UsersAndRolesDemo

Users and Roles (5 Minutes)

Description

Quick demo of how the userid created at install time has the necessary privileges to perform all administration on the system, but is required to use pfexec in order to do some of that administration.

OpenSolaris Versions Supported

2008.05 or newer.

Points to Hit

  • RBAC rocks!
  • This works out of the box
  • You can set up additional users any ol' way you want - lots of flexibility

Demo Prep

None.

Gotchas

  • With the alternative demo, be careful since you're messing with your root privileges. You may want to do this in the virtual OpenSolaris machine.

Demo

  • Start the GUI tool: System > Administration > Users and Groups
  • Select the user that was created at install time and then click the Properties button
  • Click the "User privileges" tab and scroll down to show that the "Primary Administrator" entry is checked (note, due to bug 5626 - Users and Groups UI Inconsistent with /etc/user_attr, the Primary Administrator profile doesn't show up as selected in the UI, even though it's properly set in the /etc/user_attr file, so you may want to skip this step for now).

  • Explain that this is a "rights profile" - a "rights profile" grants a user access to specific commands.
  • Enough of the GUI, close it down so we can see how things really work.
  • vi (or gedit) /etc/security/exec_attr
  • This file is set up automatically at install time to have a set of default "rights profiles" (for details on exec_attr, see: http://docs.sun.com/app/docs/doc/819-2251/exec-attr-4?l=en&a=view&q=exec_attr). Scroll down to the entry for "Primary Administrator" and point out two things: the command is * and the uid is 0. The * means all commands and the uid of 0 means super user. This is where the power of this particular "rights profile" comes from - it lets any user who is assigned this profile run any command as the super user. Yowza!
  • Close the exec_attr file
  • vi (or gedit) /etc/user_attr
  • Scroll down to the entry for your user and show that it has "profiles=Primary Administrator" (for details on user_attr, see: http://docs.sun.com/app/docs/doc/819-2251/user-attr-4?l=en&a=view&q=user_attr)
  • Go back to the command line
  • id
  • The output will display your uid
  • pfexec id
  • The output will display a uid of 0, which is the super user (or "root"). When you prepend the command "pfexec", OpenSolaris runs the command that follows it with the first rights profile that it finds for the user in the /etc/user_attr file. In this case, the only rights profile is "Primary Administrator" and that rights profile runs everything as the super user. How nice. So in many ways, pfexec is very similar to sudo in Linux or the "run as administrator" feature in Windows.
  • (Optional) So this command: pfexec vi /etc/power.conf will work fine - you can edit the file and save your changes, even though the file is owned by root (uid=0). OTOH, this won't work so well: vi /etc/power.conf - you will not have write access to the file, so you won't be able to save your changes.
  • Go back to the /etc/user_attr file and point out the entry for root. It is set up automatically as a role, not a userid (although you can change that if you want).
  • Go back to the command line
  • su will prompt you for the root password. Use id to again show that you are now running as the super user.

Alternative Demo

pfexec
  • Explain that it's our rights profile that gives us authority to perform privileged commands on the system. For example, the right to modify user privileges should require special permission.
  • Run cat /etc/user_attr and show that your userid has the Primary Administrator profile. Let's try to remove that profile:
  • Try usermod -P "" bleonard, substituting your user name for mine. It should fail with a permission denied error.
  • Run the command again using pfexec: pfexec usermod -P "" bleonard. You'll get a warning about the user being logged in, but otherwise, it should work.
  • Run cat /etc/user_attr to show that your userid no longer has the Primary Administrator profile. Now try to add it back.
  • pfexec usermod -P "Primary Administrator" bleonard. Hmm, that fails too: with no rights profile left, pfexec has nothing to elevate with. You've put yourself in quite a pickle now, haven't you?

root role

Work through the slides covering the root role and then return to this demo. Our user no longer has the Primary Administrator profile, but thankfully he/she still has the root role.

  • Run cat /etc/user_attr to show that your userid has the root role. You'll need to know the root password that was assigned during installation.
  • su root
  • usermod -P "Primary Administrator" bleonard.
  • cat /etc/user_attr. Phew, that was close.

Let's play with a bit more fire. While still logged in as root:

  • usermod -R "" bleonard
  • cat /etc/user_attr
  • exit. Say goodbye to root.
  • su. After entering the password you'll see the message "Roles can only be assumed by authorized users." Oops.

Question for the audience. How do I get the root role back? Yes, using pfexec. If I hadn't restored the Primary Administrator profile before removing the root role, I'd be screwed.

  • pfexec usermod -R "root" bleonard
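
As an added example (not part of the original demo page), here is a small POSIX shell script that parses the user_attr(4) and exec_attr(4) formats the demo inspects by hand (the profiles= and roles= keys, and the "*" command with uid=0 behind Primary Administrator), and adds a pre-flight check for the usermod -P / -R steps above so you can tell before running them whether the user would still have a path to root via pfexec or su. The two sample file contents and the users alice and bob are constructed; bleonard is the user from this page. On a real system, set USER_ATTR_TEXT and EXEC_ATTR_TEXT from /etc/user_attr and /etc/security/exec_attr instead of the samples.

```shell
#!/bin/sh
# Added example: parse user_attr(4) / exec_attr(4) text and check, before an
# `usermod -P ""` or `usermod -R ""`, whether a user keeps a way to reach uid 0.
# The samples below are constructed. On a real box, replace them with:
#   USER_ATTR_TEXT=$(cat /etc/user_attr)
#   EXEC_ATTR_TEXT=$(cat /etc/security/exec_attr)

USER_ATTR_TEXT=$(cat <<'EOF'
# user:qualifier:res1:res2:attr            (constructed sample)
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
bleonard::::profiles=Primary Administrator;roles=root
alice::::profiles=Basic Solaris User;roles=root
bob::::profiles=Basic Solaris User
EOF
)

EXEC_ATTR_TEXT=$(cat <<'EOF'
# profile:policy:type:res1:res2:id:attr    (constructed sample)
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Basic Solaris User:suser:cmd:::/usr/bin/cdrecord:euid=0
EOF
)

# attr_value USER KEY -> value of KEY in USER's attr field (empty if absent)
attr_value() {
    printf '%s\n' "$USER_ATTR_TEXT" | awk -F: -v u="$1" -v k="$2" '
        $0 !~ /^#/ && $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == k) { print substr(kv[i], eq + 1); exit }
            }
        }'
}

# has_item LIST ITEM -> 0 if the comma-separated LIST contains ITEM exactly
has_item() {
    printf '%s\n' "$1" | awk -F, -v want="$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# users_with_profile PROFILE -> users (type=role entries excluded) granted PROFILE
users_with_profile() {
    printf '%s\n' "$USER_ATTR_TEXT" | awk -F: -v want="$1" '
        $0 !~ /^#/ && $1 != "" && $5 !~ /(^|;)type=role(;|$)/ {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] ~ /^profiles=/) {
                sub(/^profiles=/, "", kv[i])
                m = split(kv[i], pr, ",")
                for (j = 1; j <= m; j++) if (pr[j] == want) print $1
            }
        }'
}

# profile_runs_all_as_root PROFILE -> 0 if exec_attr gives PROFILE the command "*" with uid/euid 0
profile_runs_all_as_root() {
    printf '%s\n' "$EXEC_ATTR_TEXT" | awk -F: -v want="$1" '
        $0 !~ /^#/ && $1 == want && $6 == "*" && $7 ~ /(^|;)e?uid=0(;|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# can_reach_root USER -> 0 if USER can still get to uid 0, either through pfexec
# (Primary Administrator profile) or through su (root role)
can_reach_root() {
    has_item "$(attr_value "$1" profiles)" "Primary Administrator" && return 0
    has_item "$(attr_value "$1" roles)" root
}

# preflight USER FLAG -> 0 only if `usermod FLAG "" USER` would leave the other
# path to root in place; FLAG is -P (clear profiles) or -R (clear roles), as in the demo
preflight() {
    case $2 in
        -P) has_item "$(attr_value "$1" roles)" root ;;
        -R) has_item "$(attr_value "$1" profiles)" "Primary Administrator" ;;
        *)  return 1 ;;
    esac
}

# Usage: preflight bleonard -P && pfexec usermod -P "" bleonard
```

Running preflight bleonard -R before the `usermod -R "" bleonard` step in the demo passes only because the Primary Administrator profile was restored first; run it against the state after the earlier `usermod -P ""` and it refuses, which is exactly the pickle the demo walks into on purpose.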

One other cool note: show how pfexec and su can be combined to switch to the root role without having to enter a password:

  • pfexec su

Demo Cleanup

None.

Copyright 1994-2009 Sun Microsystems, Inc.