Solved

RBAC and ACL

Posted on 2006-07-06
Last Modified: 2013-12-27
Hi Experts,

We are having some undesirable people carrying around the root password; this is a concern for the security of the organization.

What is the best way that I could give these users access to only the files they need to access? These users need to have root access to some files and they should be able to reboot the system. I know that there is a way to give users root access with RBAC. I would appreciate it if any of you could provide me with the steps of using RBAC. ACL could also be a solution that I am looking for; and if anybody has steps for ACL that would be great.

Thank you for your valuable time and suggestions.

Question by:z670193
5 Comments
 
LVL 38

Accepted Solution

by:
yuzh earned 168 total points
ID: 17056304
Why not simply download sudo and install it on your system? You can get it from:
http://sunfreeware.com/

Please have a look at:
http://www.sudo.ws/sudo/

for more details.

With sudo, you can define what commands the user can run as root, and it is very easy to use; there are a lot of tutorials on the Web (also do a search at EE, you can find a lot of answers).

For ACL, please have a look at:
http:Q_21292724.html

For Solaris BSM (Basic Security Module):
http:Q_20676513.html

For RBAC:
http://www.samag.com/documents/s=7667/sam0213c/0213c.htm
http://docs.sun.com/app/docs/doc/817-0365/6mg5vpmdo?a=view
0
 
LVL 14

Assisted Solution

by:arthurjb
arthurjb earned 166 total points
ID: 17061684
>We are having some undesirable people carrying around root password; this is a concern for the security of the organization.

Obviously not a huge concern or they would not have the root password.


>What is the best way that I could give these users access to only the files they need to access

Make sure that the stuff they need to access is owned by the people who need to own it.  Giving out the root password is the lazy way to handle access issues.  Sudo is the professional way.

BUT, in most cases there is no justification for anyone other than the system administrator to have the root password.  In fact in most places, the root password is locked away, and even the system administrators use sudo to do their job.

Find out why they think they need root, and you will normally find that it is because they are lazy and don't care about the security of the system.

It is much safer to set up the proper access rights and keep the root password private, but it takes a little more work.  (In the fight between programmers and sysadmins, the programmers insist they need root access, yet they normally don't...)
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 166 total points
ID: 17069672
General rule of thumb is RBAC is used to assign privileged roles to standard users whereas ACLs are generally used to control access rights to a file.

Sun's RBAC is similar in concept to sudo (as has been improved in Solaris 10), but you still find a lot of people prefer to install sudo as it is more universal and more people are familiar with it.

One big downfall with RBAC compared to sudo, is RBAC doesn't provide very good logging, so you can't find out specific commands users have typed without having auditing turned on.
0
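
Added example, not part of any reply above and not taken from the sudo documentation: a sudoers fragment for the situation in the question, where a few users must reboot the machine and edit some root-owned files without knowing the root password. The user names, the file list and the log path are assumptions, and the command paths are Solaris-style.

```sudoers
# Added example; edit only through visudo so a syntax error cannot lock sudo out.
# User names, file list and log path below are constructed placeholders.

# Who: the people who currently carry the root password.
User_Alias  OPERATORS = alice, bob

# What: reboot only. "" means no arguments are accepted for reboot;
# shutdown is allowed only with exactly these arguments.
Cmnd_Alias  REBOOT    = /usr/sbin/reboot "", \
                        /usr/sbin/shutdown -y -g0 -i6

# Root-owned files they may edit. sudoedit runs the editor as the invoking
# user on a temporary copy, so the editor itself never runs as root.
Cmnd_Alias  EDITFILES = sudoedit /etc/inet/hosts, \
                        sudoedit /etc/resolv.conf

# Record every invocation (who, from which tty, which command line).
Defaults            logfile=/var/adm/sudo.log
# Ask for the user's own password on every call; no cached credentials.
Defaults:OPERATORS  timestamp_timeout=0

# The rule: on any host, as root, only the commands named above.
OPERATORS  ALL = (root) REBOOT, EDITFILES
```

Each listed user can check what they have been granted with `sudo -l`. Anything outside the two aliases is refused, and the refusal is written to the same log file.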
