I'm a member of
Quicksearch
Codenews Search
Disclaimer
The individual owning this blog works for Oracle in Germany. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.
Navigation
Categories
About this blog- Apple
- iPhone
- Aviation
- Bahn
- Begriffe des Lebens
- Blogosphere
- Braindump
- Business Travel
- CANBOX
- CeBIT
- CEC
- Computing
- del.icio.us
- Fundsache
- General
- HHOSUG
- i hate sundays
- Kochen
- Mindfuck
- Movies
- Music
- On Benchmarketing
- Persoenliches Pech
- Photographie
- policy of ...
- Privacy
- Recommended Blogs
- Security
- Solaris
- Strange Days
- Sun/Oracle
- suncec2007
- suncec2008
- Technology
- The IT Business
- Toolbox
- Travel
- Work
< Less known Solaris features: BART | Less known Solaris features: RBAC and Privileges - Part 2: Role based access control >
Less known Solaris features: RBAC and Privileges - Part 1: Introduction
Monday, February 4. 2008
The Story of root
And then there was root. And root was allmighty. And that wasnīt a good thing. root was able to control the world without any control. And root needed control. It was only a short chant between the mere mortals and root. Everybody with the knowledge of the magic chant was able to speak through root.
And then there was root. And root was allmighty. And that wasnīt a good thing. root was able to control the world without any control. And root needed control. It was only a short chant between the mere mortals and root. Everybody with the knowledge of the magic chant was able to speak through root.
But root wasnīt alone. root had servants called daemons. Some of one them needed divine powers to do their daily job. But root was an undividable being. So the servants had to work with the powers of root. But the servants wasnīt as perfect as root: Some of the servants started to do everything mere mortals said to them if they only said more than a certain amount of prayers at once.
One day, the world of root experienced a large disaster, the negation of beeing. Top became bottom, left became right, the monster of erem-ef anhilitated much of the world. But it got even stranger. root destroyed itīs own world, and by the power of root the destruction was complete.
Then there was a FLASH. The world restarted, root got a second attempt to reign his world. But this time, it would be different world.
Superuser
The old model of rights in a unix systems is based on a duality. There is the superuser and the normal user. The normal users have a restriced set of rights in the system, the superuser has an unrestricted set of rights. To modify the system, a normal user has to login as root directly or assume the rights of root (by su -). But such a user has unrestricted access to system. Often this isnīt desirable. Why should you enable an operator to modify a system, when all he or she has do to on the system is creating some users from time to time. Youīve trained him to do useradd or passwd, but itīs a Windows admin who doesnīt know anything about beeing an Unix admin. What do you do when he gets to curious. He needs root privileges to create a user or change a password. You need some mechanisms to limit this operator.
But itīs get more problematic. Programs have to modify the system to work. A webserver is a nice example. It uses port 80. Ports beneath port number 1024 have a special meaning. They are privileged ports. You need special rights to modify the structures of the system to listen to the port 80. A normal user doesnīt have this rights. So the webserver has to be started as root. The children of this process drop the rights of root by running with a normal user. But there is this single instance of the program with all the rights of the user. This process has much rights than needed, a possible attack vector for malicous users.
This led to the development to differet models of handling the rights of users in the system: Privileges and Role Based Access Control.
Least privileges
There is a concept in security. Itīs called least privileges. You give someone only least amount of privileges, only enough to do itīs tasks. An example of the real world. You wonīt give the janitor the master key for all the rooms on the campus, when all he has to do is working in Building C. The other way round: There are some trusted people who have access to all rooms in case of emergency.
You have the same concept in computer security. Everyone should have only the least amount of privileges in the system to do itīs job. The concept of the superuser doesnīt match to this. Itīs an all or nothing. You are an ordinary user with basic privileges or you are an user with unrestricted rights. There is nothing in between. There is no least privileges in this concept.
Role Based Access Control
The example with the key for the janitors is a good example. Letīs imagine a large campus. You have janitors responsible for the plumbing (letīs call them Lenny and Carl), for the park (letīs call him Homer), for the security system (letīs call Marge, Lenny helps from time to time).
These roles have different sets of privileges: For example the plumbing janitor has access to all rooms of the heating system. The janitor for the park has only access to the garage with the lawnmover and the cafeteria and the janitor for the security system.
When they start to work in their job, they assume a role. From the privilege perspective itīs not important who is the person, but what role the person has assumed. Lenny punches the clock and assumes the role of the plumbing janitor for the next 8 hours. And while he is doing itīs job he uses the privileges inherent to the role. But he has to do tasks in his office or in his workshop. Itīs his own room, so he doesnīt need the privileges. He doesnīt need the special privileges.
Role Based Access Control is quite similar. You login to the system, and then you start work. You read your emails (no special privileges needed), you find an email "Create user xy45345. Your Boss". Okay, now you need special privileges. You assume the role of an User Administrator create the user. Job done, you donīt need the privileges anymore. You leave the role and write the "Job done" mail to your boss with your normal users.
Role Based Access Control is all about this: Defining roles, giving them privileges and assigning users to this roles.
Privileges
Iīve used the word quite often in the article so far. What is a privilege. A privilege is the right to do something. For example, having the keys for the control panel of the heating system.
Unix users are nothing different. Every user has privileges in a unix system. A normal user has the privilege to open, close, read write and delete files when he his allowed to do this (Because he created it, because he belongs to the same group as the create of the file or the creator gave everybody the right to do it). This looks normal to you, but itīs privilege based on the login credentials you gave to system. You donīt have the privilege to read all files on the system or to use a port number 1024.
Every thing done in the system is based on this privileges. Solaris seperated the tasks into many privilege sets. At the moment, there are 70 different privileges in the system. The difference between the normal user is that the users has only a basic set, the root has all.
But it hasnīt to be this way. Privileges and users arenīt connected with each other. You can give any user the power of the root user, and restrict the privileges of the root user. Itīs just our binary compatibility guarantee that mandates that the standard configuration of the system resembles the superuser model. There are application out there, which assume that only the root user or the uid 0 as unrestricted rights and exit when they are started with a different user.
RBAC and Privileges in Solaris
Both features have their root in the Trusted Solaris development. Trusted Solaris was a version of Solaris to ensure highest security standards. Today, these mechanisms are part of the normal Solaris in conjunction with the Trusted Extentions. So RBAC is a really old feature: Itīs in Solaris since version 8 (published in 2000). Privileges found their way into the generic Solaris with the first availability of Solaris 10 in February 2005.
One day, the world of root experienced a large disaster, the negation of beeing. Top became bottom, left became right, the monster of erem-ef anhilitated much of the world. But it got even stranger. root destroyed itīs own world, and by the power of root the destruction was complete.
Then there was a FLASH. The world restarted, root got a second attempt to reign his world. But this time, it would be different world.
Superuser
The old model of rights in a unix systems is based on a duality. There is the superuser and the normal user. The normal users have a restriced set of rights in the system, the superuser has an unrestricted set of rights. To modify the system, a normal user has to login as root directly or assume the rights of root (by su -). But such a user has unrestricted access to system. Often this isnīt desirable. Why should you enable an operator to modify a system, when all he or she has do to on the system is creating some users from time to time. Youīve trained him to do useradd or passwd, but itīs a Windows admin who doesnīt know anything about beeing an Unix admin. What do you do when he gets to curious. He needs root privileges to create a user or change a password. You need some mechanisms to limit this operator.
But itīs get more problematic. Programs have to modify the system to work. A webserver is a nice example. It uses port 80. Ports beneath port number 1024 have a special meaning. They are privileged ports. You need special rights to modify the structures of the system to listen to the port 80. A normal user doesnīt have this rights. So the webserver has to be started as root. The children of this process drop the rights of root by running with a normal user. But there is this single instance of the program with all the rights of the user. This process has much rights than needed, a possible attack vector for malicous users.
This led to the development to differet models of handling the rights of users in the system: Privileges and Role Based Access Control.
Least privileges
There is a concept in security. Itīs called least privileges. You give someone only least amount of privileges, only enough to do itīs tasks. An example of the real world. You wonīt give the janitor the master key for all the rooms on the campus, when all he has to do is working in Building C. The other way round: There are some trusted people who have access to all rooms in case of emergency.
You have the same concept in computer security. Everyone should have only the least amount of privileges in the system to do itīs job. The concept of the superuser doesnīt match to this. Itīs an all or nothing. You are an ordinary user with basic privileges or you are an user with unrestricted rights. There is nothing in between. There is no least privileges in this concept.
Role Based Access Control
The example with the key for the janitors is a good example. Letīs imagine a large campus. You have janitors responsible for the plumbing (letīs call them Lenny and Carl), for the park (letīs call him Homer), for the security system (letīs call Marge, Lenny helps from time to time).
These roles have different sets of privileges: For example the plumbing janitor has access to all rooms of the heating system. The janitor for the park has only access to the garage with the lawnmover and the cafeteria and the janitor for the security system.
When they start to work in their job, they assume a role. From the privilege perspective itīs not important who is the person, but what role the person has assumed. Lenny punches the clock and assumes the role of the plumbing janitor for the next 8 hours. And while he is doing itīs job he uses the privileges inherent to the role. But he has to do tasks in his office or in his workshop. Itīs his own room, so he doesnīt need the privileges. He doesnīt need the special privileges.
Role Based Access Control is quite similar. You login to the system, and then you start work. You read your emails (no special privileges needed), you find an email "Create user xy45345. Your Boss". Okay, now you need special privileges. You assume the role of an User Administrator create the user. Job done, you donīt need the privileges anymore. You leave the role and write the "Job done" mail to your boss with your normal users.
Role Based Access Control is all about this: Defining roles, giving them privileges and assigning users to this roles.
Privileges
Iīve used the word quite often in the article so far. What is a privilege. A privilege is the right to do something. For example, having the keys for the control panel of the heating system.
Unix users are nothing different. Every user has privileges in a unix system. A normal user has the privilege to open, close, read write and delete files when he his allowed to do this (Because he created it, because he belongs to the same group as the create of the file or the creator gave everybody the right to do it). This looks normal to you, but itīs privilege based on the login credentials you gave to system. You donīt have the privilege to read all files on the system or to use a port number 1024.
Every thing done in the system is based on this privileges. Solaris seperated the tasks into many privilege sets. At the moment, there are 70 different privileges in the system. The difference between the normal user is that the users has only a basic set, the root has all.
But it hasnīt to be this way. Privileges and users arenīt connected with each other. You can give any user the power of the root user, and restrict the privileges of the root user. Itīs just our binary compatibility guarantee that mandates that the standard configuration of the system resembles the superuser model. There are application out there, which assume that only the root user or the uid 0 as unrestricted rights and exit when they are started with a different user.
RBAC and Privileges in Solaris
Both features have their root in the Trusted Solaris development. Trusted Solaris was a version of Solaris to ensure highest security standards. Today, these mechanisms are part of the normal Solaris in conjunction with the Trusted Extentions. So RBAC is a really old feature: Itīs in Solaris since version 8 (published in 2000). Privileges found their way into the generic Solaris with the first availability of Solaris 10 in February 2005.
Posted by Joerg Moellenkamp
in English, Solaris
at
09:55
| Comments (2)
| Trackbacks (2)
View as PDF: This entry | This month | Full blog
View as PDF: This entry | This month | Full blog
Comments
Display comments as
(Linear | Threaded)
Trying to revoke any OS binary which uses TCP.
It was simply done in Solaris 8 with nonet group and setfacl on /dev/tcp.
Since that does not work in Solaris 10, trying to use RBAC, but my setup does not work.
It was simply done in Solaris 8 with nonet group and setfacl on /dev/tcp.
Since that does not work in Solaris 10, trying to use RBAC, but my setup does not work.
Links in this article
The LKSF book
The book with the consolidated Less known Solaris Tutorials is available for download here
Web 2.0
Contact
Networking
xing.com
LinkedIn
Facebook
My photos
- mail: joerg@c0t0d0s0.org
- icq: 144000169
- Me, myself and I
- openBC
- My del.icio.us
- c0t0d0s0@twitter
- c0t0d0s0@last.fm
- wiki@c0t0d0s0
- Amazon Wishlist
Networking
xing.com
My photos
Syndication
Tagged articles
AMD Apple avs Bahn Blogging Blogosphere braindump Business Travel CeBIT cec cec2006 CMT del.icio.us deutsch dtrace fliegen Fundsache General Hamburg IBM i hate sundays Intel iscsi jumpstart Links Linux lksf Mindfuck Movies Music Musik Niagara Opensolaris Opteron Photographie policy of ... Politik Security Solaris storage Sun suncec2007 sunw t1 The IT Business Ultrasparc ultrasparc t1 Wirtschaft Work ZFS
Comments
Thu, 09.09.2010 13:04
Okay, I must have overseen tha
t 
Thank you for this link.
I'll test it again without the
underscore.
Thank you for this link.
I'll test it again without the
underscore.Thu, 09.09.2010 12:59
1. Gerne:
zb. für ne SAN Migr
ation. Ich weiss das Sun das G
efühl hat, dass man sowas nich
t braucht.
Das ist ähn [...]
Thu, 09.09.2010 12:00
Believe it or not ... there ar
e company obeying the licenses
. So that's a very practical c
hange ....
Thu, 09.09.2010 11:54
So practically, there is zero
difference:
90 day evaluati
on period which wouldn't expir
e anyway, vs. a "perpetu [...]
Thu, 09.09.2010 11:49
There is no timelimit ...
Buttons
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License
Iīve wrote a quite long article about RBAC and privileges. I had to divide it into 4 seperate parts: Less known Solaris features: RBAC and Privileges - Part 1: IntroductionLess known Solaris features: RBAC and Privileges - Part 2: Role based access contr
Tracked: Feb 04, 17:01
Tracked: Jul 23, 06:32