Solaris User

RBAC¤ÈºÇ¾®Æø¢µ¡Ç½¤òÁȤ߹ç¤ï¤»¤Æ°ìÉô¤Î¥³¥Þ¥ó¥É¤Ë¸ÂÄꤷ¤ÆÆø¢¤òÍ¿¤¨¤ë

º£²ó¤ÏRBAC¡ÊRole-Based Access Control¡Ë¤ËºÇ¾®Æø¢µ¡Ç½(Least Privilegeµ¡Ç½)¤òÍí¤á¤Æ¡¢¤è¤êÀºÅ٤ι⤤¥¢¥¯¥»¥¹¥³¥ó¥È¥í¡¼¥ë¤òÀßÄꤹ¤ëÊýË¡¤ò¾Ò²ð¤¹¤ë¡£

RBAC¤È¤ÏSolaris 8 ¤«¤é¤Îµ¡Ç½¤Ç¡¢Ìò³ä(Role)¤ò¼Â¥æ¡¼¥¶¤Ë¥¢¥µ¥¤¥ó¤¹¤ë¤³¤È¤Çroot¸¢¸Â¤Ç¤·¤«¼Â¹Ô¤¹¤ë¤³¤È¤Î¤Ç¤­¤Ê¤¤¥³¥Þ¥ó¥É·²¤ò°ìÈ̥桼¥¶¤Ë¤â¼Â¹Ô¤Ç¤­¤ë¤è¤¦¤Ë¤¹ ¤ë¤â¤Î¤À¡£RBAC¤Ë´Ø¤·¤Æ¤Ï¾ï¼±¤Ê¤Î¤Ç¤³¤³¤Ç¤Ï¶ñÂÎŪ¤ÊÀâÌÀ¤Ï¤»¤º¡¢Solaris10¤«¤é¼ÂÁõ¤µ¤ì¤¿ºÇ¾®Æø¢µ¡Ç½¤È¤ÎÍí¤ß¤òÃæ¿´¤Ë¾Ò²ð¤·¤Æ¤¤¤¯¡£

°ìÈ̥桼¥¶¤Ë file_dac_read Æø¢¤Î¤Ä¤¤¤¿ cat ¥³¥Þ¥ó¥É¤ò¼Â¹Ô¤Ç¤­¤ë¤è¤¦¤Ë¤¹¤ë¤³¤È¤òÎã¤Ë¤·¤ÆÀâÌÀ¤¹¤ë¡£
¥í¥°¥¤¥ó»þ¤Ë file_dac_read Æø¢¤òÍ¿¤¨¤ëÊýË¡¤Ï¤³¤Á¤é¤Ç¾Ò²ð¤·¤Æ¤¤¤ë¤¬¡¢¤³¤³¤Ç¤Ï¤µ¤é¤Ë¥³¥Þ¥ó¥É¤ò¸ÂÄꤷ¤Æ¡¢¤·¤«¤â°ÊÁ°¤ÎRBACµ¡Ç½¤Î¤è¤¦¤Ë root¸¢¸Â¤òÁ´ÌÌŪ¤ËÍ¿¤¨¤Ê¤¤ÀßÄêÊýË¡¤ò¾Ò²ð¤¹¤ë¡£¤³¤ÎÊýË¡¤ò±þÍѤ¹¤ì¤Ð¡¢¥»¥­¥å¥ê¥Æ¥£¥ì¥Ù¥ë¤òÊݤÁ¤Ê¤¬¤éÆÃÄê¤Î¥æ¡¼¥¶¤ä¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤ËËÜÍè¤Î¸¢¸Â °Ê¾å¤Î¤³¤È¤ò¼Â¹Ô¤µ¤»¤ë¤³¤È¤¬Íưפˤʤ롣

¤Þ¤º¡¢°Ê²¼¤Î¤è¤¦¤Ë/etc/security/prof_attr¥Õ¥¡¥¤¥ë¤ËPrivTest¤È¤¤¤¦¸¢Íø¥×¥í¥Õ¥¡¥¤¥ë¤òÄêµÁ¤¹¤ë¥¨¥ó¥È¥ê¤òÄɲ乤롣
# tail -1 /etc/security/prof_attr
PrivTest:::Priv Test profile:

¤µ¤é¤Ë/etc/security/exec_attr¥Õ¥¡¥¤¥ë¤Ë/usr/bin/cat¥³¥Þ¥ó¥É¤Ëfile_dac_readÆø¢¤ò³ä¤êÅö¤Æ¤ë¡£
¥Ý¥¤¥ó¥È¤Ïº£¤Þ¤Ç¤ÎRBAC¤Î¤è¤¦¤Ëuid=0¤äeuid=0¤Ê¤É¤ò»ØÄꤷ¤Æ¤¤¤Ê¤¤¤È¤³¤í¤À¡£
Solaris10¤Ç¤Ï¡¢root¸¢¸ÂÁ´È̤ǤϤʤ¯¡¢ÆÃÄê¤ÎÆø¢¤Ë¹Ê¤Ã¤Æ³ä¤êÅö¤Æ¤ë¤³¤È¤¬¤Ç¤­¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£

# tail -1 /etc/security/exec_attr
PrivTest:suser:cmd:::/usr/bin/cat:privs=file_dac_read

¤¢¤È¤ÏÄ̾ï¤ÎRBACÀßÄêƱÍͤËPrivTest¸¢Íø¥×¥í¥Õ¥¡¥¤¥ë¤ò»ý¤Ä¡¢Ìò³ä¤òºîÀ®¤·¤Æ¡¢°ìÈ̥桼¥¶¤Ë³ä¤êÅö¤Æ¤ë¡£

# roleadd -d /export/home/rootcat -m -P PrivTest,All rootcat
64 ¥Ö¥í¥Ã¥¯
# passwd rootcat
¿·¤·¤¤¥Ñ¥¹¥ï¡¼¥É:
¿·¤·¤¤¥Ñ¥¹¥ï¡¼¥É¤òºÆÆþÎϤ·¤Æ¤¯¤À¤µ¤¤:
passwd: rootcat ¤Î¥Ñ¥¹¥ï¡¼¥É¤¬Êѹ¹¤µ¤ì¤Þ¤·¤¿
# usermod -R rootcat user1

¾åµ­ÀßÄê¤ÇPrivTest¸¢Íø¤òrootcatÌò³ä¤Ë»ý¤¿¤»¡¢¼Â¥æ¡¼¥¶user1¤ËrootcatÌò³ä¤ò¥¢¥µ¥¤¥ó¤·¤Æ¤¤¤ë¡£
/etc/user_attr¥Õ¥¡¥¤¥ë¤Ï°Ê²¼¤Î£²¹Ô¤¬Äɲ䵤ì¤ë¡£

# tail -2 /etc/user_attr
rootcat::::type=role;profiles=PrivTest,All
user1::::type=normal;roles=rootcat

¤¢¤È¤ÏÆ°ºî³Îǧ¤À¡£

# su - user1
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$ more /etc/shadow
/etc/shadow: ¥¢¥¯¥»¥¹¸¢¤¬¤¢¤ê¤Þ¤»¤ó¡£
$ cat /etc/shadow
cat: /etc/shadow ¤ò¥ª¡¼¥×¥ó¤Ç¤­¤Þ¤»¤ó¡£

ÅöÁ³¡¢rootcatÌò³ä¤ò¤Þ¤Àô¤Ã¤Æ¤¤¤Ê¤¤¤Î¤Çmore¥³¥Þ¥ó¥É¤À¤í¤¦¤¬cat¥³¥Þ¥ó¥É¤À¤í¤¦¤¬¥¢¥¯¥»¥¹¸¢¤Î¤Ê¤¤¥Õ¥¡¥¤¥ë¤ÏÆɤ߹þ¤á¤Ê¤¤¡£

$ su - rootcat
Password:¡¡xxxxxx
$ id -p
uid=2001(rootcat) gid=1(other) projid=3(default)
$ more /etc/shadow
/etc/shadow: ¥¢¥¯¥»¥¹¸¢¤¬¤¢¤ê¤Þ¤»¤ó¡£
$ cat /etc/shadow
...
...
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
user1:AxEfnuHATDQB2:12930::::::

¾åµ­¤Î¤è¤¦¤ËrootcatÌò³ä¤ËÊѹ¹¸å¤Ïcat¥³¥Þ¥ó¥É¤Ç¤Î¤ß¥¢¥¯¥»¥¹¸¢¤Î¤Ê¤¤¥Õ¥¡¥¤¥ë¤òÆɤ߼è¤ë¤³¤È¤¬²Äǽ¤Ë¤Ê¤ë¡£
¤Þ¤¿¡¢°Ê²¼¤Îppriv¥³¥Þ¥ó¥É¤Î·ë²Ì¤«¤é ¥×¥í¥Õ¥¡¥¤¥ë¥·¥§¥ëpfsh¤ËÆÃÊ̤ÊÆø¢¤¬¤Ä¤¤¤Æ¤¤¤Ê¤¤¤³¤È¤â¤ï¤«¤ë¡£

$ ppriv $$
1085:   -pfsh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all


========================================
¢¨¾Ü¤·¤¤¾ðÊó¤Ï°Ê²¼¤Î¥È¥ì¡¼¥Ë¥ó¥°¥³¡¼¥¹»²¾È
Solaris10¿·µ¡Ç½¡Ê¥·¥¹¥Æ¥à´ÉÍýÊÔ¡Ë
========================================

¡Ú¥¢¥ó¥±¡¼¥È¡Û
¤³¤Îµ­»ö¤Ï¤¿¤á¤Ë¤Ê¤ê¤Þ¤·¤¿¤«¡©
¡¡¡¡¡¡¤Ï¤¤¡¡¡¡/¡¡¡¡¤¤¤¤¤¨