RBAC for User sadmin

The RBAC settings listed here are needed to:
– use the zonerun script, i.e. to perform the zlogin it contains
– run ldm ls on the control domains

RBAC for zonerun & zlogin on the logical domains:

Note: the exec_attr entry below runs /usr/sbin/zlogin with uid=0, so sadmin gets a root shell inside every zone it can zlogin to. Such an entry is only honoured when the command is started via pfexec (or from a profile shell), not from sadmin's plain bash shell, so zonerun has to call `pfexec zlogin`. Together with roles=root this is a convenience setup rather than a real privilege reduction.

/etc/user_attr
sadmin::::type=normal;auths=solaris.zone.login;profiles=Zone Management sadmin;roles=root

/etc/security/prof_attr
Zone Management sadmin:::Required for zlogin with user sadmin:

/etc/security/exec_attr
Zone Management sadmin:solaris:cmd:::/usr/sbin/zlogin:uid=0

/etc/security/auth_attr
solaris.zone.login:::Grant zlogin::

Or, the above as a script:

#!/bin/sh
#
# Creates the RBAC entries listed above for user sadmin. Run as root.
# Each step is idempotent: an entry is only appended if it is not yet present.
#
#set -x

# printState STATUS: print OK/FAILED for the exit status passed as $1
printState() {
        if [ "$1" -eq 0 ]; then
                echo "OK"
        else
                echo "FAILED"
        fi
}

SBIN=/usr/sbin

#
# prof_attr
#
if [ `grep -c "Zone Management sadmin:::Required for zlogin with user sadmin:" /etc/security/prof_attr` -eq 0 ]; then
        echo "editing prof_attr...\c"
        echo "Zone Management sadmin:::Required for zlogin with user sadmin:" >>/etc/security/prof_attr
        printState $?
fi


#
# auth_attr
#
if [ `grep -c "solaris.zone.login:::Grant zlogin::" /etc/security/auth_attr` -eq 0 ]; then
        echo "editing auth_attr...\c"
        echo "solaris.zone.login:::Grant zlogin::" >>/etc/security/auth_attr
        printState $?
fi


#
# exec_attr (uid=0: "pfexec zlogin" runs as root)
#
if [ `grep -c "Zone Management sadmin:solaris:cmd:::/usr/sbin/zlogin:uid=0" /etc/security/exec_attr` -eq 0 ]; then
        echo "editing exec_attr...\c"
        echo "Zone Management sadmin:solaris:cmd:::/usr/sbin/zlogin:uid=0" >>/etc/security/exec_attr
        printState $?
fi


#
# user_attr: -A/-P/-R replace the user's auths/profiles/roles with the
# values given and produce the user_attr line shown above
# (-R root requires root to be configured as a role on this system).
#
if [ `grep -c "^sadmin:" /etc/passwd` -eq 1 ]; then
        echo "adding authorization, profile & role...\c"
        $SBIN/usermod -A solaris.zone.login -P "Zone Management sadmin" -R root sadmin
        printState $?
else
        # uid 1234 and gid 10 (staff) are site-specific; adjust as needed
        echo "creating user...\c"
        $SBIN/useradd -u 1234 -g 10 -s /usr/bin/bash -d /export/home/sadmin -m -c "Solaris Admin User" sadmin
        printState $?

        # interactive: set the initial password
        passwd sadmin

        echo "adding authorization, profile & role...\c"
        $SBIN/usermod -A solaris.zone.login -P "Zone Management sadmin" -R root sadmin
        printState $?
fi

RBAC for ldm ls on the control domains:

The solaris.ldoms.read authorization is delivered by the LDoms Manager package and checked by ldm itself, so, unlike zlogin, read-only commands such as ldm ls need no prof_attr/exec_attr entry; the authorization in user_attr is sufficient.

/etc/user_attr
sadmin::::type=normal;auths=solaris.ldoms.read;roles=root
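
To see what the user_attr, prof_attr, exec_attr and auth_attr entries from both sections above actually grant, here is an added example (not part of the original post) of a small offline RBAC resolver: it parses constructed copies of the four databases in a temporary directory and answers the questions a reviewer would ask, namely which profiles and roles sadmin has, whether an authorization is granted (including `solaris.*` wildcards) and defined in auth_attr, and as which uid `pfexec <command>` would run for the user. The sample "root" line, the combined sadmin line (both auths from the post on one line) and all function names are assumptions for illustration; the parsing follows the documented colon-separated field layout of the files.

```shell
#!/bin/sh
# Added example: offline resolver for Solaris RBAC databases (user_attr,
# prof_attr, exec_attr, auth_attr). Works on constructed copies in $RBAC_DIR,
# so it runs with any POSIX sh + awk; nothing here touches /etc/security.

RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT

# write_sample_db: constructed copies of the four files. The sadmin line merges
# the zone and LDoms entries from the post; the root/All lines are assumptions.
write_sample_db() {
    cat >"$RBAC_DIR/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
sadmin::::type=normal;auths=solaris.zone.login,solaris.ldoms.read;profiles=Zone Management sadmin;roles=root
EOF
    cat >"$RBAC_DIR/prof_attr" <<'EOF'
Zone Management sadmin:::Required for zlogin with user sadmin:
All:::Execute any command as the user or role:
EOF
    cat >"$RBAC_DIR/exec_attr" <<'EOF'
Zone Management sadmin:solaris:cmd:::/usr/sbin/zlogin:uid=0
All:solaris:cmd:::*:
EOF
    cat >"$RBAC_DIR/auth_attr" <<'EOF'
solaris.zone.login:::Grant zlogin::
solaris.ldoms.read:::View LDoms configuration (constructed description)::
EOF
}

# rbac_attr USER KEY: value of KEY (auths, profiles, roles, type) from the
# user's user_attr line; field 5 is a ';'-separated list of key=value pairs.
rbac_attr() {
    awk -F: -v u="$1" -v k="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); if (p[1] == k) print p[2] }
        }' "$RBAC_DIR/user_attr"
}

# rbac_auth_defined AUTH: exit 0 if AUTH has an auth_attr entry at all
# (an auths= value that names an undefined authorization grants nothing useful).
rbac_auth_defined() {
    awk -F: -v a="$1" '$1 == a { found = 1 } END { exit (found ? 0 : 1) }' "$RBAC_DIR/auth_attr"
}

# rbac_has_auth USER AUTH: exit 0 if the user's auths= grants AUTH, either
# exactly or through a trailing-"*" wildcard such as solaris.*
rbac_has_auth() {
    rbac_attr "$1" auths | tr ',' '\n' | awk -v want="$2" '
        { if ($0 == want) ok = 1
          else if (sub(/\*$/, "", $0) && index(want, $0) == 1) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# rbac_exec_entries USER: "<command> <uid>" for every exec_attr cmd entry
# reachable through the user's profiles; "(caller)" when no uid/euid is set.
# exec_attr fields: name:policy:type:res1:res2:id:attr
rbac_exec_entries() {
    rbac_attr "$1" profiles | tr ',' '\n' | while IFS= read -r prof; do
        awk -F: -v p="$prof" '
            $1 == p && $3 == "cmd" {
                uid = "(caller)"
                n = split($7, kv, ";")
                for (i = 1; i <= n; i++)
                    if (kv[i] ~ /^(e)?uid=/) { split(kv[i], q, "="); uid = q[2] }
                print $6, uid
            }' "$RBAC_DIR/exec_attr"
    done
}

# rbac_cmd_uid USER CMD: uid that "pfexec CMD" would use for USER; an exact
# command match wins over a "*" entry; prints nothing if no profile covers CMD.
rbac_cmd_uid() {
    rbac_exec_entries "$1" | awk -v c="$2" '
        $1 == c { print $2; found = 1; exit }
        $1 == "*" && !wild { wild = $2 }
        END { if (!found && wild) print wild }'
}

write_sample_db
for u in sadmin root; do
    echo "$u: profiles=[$(rbac_attr $u profiles)] roles=[$(rbac_attr $u roles)]"
    for a in solaris.zone.login solaris.ldoms.read solaris.zone.manage; do
        rbac_has_auth $u $a && echo "  auth $a: granted" || echo "  auth $a: not granted"
    done
    echo "  pfexec /usr/sbin/zlogin runs as uid: [$(rbac_cmd_uid $u /usr/sbin/zlogin)]"
done
```

Run it as-is to see that sadmin reaches uid 0 only for /usr/sbin/zlogin while root's "All" profile covers every command as the caller; point `RBAC_DIR` at copies of a real system's files (after removing the `write_sample_db` call) to audit what a given user_attr line really grants.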
