Friday, March 23, 2007

Solaris 10 RBAC for apache and sendmail

This document describes the setup of Solaris 10 roles for Web and Mail Administrators. It is assumed that Apache 2.0 and sendmail are already set up and working on the target server. Apache is also assumed to be running as the user 'webservd'. This configuration will allow Administrators/Developers to switch to a new account (an RBAC role) and run the commands necessary to manage Apache and sendmail. Commands are run by the user shown in the preceding command prompt, i.e. "[root] # ls" means the ls command should be run as root. Substitute the user 'mbaxter' with the users needed for your site.

Step 1 Stop Apache and Coldfusion.

[root] # svcadm -v disable -s apache2
[root] # svcadm -v disable -s sendmail

Step 2 Create separate Administrative Role

[root] # roleadd -g webservd -d /home/webadm -m webadm
[root] # passwd webadm
New Password:
Re-enter new Password:
Passwd: password successfully changed for webadm
[root] # usermod -R webadm mbaxter

Step 3 Create authorizations for webadm.
Add the following lines to the /etc/security/auth_attr file with vi:

[root] # vi /etc/security/auth_attr
sunw.*:::Custom Authorizations::
sunw.grant:::Grant Custom Authorizations::
sunw.smf.manage.http/apache2:::Manage the Apache2 Service::
sunw.smf.modify.application.http/apache2:::Modify the Apache2 Application Properties::

Assign the new authorizations to the root user by editing /etc/user_attr:
[root] # vi /etc/user_attr
root::::auths=solaris.*,solaris.grant,sunw.*,sunw.grant;profiles=Web Console Management,All;lock_after_retries=no

Step 4 Grant SMF-Specific authorizations to webadm

[root] # rolemod -A sunw.smf.manage.http/apache2,sunw.smf.modify.application.http/apache2 webadm

Step 5 Configure Apache2 with reduced privileges and required authorizations.

[root] # svccfg -s apache2

Install new properties:
svc:/network/http:apache2> setprop httpd/value_authorization = astring: sunw.smf.modify.application.http/apache2
svc:/network/http:apache2> setprop general/action_authorization = astring: sunw.smf.manage.http/apache2
svc:/network/http:apache2> setprop general/value_authorization = astring: sunw.smf.manage.http/apache2

Configure reduced privileges:
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> setprop start/limit_privileges = astring: :default
svc:/network/http:apache2> setprop start/use_profile = boolean: false
svc:/network/http:apache2> setprop start/supp_groups = astring: :default
svc:/network/http:apache2> setprop start/working_directory = astring: :default
svc:/network/http:apache2> setprop start/project = astring: :default
svc:/network/http:apache2> setprop start/resource_pool = astring: :default
svc:/network/http:apache2> end
[root] # svcadm -v refresh apache2
Action refresh set for svc:/network/http:apache2.

Step 6 Change ownership of log files.

[root] # cd /var/apache2/logs
[root] # chown webservd:webservd access_log error_log

Step 7 Configure Pidfile and Lockfile location.

[root] # mkdir -p /var/apache2/run
[root] # chown webservd:webservd /var/apache2/run
[root] # vi /etc/apache2/httpd.conf
Make these changes:
LockFile /var/apache2/logs/accept.lock
PidFile /var/apache2/run/httpd.pid

Step 8 Create the Sendmail profile by editing /etc/security/prof_attr with vi

[root] # vi /etc/security/prof_attr
Sendmail Management:::Sendmail Management Profile:

Step 9 Create the Sendmail execution attributes by editing /etc/security/exec_attr with vi

[root] # vi /etc/security/exec_attr
Sendmail Management:solaris:cmd:::/usr/sbin/sendmail:uid=0
Sendmail Management:solaris:cmd:::/usr/sbin/dig:uid=0
Sendmail Management:solaris:cmd:::/usr/bin/mailq:uid=0

Step 10 Add the Sendmail profile to webadm

[root] # rolemod -P "Sendmail Management" webadm

Step 11 Change ownership of /etc/apache2 to webadm

[root] # chown -R webadm:webservd /etc/apache2

Step 12 Change ownership of /etc/mail to webadm

[root] # chown -R webadm:webservd /etc/mail

Step 13 Test configurations:

[root] # svcs -v apache2
disabled - 14:41:05 - svc:/network/http:apache2
[root] # su - webadm
[webadm] # svcadm -v enable -s apache2
[webadm] # svcs -v apache2
online - Sep_21 112 svc:/network/http:apache2
[webadm] # svcadm -v enable -s sendmail

Step 14 Add users to the webadm role.

[root] # usermod -R webadm mbaxter
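Once the four RBAC databases have been edited by hand (steps 3, 8, 9 and the rolemod/usermod calls), a mistyped authorization or profile name silently grants nothing, and the only symptom is that the role cannot start the service. The script below is an added example, not part of the original post: it audits a role's user_attr entry against auth_attr, prof_attr and exec_attr using the Solaris 10 file layouts, reports every authorization or profile the role references that is not defined, and lists the commands a profile runs as uid 0 so the exposure of the role can be reviewed. It runs against constructed copies of the files (the post's entries plus one deliberately broken role, "badadm", which is an assumption of this example) so it works in any POSIX shell; on a Solaris host, point the four *_ATTR variables at /etc/security/auth_attr, /etc/security/prof_attr, /etc/security/exec_attr and /etc/user_attr and do not call write_sample_db.

```shell
#!/bin/sh
# Added example, not from the original post. Audits Solaris 10 RBAC entries
# using the auth_attr(4), prof_attr(4), exec_attr(4) and user_attr(4) layouts.

SAMPLE_DIR=$(mktemp -d)
AUTH_ATTR=$SAMPLE_DIR/auth_attr
PROF_ATTR=$SAMPLE_DIR/prof_attr
EXEC_ATTR=$SAMPLE_DIR/exec_attr
USER_ATTR=$SAMPLE_DIR/user_attr

# Constructed sample databases: the post's entries plus a deliberately broken
# role "badadm" (mistyped auth "sun." and profile "Managment").
write_sample_db() {
  cat > "$AUTH_ATTR" <<'EOF'
sunw.*:::Custom Authorizations::
sunw.grant:::Grant Custom Authorizations::
sunw.smf.manage.http/apache2:::Manage the Apache2 Service::
sunw.smf.modify.application.http/apache2:::Modify the Apache2 Application Properties::
EOF
  cat > "$PROF_ATTR" <<'EOF'
Sendmail Management:::Sendmail Management Profile:
EOF
  cat > "$EXEC_ATTR" <<'EOF'
Sendmail Management:solaris:cmd:::/usr/sbin/sendmail:uid=0
Sendmail Management:solaris:cmd:::/usr/sbin/dig:uid=0
Sendmail Management:solaris:cmd:::/usr/bin/mailq:uid=0
EOF
  cat > "$USER_ATTR" <<'EOF'
root::::auths=solaris.*,solaris.grant,sunw.*,sunw.grant;profiles=Web Console Management,All;lock_after_retries=no
webadm::::type=role;auths=sunw.smf.manage.http/apache2,sunw.smf.modify.application.http/apache2;profiles=Sendmail Management
badadm::::type=role;auths=sun.smf.manage.http/apache2;profiles=Sendmail Managment
mbaxter::::type=normal;roles=webadm
EOF
}

# Print one key (auths, profiles, roles, ...) from the attr field of a user_attr entry.
attr_value() {  # attr_value <user_attr file> <name> <key>
  awk -F: -v n="$2" -v k="$3" '$1 == n {
    cnt = split($5, kv, ";")
    for (i = 1; i <= cnt; i++) {
      eq = index(kv[i], "=")
      if (substr(kv[i], 1, eq - 1) == k) print substr(kv[i], eq + 1)
    } }' "$1"
}

# Succeed if an authorization is defined; a trailing "*" in auth_attr is a
# wildcard covering every name that starts with that prefix.
auth_defined() {  # auth_defined <auth_attr file> <auth name>
  awk -F: -v a="$2" '/^#/ || NF < 1 { next }
    $1 == a { found = 1; exit }
    substr($1, length($1)) == "*" &&
      substr(a, 1, length($1) - 1) == substr($1, 1, length($1) - 1) { found = 1; exit }
    END { exit !found }' "$1"
}

profile_defined() {  # profile_defined <prof_attr file> <profile name>
  awk -F: -v p="$2" '$1 == p { found = 1 } END { exit !found }' "$1"
}

# Commands a profile runs as uid 0 / euid 0 under pfexec (the ones worth reviewing).
root_commands() {  # root_commands <exec_attr file> <profile name>
  awk -F: -v p="$2" '$1 == p && $2 == "solaris" && $3 == "cmd" &&
    $7 ~ /(^|;)e?uid=0($|;)/ { print $6 }' "$1"
}

# Users whose user_attr "roles=" list lets them su to the role.
role_members() {  # role_members <role>
  awk -F: -v r="$1" '{
    cnt = split($5, kv, ";")
    for (i = 1; i <= cnt; i++) if (substr(kv[i], 1, 6) == "roles=") {
      m = split(substr(kv[i], 7), rl, ",")
      for (j = 1; j <= m; j++) if (rl[j] == r) print $1
    } }' "$USER_ATTR"
}

# Audit one role: every auth and profile it carries must exist; returns the
# number of problems and prints ok/FAIL/note lines.
audit_role() {  # audit_role <role>
  problems=0
  for a in $(attr_value "$USER_ATTR" "$1" auths | tr ',' ' '); do
    if auth_defined "$AUTH_ATTR" "$a"; then echo "ok   auth    $a"
    else echo "FAIL auth    $a is not defined in auth_attr"; problems=$((problems + 1)); fi
  done
  old_ifs=$IFS; IFS=','            # profile names contain spaces: split on commas only
  for p in $(attr_value "$USER_ATTR" "$1" profiles); do
    IFS=$old_ifs
    if profile_defined "$PROF_ATTR" "$p"; then
      echo "ok   profile $p"
      root_commands "$EXEC_ATTR" "$p" | while IFS= read -r c; do echo "note profile $p runs $c as uid 0"; done
    else echo "FAIL profile $p is not defined in prof_attr"; problems=$((problems + 1)); fi
  done
  IFS=$old_ifs
  return $problems
}

problem_count() { audit_role "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'; }

write_sample_db
audit_role webadm
echo "users who may assume webadm: $(role_members webadm)"
```

With the sample data, the webadm role audits clean and the three Sendmail Management commands are listed as running with uid 0, while badadm reports two FAIL lines. Auditing against the live files is the same call with the *_ATTR variables repointed; the script only reads them.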

1 comment:

Anonymous said...

Greets dude!

It is my first time here. I just wanted to say hi!