Manualshelf

User's Manual

ManualsBrandsSolaris ManualsSoftwareCX-310-301
51525354555657585960
Solaris 9 Security CX-310-301 56
Logging in to a Role
To access the functionality of a role, you must first be logged in as a normal user. The user then uses su to
assume the role identity. For example, user temptest assumes the newgroup role, running the id command
before and after:
$ id
uid=8888(temptest) gid=10(staff)
$ su newgroup
Passw
$ id
ord:
uid=50002(newgroup) gid=1(other)
Test the role by checking you can run the required commands as well as normal user commands.
Listing Roles for a User
To list the roles that user temptest has been assigned:
# roles temptest
newgroup
Listing Profiles for a Role
To see the profiles that are associated with the newgroup role:
# profiles newgroup
Group Creation
Basic Solaris User
All
By default, the profiles “Basic Solaris User” and “All” are associated with a role. This allows a user to
execute “normal” commands, such as ls with the normal user privileges.
Permissions
Whilst it might sound like common sense to most system administrators, file system permissions are
frequently overlooked and can, potentially, leave gaping holes for an attacker to exploit. This section looks
at the difference between files and directories, in terms of permissions, as well as the risks of having
insecure permissions and using the set-uid and set-gid bits.
Directories and Files
The three categories of permission – read, write and execute, have different meanings for files and
directories. These are explained below: