User's Manual

Solaris 9 Security CX-310-301 55

Creating A Profile

A profile is created by making an entry with an editor, such as vi, in the file /etc/security/prof_attr. To

create a new profile for adding user groups add the following entry, noting the number of “:” characters:

Group Creation:::Create new groups:

Associating Executions with a Profile

The previous action created a profile. At this point the profile does not do anything. The commands for a

profile must be entered in /etc/security/exec_attr. The following example adds the groupadd commands to

the “User Creation” profile:

Group Creation:suser:cmd:::/usr/sbin/groupadd:euid=0

This entry will run the groupadd command as user root (euid=0).

Creating a Role

Roles are created using the roladd command. A role called newgroup will be added, which is associated

with the “Group Creation” profile:

# roleadd –P “Group Creation” –s /usr/bin/pfsh newgroup

As a result, the following entry is inserted into /etc/user_attr:

newgroup::::type=role;profiles=Group Creation

Note that a role needs to be assigned a default shell that is a profile shell. This ensures that the profile

attributes in /etc/security/exec_attr are used when a command is run. There are three profile shells:

¾ /usr/bin/pfsh – Profile Bourne shell

¾ /usr/bin/pfksh – Profile korn shell

¾ /usr/bin/pfcsh – Profile C shell

Assigning a Role to a User

Having created a role, it needs to be assigned to a user account. To assign the newgroup role to the user

temptest:

# usermod –R newgroup temptest

The following entry appears in /etc/user_attr showing the user account temptest and that it has been

assigned the role newgroup:

temptest::::type=normal;roles=newgroup