Users and Roles in Oracle Solaris 11

Users in Oracle Solaris 11 are identified by a User ID and Group ID but we will see that each process has a Real, Effective and Set User ID and Group ID. We will see how we can create users and investigate the user account databases /etc/passwd, /etc/shadow, and/etc/group and/etc/user_attr. The user_attr file is home to roles and role assignment and we can see how these roles can add critical management to Solaris.

The simple command id(/usr/bin/id) can be used to display the current users User ID and Group ID. It is these IDs that are used when accessing resources and help control access.

For the current user we can see that the User ID is 100 and Group ID 100. Each running process also maintains the IDs that the process is running as. This will show 3 User IDs and 3 Group Ids

• Real: The actual ID used to start the process
• Effective: Shows if it was run with sudo or similar.
• Set: Shows if the Set UID bit or Set GID bit is set on the program which controls the accounts used when the process runs. This is set by default on programs such as /usr/bin/passwd.

The variable $$ contains the name of the currently running process so if we use the command:

pcred $$

We can display the credential used for the current process which will be the BASH shell in our case:

When as standard user run the passwd program it will run as the user root. The SUID permission is set on this program. We can demonstrate this by running the passwd program and leaving it running. From another terminal we can search for the process and display the credentials:

sudo pcred $(pgrep passwd)

Here we can see the REAL UID is 100 but the EFFECTIVE and SET UID is 0 for the root user.

A user with root privileges can create new local users to the system using the command useradd(/usr/sbin/useradd). Not all options need to be provided with the command; default values can be displayed with:

useradd -D

We can see from the above output that the default user shell will be bash and the users’ home directory will be located in /export/home is not specified at the time the user is created.

To create a new user we can use the command

useradd -m bob

The -m option creates the user’s home directory immediately rather than on first log in. User accounts are stored in the file /etc/passwd. The new user will be the last entry in the file so we can use the command:

tail -1 /etc/passwd

to display the entry.

Output from the command:

id bob

Will show the group and user ids.

Using the command:

finger bob

We can display user information including last login times.

We have created the user bob; as yet he does not have a password. User passwords are stored in the file /etc/shadow.

tail -1 /etc/shadow

Here we can see the user bob. The password is the 2^nd field shown as UP in the output. This is the password status and can be seen also with the command :

passwd -s bob

UP indicates that the password is as yet unset by the administrator and the account cannot be used.

The initial setting of the users password is known as activating the account. To activate the password the root user or a user with the privileges to set the password:

• solaris.passwd.assign
• solaris.account.activate

We can then simply set the password for the user with:

passwd bob

We will need to enter the password twice to verify our typing expertise. The passwd status should now show as PS indicating that the password is set.

passwd -s bob

We now have a functioning account for the user bob.

If the new user bob needs to carry out administrative duties we will find that he cannot use the substitute user command to gain root permissions, even if he does know the password.

If we add the user bob to the root role he then will be able to use su.

usermod -R root bob

We can display the roles associated with a user using the roles command

roles bob