root is the "military dictator" of the system. The root account can decide where people can and cannot go and what information is and is not available to them, can take anyone's personal information, and, if a person becomes too much trouble, can "kill" that person's access arbitrarily.
With a full implementation of RBAC, root as a single all-powerful login no longer exists. RBAC is, comparatively, more along the lines of the best aspects of the U.S. government, providing a system of checks and balances that does not allow any one branch to have too much control. The only difference is that RBAC actually works. The root account is subdivided into three roles:
■ Primary administrator This role is roughly analogous to the executive branch of the U.S. government. The account holding the primary administrator role can administer security functions over the system as a whole, but its main responsibility is granting administrative roles to others, especially the system administrator and the security administrator. Like the President of the United States, the primary administrator rarely actually "does anything," but he or she is there in case the need arises for somebody to take charge.
■ System administrator This role can be looked on as the legislative branch of our analogy. The system administrator performs standard tasks such as adding new users and configuring hosts, networks, and printers, and has a limited role in modifying user properties. The system administrator goes about the day-to-day routine of system management, much the way Congress goes about finding ways to spend tax dollars.
■ Security administrator This role is something like the judicial branch of the U.S. government. The security administrator is responsible for implementing the company's security policy. Duties include assigning labels and privileges to system objects, allowing access over the network, and defining, modifying, and implementing roles for users. The security administrator, however, cannot grant roles beyond the scope of his or her own role. Like the Supreme Court, the security administrator interprets and implements policy in a fair and impartial manner, no matter whom it inconveniences.
Assigning these three primary administrative roles to separate individuals ensures that no one person has sole power over the system; each role independently has the ability to audit or restrict the others. For even greater accountability, a role can be assumed only after logging in under a personal account. When roles are created, they are given their own attributes that confer finely tuned abilities; they have their own home directories, groups, and passwords. The only thing carried over from the login account is its identity for auditing purposes (the audit ID stays with the person, even though the role has its own UID), so every action taken in the role is traceable to the person who assumed it.
Aside from these three administrative roles, other roles can be defined for operators and users to govern access to various parts of the system or the network by assigning authorizations. Each authorization has two forms: a descriptive name that appears in the graphical interfaces, such as Change Passwords, and an internal name used in files, such as solaris.admin.usrmgr.pswd. The convention for the internal name is the supplier's Internet domain name in reverse order, followed by the subject area, any subarea, and the function, all delimited by dots. A third-party authorization might therefore look like com.incoming-traveler.device.stargate. The authorizations that control access to commands such as at(1), crontab(1), and allocate(1M) all begin with the word solaris, as in solaris.admin.usrmgr.read, which grants the ability to read user configuration files. These system-level authorizations are defined in /etc/security/auth_attr, which must not be modified.
Rights profiles are templates that group authorizations. The Operator rights profile, for example, contains authorizations grouped into functional units such as printer management and media backup. The rights profiles for the administrative roles can be tailored as well.
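The chain of authorization definition, rights profile, and user or role entry described in the last two paragraphs is easiest to see by resolving it in code. The following is an added example, not code from the page or from Trusted Solaris: it parses constructed text in the colon-separated layouts of the Solaris auth_attr(4), prof_attr(4) and user_attr(4) databases (as I recall those layouts; every entry, user, role and profile name below is made up) and answers "does this user hold this authorization?" The component-wise wildcard matching and the ".grant" delegation rule are my assumptions about how the dotted hierarchy is meant to be used, not a copy of the system's own matcher.

```python
"""Resolve who holds which RBAC authorization from constructed RBAC database text.

Added example, not code from the page or from Trusted Solaris. Layouts follow
the Solaris auth_attr(4), prof_attr(4) and user_attr(4) man pages as recalled;
every entry is constructed. The trailing-'*' wildcard and the '.grant'
delegation rule are assumptions about the dotted hierarchy, not the real matcher.
"""

# Constructed auth_attr: name:res1:res2:short_desc:long_desc:attr
AUTH_ATTR = """\
solaris.admin.usrmgr.read:::Read User Information::
solaris.admin.usrmgr.pswd:::Change Passwords::
solaris.admin.usrmgr.write:::Manage Users::
solaris.admin.usrmgr.grant:::Delegate User Management Authorizations::
solaris.device.allocate:::Allocate Device::
solaris.jobs.user:::Manage Own Jobs::
com.incoming-traveler.device.stargate:::Open Stargate::
"""

# Constructed prof_attr: profname:res1:res2:desc:attr ('key=value' pairs separated by ';')
PROF_ATTR = """\
Operator:::Printer and media operator:auths=solaris.device.allocate,solaris.jobs.user
User Management:::Manage user accounts:auths=solaris.admin.usrmgr.read,solaris.admin.usrmgr.pswd
"""

# Constructed user_attr: user:qualifier:res1:res2:attr
USER_ATTR = """\
secadmin::::type=role;auths=solaris.admin.usrmgr.*
alice::::type=normal;profiles=User Management;roles=secadmin
bob::::type=normal;profiles=Operator
"""


def parse_attr(field):
    """Turn 'k1=v1;k2=v2,v3' into {'k1': ['v1'], 'k2': ['v2', 'v3']}."""
    out = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        out[key] = [v for v in value.split(",") if v]
    return out


def parse_db(text, attr_index):
    """Map the first column of each entry to its parsed attr column."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(":")
        db[cols[0]] = parse_attr(cols[attr_index])
    return db


DEFINED_AUTHS = set(parse_db(AUTH_ATTR, 5))   # only the names matter here
PROFILES = parse_db(PROF_ATTR, 4)
USERS = parse_db(USER_ATTR, 4)


def auth_matches(pattern, auth):
    """Component-wise match; a trailing '*' covers everything below that prefix."""
    pat, got = pattern.split("."), auth.split(".")
    if pat[-1] == "*":
        prefix = pat[:-1]
        return len(got) > len(prefix) and got[: len(prefix)] == prefix
    return pat == got


def granted_patterns(user):
    """Direct auths plus those inherited through the user's rights profiles.

    Roles listed under 'roles=' are deliberately NOT expanded: a role's rights
    belong to the person only after the role has been assumed.
    """
    entry = USERS.get(user, {})
    patterns = list(entry.get("auths", []))
    for prof in entry.get("profiles", []):
        patterns.extend(PROFILES.get(prof, {}).get("auths", []))
    return patterns


def has_auth(user, auth):
    """True only for an authorization that exists in auth_attr and is granted."""
    if auth not in DEFINED_AUTHS:
        return False  # a typo or an undefined name never grants anything
    return any(auth_matches(p, auth) for p in granted_patterns(user))


def can_delegate(user, auth):
    """Assumed rule: delegating an authorization needs it plus the sibling '.grant' auth."""
    grant = auth.rsplit(".", 1)[0] + ".grant"
    return has_auth(user, auth) and has_auth(user, grant)


if __name__ == "__main__":
    for user, auth in [("alice", "solaris.admin.usrmgr.pswd"),
                       ("alice", "solaris.admin.usrmgr.write"),
                       ("secadmin", "solaris.admin.usrmgr.write"),
                       ("secadmin", "solaris.device.allocate"),
                       ("bob", "solaris.device.allocate")]:
        print(f"{user:9} {auth:32} {has_auth(user, auth)}")
    print("secadmin may delegate usrmgr.write:",
          can_delegate("secadmin", "solaris.admin.usrmgr.write"))
```

Two points worth noticing when running it: alice gets solaris.admin.usrmgr.pswd only because the User Management profile carries it, and she does not get solaris.admin.usrmgr.write even though she may assume the secadmin role, because role rights are not hers until she assumes the role. The wildcard check is done per dotted component, so solaris.admin.usrmgr.* cannot be stretched to cover solaris.admin.usrmgrx.anything.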
Privileges can be assigned to applications to allow functionality that would normally be prohibited, and they can be tailored either to honor or to bypass the roles and authorizations of the user process running them. Virtually every restriction, such as file system and process security, can be overridden on a per-application basis with privileges. On the surface this might seem a security hole, but mechanisms are in place to protect the feature. Take great care when using privileges in application development; as every experienced system administrator knows, poor programming can wreak havoc. Beyond the quality of the program's own design, the system protects itself by automatically revoking the privileges of any executable that is modified, so a tampered or patched binary does not carry its privileges forward.