RBAC Commands

The following RBAC commands perform operations on the databases used with RBAC: exec_attr, prof_attr, user_attr and the user and role accounts themselves. They are the command-line interface to the Solaris Management Console (SMC) server, which is why each takes authentication arguments and a host name and port (898 by default) rather than editing the database files directly. In the examples below, xyz123 is a placeholder password. A password given on the command line is visible to every user in ps output and is recorded in the shell history, so on a shared system run these commands from a script with restrictive permissions rather than typing the password at an interactive prompt.

smexec

The smexec command creates, updates, and deletes entries in the exec_attr database (/etc/security/exec_attr), which maps each command in a rights profile to the UID and GID it runs with. One of three subcommands must be given: add, which adds an entry; delete, which deletes an entry; or modify, which updates an entry. To use smexec, the user must have the solaris.profmgr.execattr.write authorization. Two sets of parameters can be passed to smexec: authorization parameters, which are the same for every subcommand, and subcommand-specific parameters, which follow a -- separator.

The authorization parameters are common to each subcommand, and they specify the following characteristics:

-domain

The domain to be administered

-hostname host:port

The hostname and port on which operations are to be performed (default port is 898)

-rolepassword

The password for role authentication

-password

The password for the user rather than the role

-rolename

The name of the role

-username

The name of the user

For adding entries using smexec add, the following parameters can be passed on the command line:

-c

Specifies the full path to the command to be added

-g

Specifies the effective GID the command runs with

-G

Specifies the real GID the command runs with

-n

Specifies the name of the rights profile the command is associated with

-t cmd

Specifies that the entry is a command

-u

Specifies the effective UID the command runs with

-U

Specifies the real UID the command runs with

An example smexec add operation looks like this:

# smexec add -hostname localhost -password xyz123 -username root -- \
  -n "Print Manager" -t cmd -c /usr/sbin/lpsched -u 0 -g 0

This entry adds the capability to start the printing service to the Print Manager profile, with an effective UID and GID of 0 (that is, root). The entry confers privilege only on users and roles that have been assigned the Print Manager profile, and only when they run the command through a profile shell (pfsh, pfcsh or pfksh) or pfexec; running /usr/sbin/lpsched from an ordinary shell gains nothing.

For removing entries using smexec delete, the following parameters can be passed on the command line:

-c

Specifies the full path to the command to be deleted

-n

Specifies the name of the rights profile the command is currently associated with

-t cmd

Specifies that the entry is a command

All three are needed to identify the entry, since the same command may appear in several profiles. To remove the entry for lpsched, you would use the following command:

# smexec delete -hostname localhost -password xyz123 -username root -- \
  -n "Print Manager" -t cmd -c /usr/sbin/lpsched

For changing entries using smexec modify, the following parameters can be passed on the command line:

-c

Specifies the full path to the command whose entry is to be modified.

-g

Specifies the new effective GID the command runs with.

-G

Specifies the new real GID the command runs with.

-n

Specifies the name of the rights profile the command is associated with.

-t cmd

Specifies that the entry is a command.

-u

Specifies the new effective UID the command runs with.

-U

Specifies the new real UID the command runs with.

An example smexec modify operation looks like this:

# smexec modify -hostname localhost -password xyz123 -username root -- \
  -n "Print Manager" -t cmd -c /usr/some/new/path/lpsched -u 0 -g 0

This changes the entry that starts the printing service for the Print Manager profile so that the command path is /usr/some/new/path/lpsched rather than /usr/sbin/lpsched, still with an effective UID and GID of 0. Before pointing an entry that runs as root at a new path, check who can write to that file and to its parent directories: anyone able to replace the binary named in a euid=0 entry can run arbitrary code as root through any user who holds the profile.
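The following shell script is an added example; it is not from the Solaris documentation and is not part of smexec. It works on the exec_attr(4) records that smexec add, delete and modify write, using a constructed sample of /etc/security/exec_attr, and shows the two checks worth running around the examples above: which entries in a profile run as UID 0, and whether a command path about to be given to smexec modify is safe to trust with euid=0. The record layout name:policy:type:res1:res2:id:attr is the Solaris 9 format; the sample contents, the function names and the temporary file used in the demonstration are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit helpers for the exec_attr records that smexec manages.
# Not part of Solaris or of smexec.  Assumes the Solaris 9 exec_attr(4) layout
#   name:policy:type:res1:res2:id:attr
# with attr holding euid=/uid=/egid=/gid= assignments separated by ';'.

# Constructed sample of /etc/security/exec_attr.  The first line is the record
# that the "smexec add ... -n 'Print Manager' ... -u 0 -g 0" example produces.
SAMPLE_EXEC_ATTR='Print Manager:suser:cmd:::/usr/sbin/lpsched:euid=0;egid=0
Print Manager:suser:cmd:::/usr/bin/cancel:euid=0
Cron Management:suser:cmd:::/usr/bin/crontab:uid=0
Log Viewer:suser:cmd:::/usr/bin/tail:'

# exec_attr_find PROFILE CMDPATH
# Prints the record keyed by profile name, type cmd and command path (the
# same three values smexec delete and modify use to pick an entry).  Exits 1
# if there is no such entry.
exec_attr_find() {
    printf '%s\n' "$SAMPLE_EXEC_ATTR" | awk -F: -v prof="$1" -v cmd="$2" '
        $1 == prof && $3 == "cmd" && $6 == cmd { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# exec_attr_root_cmds
# Prints "profile<TAB>command" for every cmd entry whose attributes set the
# effective or real UID to 0.  These are the entries to review first.
exec_attr_root_cmds() {
    printf '%s\n' "$SAMPLE_EXEC_ATTR" | awk -F: '
        $3 != "cmd" { next }
        {
            n = split($7, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] == "euid=0" || kv[i] == "uid=0") { print $1 "\t" $6; break }
        }'
}

# check_cmd_path PATH
# Returns 0 when PATH is absolute, a regular file, and neither group- nor
# world-writable; otherwise prints the reason and returns 1.  Run it before
# smexec add/modify points a euid=0 entry at PATH: whoever can overwrite that
# file can run code as root through every user holding the profile.
check_cmd_path() {
    case "$1" in
        /*) ;;
        *)  echo "refuse: $1 is not an absolute path"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "refuse: $1 is missing or not a regular file"; return 1; }
    if [ -n "$(find "$1" \( -perm -002 -o -perm -020 \) -print 2>/dev/null)" ]; then
        echo "refuse: $1 is group- or world-writable"
        return 1
    fi
    echo "ok: $1"
    return 0
}

# Stand-alone demonstration with a throwaway file standing in for
# /usr/some/new/path/lpsched.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$tmp/lpsched"
    chmod 0755 "$tmp/lpsched"
    echo "root-privileged entries:"; exec_attr_root_cmds
    exec_attr_find "Print Manager" /usr/sbin/lpsched
    check_cmd_path "$tmp/lpsched"          # accepted
    chmod 0777 "$tmp/lpsched"
    check_cmd_path "$tmp/lpsched"          # refused: world-writable
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh exec_attr_audit.sh demo` to see the sample audited; the functions are written as filters over SAMPLE_EXEC_ATTR so that the same logic can be pointed at the live file by replacing the printf with `cat /etc/security/exec_attr`. The writability check deliberately looks only at the file itself; extend it to the parent directories if a rename of the directory is a realistic risk on your hosts.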

smmultiuser

The smmultiuser command is used to perform batch functions, such as adding or deleting a large number of users. This is particularly useful when a file already exists that specifies all of the required user data. For instance, a backup system may need a setup that is similar to a current production system. Rather than just copying the file systems directly, all of the operations associated with new account creation can be performed, such as creating home directories. In addition, the file that specifies the user data can be updated to include pathname changes. For example, if the original system’s home directories were exported using NFS, they could be mounted under the /export mount point on the new system, and the data in the user specification file could be updated accordingly before being processed. Or, if mount points changed at a later time, user data on the system could be modified by using the smmultiuser command as well.

Like smexec, smmultiuser has three options that must be passed to the command upon execution: add, which adds multiple user entries; delete, which deletes one or more user entries; and modify, which modifies a set of existing entries. In order to use smmultiuser to change passwords, the user must have the solaris.admin.usermgr.pswd authorization. Two sets of parameters—authorization parameters and operation parameters—can be passed to smmultiuser, depending on which option has been selected.

The authorization parameters are common to each subcommand, and they specify the following characteristics:

-domain

The domain to be administered

-hostname host:port

The hostname and port on which operations are to be performed (default port is 898)

-password

The password for the user rather than the role

-rolename

The name of the role

-rolepassword

The password for role authentication

-trust

Required when operating in batch mode

-username

The name of the user

For add, delete, and modify operations using smmultiuser, the following parameters can be passed on the command line:

-i

Specifies the input file to be read. This contains the data for all entries to be added, modified, or deleted.

-L

Specifies the name of the log file that records whether each individual operation in the batch job succeeded or failed.

In the following example, a set of records is read in from /home/paul/newaccounts.txt and added to the system (-p is the short form of -password):

# smmultiuser add -hostname localhost -p xyz123 -username root -- \
  -i /home/paul/newaccounts.txt
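The script below is an added example, not part of Solaris or of smmultiuser, of the preparation step the text describes: rewriting the home-directory paths in an exported user file for the new mount point and checking the file before smmultiuser add creates everything in it. It assumes that the input file uses the passwd(4) field order name:password:uid:gid:comment:home:shell (confirm this against smmultiuser(1M) on your release); the sample records, the function names and the output path in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example: prepare and validate a batch user file before feeding it to
# smmultiuser add.  Not part of Solaris or of smmultiuser.  Assumption: the
# input file uses passwd(4) field order
#   name:password:uid:gid:comment:home:shell
# Check smmultiuser(1M) on your release before relying on that layout.

# Constructed export from the production host.  Home directories live under
# /home there; on the new host the same directories are NFS-mounted under
# /export/home.  Three records are deliberately bad.
PROD_ACCOUNTS='walrus:x:1025:10:Paul A Watters Director:/home/walrus:/bin/ksh
natalie:x:1026:10:Natalie Smith:/home/natalie:/bin/sh
badroot:x:0:1:Second root account:/home/badroot:/bin/sh
walrus2:x:1025:10:Duplicate UID:/home/walrus2:/bin/sh
nohome:x:1027:10:Truncated record'

# rehome OLD NEW   (filter)
# Rewrites the home-directory field of every record whose home starts with
# OLD/ so that it starts with NEW/ instead; other fields are untouched.
rehome() {
    awk -F: -v OFS=: -v old="$1" -v new="$2" '
        NF >= 7 && index($6, old "/") == 1 { $6 = new substr($6, length(old) + 1) }
        { print }'
}

# validate   (filter)
# Prints "line N: reason" for every problem and exits 1 if any was found.
# smmultiuser will create whatever it is given, so reject here what you would
# not want created: a second UID 0, duplicate names or UIDs, relative home
# directories, empty shells and malformed records.
validate() {
    awk -F: '
        function bad(n, msg) { print "line " n ": " msg; errors++ }
        NF != 7          { bad(NR, "expected 7 fields, got " NF); next }
        $1 == ""         { bad(NR, "empty user name") }
        $3 !~ /^[0-9]+$/ { bad(NR, "non-numeric UID \"" $3 "\"") }
        $3 == 0          { bad(NR, "UID 0 is reserved for root") }
        $4 !~ /^[0-9]+$/ { bad(NR, "non-numeric GID \"" $4 "\"") }
        $6 !~ /^\//      { bad(NR, "home directory must be absolute") }
        $7 == ""         { bad(NR, "empty login shell") }
        ($1 in names)    { bad(NR, "duplicate user name " $1) }
        ($3 in uids)     { bad(NR, "duplicate UID " $3 " (also used by " uids[$3] ")") }
        { names[$1] = NR; uids[$3] = $1 }
        END { exit errors ? 1 : 0 }'
}

# prepare_batch OLD NEW OUTFILE
# Rewrites PROD_ACCOUNTS for the new host and writes it to OUTFILE only if it
# validates; otherwise prints the findings and leaves OUTFILE untouched.
prepare_batch() {
    printf '%s\n' "$PROD_ACCOUNTS" | rehome "$1" "$2" > "$3.tmp" || return 1
    if validate < "$3.tmp"; then
        mv "$3.tmp" "$3"
        echo "wrote $3; hand it to smmultiuser with -i $3 -L $3.log"
    else
        rm -f "$3.tmp"
        return 1
    fi
}

# Usage on the new host (assumed invocation; the root password is a placeholder):
#   prepare_batch /home /export/home /var/tmp/newaccounts.txt &&
#   smmultiuser add -hostname localhost -password xyz123 -username root -trust -- \
#       -i /var/tmp/newaccounts.txt -L /var/tmp/newaccounts.log
```

With the sample above, prepare_batch reports three problems (a UID 0 account, a duplicate UID and a truncated record) and writes nothing, which is the point: a batch tool that runs as root with the usermgr authorizations should only ever see input that has already been rejected for the obvious mistakes.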

smuser

The smuser command performs operations on user accounts, whether the data is held in the local files or in NIS/NIS+. It is similar to smmultiuser; however, it is generally used to add single users rather than a set of users in batch mode. In addition to adding, deleting, and modifying user records, existing user data can be retrieved and listed. One of four subcommands must be given: add, which adds an entry; delete, which deletes an entry; list, which lists existing entries; or modify, which updates an entry. To use smuser add, delete, or modify, the user must have the solaris.admin.usermgr.write authorization; smuser list requires only solaris.admin.usermgr.read.

There are two sets of parameters that can be passed to smuser (depending on which subcommand has been selected): authorization parameters and specific parameters for each subcommand. The authorization parameters are common to each subcommand, and they specify the following characteristics:

-domain

The domain to be administered. This can be the local databases (file), NIS (nis), NIS+ (nisplus), DNS (dns), or LDAP (ldap). To administer the host foxtrot.cassowary.net using LDAP, you would specify the domain as ldap://foxtrot/cassowary.net.

-hostname host:port

The hostname and port on which operations are to be performed. The default port is 898.

-password

The password for the user rather than the role.

-rolename

The name of the role.

-rolepassword

The password for role authentication.

-username

The name of the user.

For adding entries using smuser add, the parameters are similar to those discussed for adding users using useradd. The following parameters can be passed on the command line:

-c

Specifies an account description, such as “Joe Bloggs.”

-d

Specifies the user’s home directory.

-e

Specifies the account expiration date.

-f

Specifies a limit on the number of inactive days before an account is expired.

-F

Specifies a full name for the account, which must not be used by another account within the domain.

-g

Specifies the account GID.

-n

Specifies the account name.

-P

Specifies the account password.

-s

Specifies the default shell.

-u

Specifies the account UID.

An example smuser add command is shown here. Note that -H, -p and -u before the -- separator are the short forms of -hostname, -password and -username, while the -u after the separator is the new account’s UID:

# smuser add -H localhost -p xyz123 -u root -- -F "Paul Watters" \
  -n walrus -c "Paul A Watters Director" -P jimmy123 -g 10 -u 1025

This command adds an account called walrus to the system for Paul Watters, with the password jimmy123. The UID for the account is 1025, and the GID is 10.

For removing entries using smuser delete, only the -n parameter (specifying the account name) needs to be passed on the command line. The following command would remove the account for walrus on the localhost:

# smuser delete -H localhost -p xyz123 -u root -- -n walrus

The smuser list command can display a list of users without any further parameters, by using a command like this:

# smuser list -H localhost -p xyz123 -u root --

For modifying entries using smuser modify, the same parameters can be passed on the command line as for smuser add, with any new supplied values resulting in the appropriate fields being updated. For example, to change the default shell for a user to the Korn shell, the following command would be used:

# smuser modify -H localhost -p xyz123 -u root -- -n walrus -s /bin/ksh

smprofile

The smprofile command is used to create, list, update, and delete profiles in the prof_attr database, using smprofile add, smprofile list, smprofile modify, and smprofile delete, respectively. The authorization arguments are similar to those used for smuser and smexec. For adding entries using smprofile add, the following parameters can be passed on the command line:

-a

Adds a single authorization or a set of authorizations.

-d

Adds a description for the new profile.

-m

Specifies the path to the HTML help file associated with the profile.

-n

Specifies a name for the profile.

An example smprofile add command is shown here:

# smprofile add -H localhost -p xyz123 -u root -- -n "Password Manager" \
  -d "Change user passwords" -a solaris.admin.usermgr.pswd \
  -m PasswordManager.html

This command adds a profile for the Password Manager who has the authorization solaris.admin.usermgr.pswd to change passwords.

For listing entries using smprofile list, only the -n parameter can be passed on the command line; it is optional and names a single profile to list. Without it, all profiles are listed. An example smprofile list command is shown here:

# smprofile list -H localhost -p xyz123 -u root --

For modifying entries using smprofile modify, the same parameters can be passed on the command line as for smprofile add. Any parameters specified will result in the corresponding field being updated. An example smprofile modify command is shown here:

# smprofile modify -H localhost -p xyz123 -u root -- \
  -n "Password Manager" -d "Modify user passwords"

This example changes the description for the profile Password Manager.

For deleting entries using smprofile delete, only the -n parameter can be passed on the command line, which specifies the name of the profile to delete. An example smprofile delete command is shown here:

# smprofile delete -H localhost -p xyz123 -u root -- \
  -n "Password Manager"

smrole

The smrole command is used to perform operations on role accounts. It is generally used to add single roles rather than a set of roles in batch mode. In addition to adding, deleting, and modifying role account records, existing role data can be retrieved and listed. One of four options must be passed to the command upon execution: add, which adds an entry; delete, which deletes an entry; list, which lists all existing entries; or modify, which updates an entry. In order to use smrole add, delete, or modify, the user must have the solaris.role.write authorization. However, only the solaris.admin.usermgr.read authorization is required to list entries. There are two sets of parameters that can be passed to smrole (depending on which option has been selected): authorization parameters and specific parameters for each option. The authorization parameters are similar to those used for smuser.

For adding entries using smrole add, the following parameters can be passed on the command line:

-c

Specifies a role account description, such as “System Manager.”

-d

Specifies the role account’s home directory.

-G

Specifies any secondary GIDs for the role account; the primary GID is always that of the sysadmin group.

-n

Specifies the role name.

-P

Specifies the role password.

-s

Specifies the default shell.

-u

Specifies the role account’s UID.

An example smrole add command is shown here:

# smrole add -H localhost -p xyz123 -u root -- -c "System Manager" \
  -n bofh -P abc123 -G 10 -u 666

This command adds a role called bofh to the system, described as System Manager, with the password abc123. The UID for the role account is 666, and its secondary GID is 10. A role cannot be logged into directly: a user who has been assigned the role switches to it with su and must supply the role password, so the set of users assigned the role plus that password is the whole access path to the role’s profiles.

For removing entries using smrole delete, only the -n parameter, specifying the role account name, needs to be passed on the command line. The following command would remove the account for bofh on the localhost:

# smrole delete -H localhost -p xyz123 -u root -- -n bofh

The smrole list command can display a list of roles without any further parameters, by using a command like this:

# smrole list -H localhost -p xyz123 -u root --

For modifying entries using smrole modify, the same parameters can be passed on the command line as for smrole add, with any new supplied values resulting in the appropriate fields being updated. For example, to change the default shell for the bofh role to the Bourne shell, the following command would be used:

# smrole modify -H localhost -p xyz123 -u root -- -n bofh -s /bin/sh

Be aware of what this example does: the commands in a role’s rights profiles only pick up their exec_attr attributes when run from a profile shell (pfsh, pfcsh or pfksh) or through pfexec, so a role whose shell is plain /bin/sh can assume the role but gets none of its privileged commands unless it invokes pfexec explicitly.
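The script below is an added example, not part of Solaris or of the smuser, smprofile and smrole commands, that ties the three together: given the user_attr(4) and prof_attr(4) records those commands write, it resolves which authorizations a user actually ends up with, directly, through assigned profiles (including profiles nested in profiles), and through any role the user may assume, and lists who can assume a given role. It assumes the Solaris 9 layouts user:qualifier:res1:res2:attr for user_attr and profname:res1:res2:desc:attr for prof_attr, and the rule that an auths entry ending in * grants every authorization with that prefix (root’s solaris.* being the usual case). The sample records, which include the Password Manager profile and the bofh role from the examples above, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: resolve the authorizations a user ends up with once smuser,
# smrole and smprofile have written user_attr(4) and prof_attr(4).  Not part
# of Solaris.  Assumes the Solaris 9 layouts
#   user_attr: user:qualifier:res1:res2:attr  (attr: type=;roles=;profiles=;auths=)
#   prof_attr: profname:res1:res2:desc:attr   (attr: auths=;profiles=;help=)
# and the wildcard rule that an auths entry ending in "*" grants every
# authorization with that prefix.

# Constructed samples.  They contain the records the smprofile add and
# smrole add examples would create, plus a user who may assume the role.
USER_ATTR='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
bofh::::type=role;profiles=Password Manager,Printer Management
walrus::::type=normal;roles=bofh;profiles=Log Viewer
natalie::::type=normal;auths=solaris.admin.usermgr.read'
PROF_ATTR='Password Manager:::Change user passwords:auths=solaris.admin.usermgr.pswd;help=PasswordManager.html
Printer Management:::Manage printers:auths=solaris.admin.printer.read,solaris.admin.printer.modify
Log Viewer:::Read system logs:profiles=Basic Solaris User
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read'

# user_auths USER
# Prints, sorted, every authorization USER holds directly, through assigned
# profiles (nested profiles included) or through any role USER may assume.
user_auths() {
    printf 'U\n%s\nP\n%s\n' "$USER_ATTR" "$PROF_ATTR" | awk -F: -v who="$1" '
        function kv(attr, key,   n, i, p) {        # value of key= inside attr
            n = split(attr, p, ";")
            for (i = 1; i <= n; i++)
                if (index(p[i], key "=") == 1) return substr(p[i], length(key) + 2)
            return ""
        }
        function walk_prof(name,   n, i, a) {
            if (name in seenp) return
            seenp[name] = 1
            n = split(kv(pattr[name], "auths"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") out[a[i]] = 1
            n = split(kv(pattr[name], "profiles"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") walk_prof(a[i])
        }
        function walk_user(name,   n, i, a) {
            if (name in seenu) return
            seenu[name] = 1
            n = split(kv(uattr[name], "auths"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") out[a[i]] = 1
            n = split(kv(uattr[name], "profiles"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") walk_prof(a[i])
            n = split(kv(uattr[name], "roles"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") walk_user(a[i])
        }
        /^U$/ { mode = "u"; next }                 # marker: user_attr follows
        /^P$/ { mode = "p"; next }                 # marker: prof_attr follows
        mode == "u" { uattr[$1] = $5 }
        mode == "p" { pattr[$1] = $5 }
        END { walk_user(who); for (x in out) print x }' | sort
}

# has_auth USER AUTH
# Exit 0 if USER holds AUTH exactly or through a trailing-"*" wildcard entry.
has_auth() {
    user_auths "$1" | awk -v want="$2" '
        $0 == want { ok = 1 }
        /\*$/ && index(want, substr($0, 1, length($0) - 1)) == 1 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# role_members ROLE
# Prints the users whose user_attr record lists ROLE in roles=, i.e. the
# users who may su to it (roles cannot be logged into directly).
role_members() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v role="$1" '
        {
            n = split($5, p, ";")
            for (i = 1; i <= n; i++) if (index(p[i], "roles=") == 1) {
                m = split(substr(p[i], 7), r, ",")
                for (j = 1; j <= m; j++) if (r[j] == role) print $1
            }
        }' | sort
}

# Stand-alone demonstration: sh rbac_resolve.sh demo
if [ "${1:-}" = demo ]; then
    for u in root walrus natalie; do
        printf '%s: %s\n' "$u" "$(user_auths "$u" | tr '\n' ' ')"
        if has_auth "$u" solaris.admin.usermgr.pswd; then echo "  -> may change passwords"; fi
    done
    printf 'users who can assume bofh: %s\n' "$(role_members bofh | tr '\n' ' ')"
fi
```

With the sample, walrus holds solaris.admin.usermgr.pswd only by way of the bofh role, natalie holds solaris.admin.usermgr.read and nothing else, and root matches everything through solaris.*. To run the same resolution against a live host, replace the two sample variables with the contents of /etc/user_attr and /etc/security/prof_attr; the awk code does not change.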

