Welcome to Machine Unix

Harden your Zones through RBAC on OpenIndiana 151a

RBAC stands for Role Based Access Control and is a security feature of Solaris systems. Since RBAC is thoroughly documented here, I am not going into much detail; instead I will show a scenario I stumbled on at work.

Help, I have too many zones and I need someone to manage some of them

I wanted to let one of the normal users manage and log in to a zone on a system where that user had no permission to do so. Depending on your organization, letting a specific user manage one or more zones can be a desirable solution if your application needs management on a daily basis.

So to make things a bit easier, I went ahead and set up this OpenIndiana environment with two zones and an additional user.

drende@oi151a:~$ uname -a
SunOS oi151a 5.11 oi_151a i86pc i386 i86pc Solaris
drende@oi151a:~$ cat /etc/release
                      OpenIndiana Development oi_151a X86
        Copyright 2010 Oracle and/or its affiliates. All rights reserved.
                        Use is subject to license terms.
                           Assembled 01 September 2011

Let's create a user called "macuser1":

drende@oi151a:~$ sudo useradd -d /export/home/macuser1 -m -s /bin/bash -c "macuser1" macuser1
Password:
80 blocks

Listing the zones in the system:

drende@oi151a:~# zoneadm list -civ
  ID NAME             STATUS     PATH            BRAND    IP
   0 global           running    /               ipkg     shared
   1 zdev             running    /zones/zdev     ipkg     shared

macuser1 is a normal user, so let's have it try to log in to one of the zones:

macuser1@oi151a:~$ pfexec zlogin zdev
zlogin: You lack sufficient privilege to run this command (all privs required)

The system promptly tells you that macuser1 lacks sufficient privileges. What do we do? Enter RBAC.

/etc/user_attr is the database that associates users and roles with their authorizations and rights profiles.

So let's add the following line to /etc/user_attr:

macuser1::::type=normal;auths=solaris.zone.login,solaris.zone.manage;profiles=Zone Management

Log out and back in, then use zlogin:

macuser1@oi151a:~$ pfexec zlogin zdev
[Connected to zone 'zdev' pts/3]
Last login: Sun Oct 30 23:06:51 on pts/2
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
root@zdev:~#

macuser1 was able to log in because /etc/security/exec_attr contains the following entries, among many others:

root@zdev:~# grep Zone /etc/security/exec_attr
Zone Management:solaris:cmd:::/usr/sbin/zlogin:euid=0
Zone Management:solaris:cmd:::/usr/sbin/zoneadm:euid=0
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0

The Zone Management profile can run zlogin with effective uid 0. /etc/security/exec_attr maps commands to a profile (in our case "Zone Management"), and that profile can be assigned to the macuser1 account, among others.

Say you also want this user to manage ZFS file systems? No problem, RBAC can do that for you:

macuser1@oi151a:~$ pfexec zfs create rpool/export/test
cannot create 'rpool/export/test': permission denied

root@oi151a:~# cat /etc/user_attr | grep macuser1
macuser1::::type=normal;auths=solaris.zone.login,solaris.zone.manage;profiles=Zone Management,ZFS File System Management

macuser1@oi151a:~$ pfexec zfs create rpool/export/test
macuser1@oi151a:~$ zfs list
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool                           26.3G  21.7G    45K  /rpool
rpool/ROOT                      2.01G  21.7G    31K  legacy
rpool/ROOT/openindiana          2.01G  21.7G  1.92G  /
rpool/export/home                104K  21.7G    33K  /export/home
..
rpool/export/test                 31K  21.7G    31K  /export/test

Neat, so you can now set up, using RBAC locally, which user in your organization can do what on the system. If you want a user to execute all commands with euid=0, there is a profile in /etc/security/exec_attr called "Primary Administrator". It goes without saying that giving this to a normal user is highly dangerous and potentially catastrophic. It is out there though.

That was just an aside; let's get back to hardening the zones.

Now let's look at another example of what you can do with RBAC. If you have SmartOS or OpenIndiana installed on your system, you can do more interesting things.

On my OI151a system I now have two zones:

root@oi151a:~# zoneadm list -civ
  ID NAME             STATUS     PATH           BRAND    IP
   0 global           running    /              ipkg     shared
   1 zdev             running    /zones/zdev    ipkg     shared
   3 zdev2            running    /zones/zdev2   ipkg     shared

zdev and zdev2. Suppose you want your user to log in to zdev2 and manage only that zone. How do you set up such a scenario?

Let’s look at /etc/user_attr again:

root@oi151a:~# cat /etc/user_attr | grep macuser1
macuser1::::type=normal;auths=solaris.zone.login,solaris.zone.manage;profiles=Zone Management

Notice the auths=solaris.zone.login,solaris.zone.manage part of the line. Currently the user is set up to log in to all zones and manage all zones. By manage we mean that the user is able to start, stop and reboot the zone.

OK, so let's limit the user to logging in to zdev2 and managing that zone only:

root@oi151a:~# cat /etc/user_attr | grep macuser1
macuser1::::type=normal;auths=solaris.zone.login/zdev2,solaris.zone.manage/zdev2;profiles=Zone Management

Now the line carries the /zdev2 suffix on both solaris.zone.login and solaris.zone.manage, so each authorization is scoped to that zone. Additional zones are granted as further comma-separated entries of the same form.
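As an added example (not code from the original post): a small Python audit helper that parses lines in the user_attr and exec_attr formats shown above and reports, per user, which zone authorizations lack a /zone suffix (and so cover every zone), which zones are covered, and which profile commands run as uid/euid 0. The entries in it are constructed samples modelled on the page's output, and the Primary Administrator line is assumed; on a live system you would feed it the contents of /etc/user_attr and /etc/security/exec_attr instead.

```python
ZONE_AUTHS = ("solaris.zone.login", "solaris.zone.manage")
# Constructed sample entries modelled on the page's output (not read from a live system).
USER_ATTR = """\
macuser1::::type=normal;auths=solaris.zone.login/zdev2,solaris.zone.manage/zdev2;profiles=Zone Management
macuser2::::type=normal;auths=solaris.zone.login,solaris.zone.manage;profiles=Zone Management
opsadmin::::type=normal;profiles=Primary Administrator
"""
EXEC_ATTR = """\
Zone Management:solaris:cmd:::/usr/sbin/zlogin:euid=0
Zone Management:solaris:cmd:::/usr/sbin/zoneadm:euid=0
Primary Administrator:solaris:cmd:::*:uid=0;gid=0
"""

def records(text, nfields):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)

def parse_user_attr(text):
    """user:qualifier:res1:res2:attr -> {user: {"auths": [...], "profiles": [...]}}"""
    users = {}
    for name, _q, _r1, _r2, attrs in records(text, 5):
        kv = dict(a.split("=", 1) for a in attrs.split(";") if "=" in a)
        users[name] = {"auths": [a for a in kv.get("auths", "").split(",") if a],
                       "profiles": [p for p in kv.get("profiles", "").split(",") if p]}
    return users

def parse_exec_attr(text):
    """name:policy:type:res1:res2:id:attr -> {profile: [(command, [attr, ...])]}"""
    profiles = {}
    for prof, _pol, _typ, _r1, _r2, cmd, attrs in records(text, 7):
        profiles.setdefault(prof, []).append((cmd, attrs.split(";")))
    return profiles

def audit(user_attr_text=USER_ATTR, exec_attr_text=EXEC_ATTR):
    """Per user: zone auths lacking a /zone suffix, zones covered, commands run as uid/euid 0."""
    report, exec_profiles = {}, parse_exec_attr(exec_attr_text)
    for user, rec in parse_user_attr(user_attr_text).items():
        unscoped, zones = set(), set()
        for auth in rec["auths"]:
            base, _, zone = auth.partition("/")   # solaris.zone.login/zdev2 -> zdev2
            if base in ZONE_AUTHS:
                (zones if zone else unscoped).add(zone or base)
        root_cmds = {cmd for p in rec["profiles"] for cmd, attrs in exec_profiles.get(p, [])
                     if "uid=0" in attrs or "euid=0" in attrs}   # '*' means every command
        report[user] = {"unscoped": sorted(unscoped), "zones": sorted(zones),
                        "root_cmds": sorted(root_cmds)}
    return report
```

Any user whose report shows an "unscoped" zone authorization or a "*" root command is a candidate for the same /zone scoping shown above, or for a narrower profile.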

Instead of zdev2, I'll first try to log in to zdev as macuser1:

macuser1@oi151a:~$ pfexec zlogin zdev
zlogin: macuser1 is not authorized to login to zdev zone.

And now I try zdev2, which I expect to work:

macuser1@oi151a:~$ pfexec zlogin zdev2
[Connected to zone 'zdev2' pts/3]
Last login: Thu Nov  3 22:45:57 on console
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
root@zdev2:~#

Let's try to halt the zdev and zdev2 zones as macuser1:

macuser1@oi151a:~$ pfexec zoneadm -z zdev halt
zoneadm: zone 'zdev': User macuser1 is not authorized to halt this zone.
macuser1@oi151a:~$
macuser1@oi151a:~$ pfexec zoneadm -z zdev2 halt
macuser1@oi151a:~$
macuser1@oi151a:~$ zoneadm list -civ
  ID NAME             STATUS     PATH           BRAND    IP
   0 global           running    /              ipkg     shared
   1 zdev             running    /zones/zdev    ipkg     shared
   - zdev2            installed  /zones/zdev2   ipkg     shared
macuser1@oi151a:~$ pfexec zoneadm -z zdev2 boot
macuser1@oi151a:~$
macuser1@oi151a:~$ zoneadm list -civ
  ID NAME             STATUS     PATH           BRAND    IP
   0 global           running    /              ipkg     shared
   1 zdev             running    /zones/zdev    ipkg     shared
   4 zdev2            running    /zones/zdev2   ipkg     shared

Very nice, macuser1 now manages the zdev2 zone and nothing else. There are many other interesting things you can do with RBAC, and you can find most of the documentation here.