Administrative files & pfedit

Here's another great tool from the Solaris 11.1  arsenal: pfedit (1M).
It's the per-file authorized edit of administrative text files.

Great, great tool! And it's even audit enabled!
Imagine the cumbersome work to approach (not match) it with sudo!

For the auditing I think it's worthy to quote the man page:

          ..., in  the  case  of  a  successful  update,  an
attempt  to make unauthorized use, or if an error occurs, an
audit record is generated to capture the subject,  the  file
name,  the  authorization  used, the file change if any, and
the success or failure of the  operation.  The  audit  event
type and default class is one of:

  AUE_admin_edit:edit administrative file:as
  AUE_admin_file_create:create administrative file:as
  AUE_admin_file_remove:remove administrative file:as

The fundamental idea is rather straightforward.
Add the proper Solaris authorization related to the administrative file.

Example:

Let's authorize user1 to edit /etc/hosts.
The following is just for quick learning, don't do it exactly this way.
In fact, the proper way of doing it is to create a RBAC profile or a role.

# usermod -A +solaris.admin.edit/etc/hosts user1
UX: usermod: user1 is currently logged in, 
some changes may not take effect until next login.

# getent user_attr user1
user1::::auths=solaris.admin.edit/etc/hosts;...

In the above example, user1 happened to be logged in.
But that won't be an issue for this particular case.
Otherwise, it's necessary to get a new session.

user1$ pfedit /etc/hosts
...
#
::1              localhost
127.0.0.1        localhost        loghost
#
...
~
~
"/tmp/hosts.pfedit.AXaGmg" 25L, 587C

Hadn't been for the given Solaris authorization user1 would get:

user1$ pfedit /etc/hosts
pfedit: User user1 is not authorized...

Or at best (typically after a w!):

user1$ vi /etc/hosts
...
"/etc/hosts"
"/etc/hosts" E212: Can't open file for writing
Press ENTER or type command to continue

The pfedit command can also be used to create administrative text files.
Those files can also be deleted (removed) with the -r option.

---

It isn't a good practice to apply the authorization on a per-user basis.
Let's see a more realistic approach.

In general, it's recommended to:

• Gather related authorizations in a profile.
• Assign the profile to a role and the role to authorized logins (users).

For instance:

Assume that user1 and role1 already exist, of course.
Let's invent a level 0 type 1 administration profile.

# profiles -p "Admin L0 T1"
profiles: Admin L0 T1> set auths=solaris.admin.edit/etc/hosts
profiles: Admin L0 T1> set desc="Level 0 Type 1 Administrator"
profiles: Admin L0 T1> exit

# rolemod -P +"Admin L0 T1" role1
# usermod -R +role1 user1

But as in the man page it may be OK (or enough) to not require a role.
Simply assign the profile directly to the login.

# usermod -P +"Admin L0 T1" user1

The trade-offs should be clear:

Directly assigning profiles to logins complicates account management, whereas assigning profiles to roles requires inputing a password every time roles are used (but still better than having a sudo password timeout or a sudo su -).

  

Solaris 11.2 Beta availability

Yesterday was a great day!
Solaris 11.2 Beta was made available for downloading!

I don't recall a Beta version of Solaris for a long time.
I can only think of it as a matter of marketing competition and so on.
Nevertheless, I still haven't no other option but to reinstate that:

It continues raising the bar.
Tremendous enhancements and new features.
Oracle is definitely sustaining Solaris.
  
Once more, since the beginning of this blog I can say:
If it must run, it runs on Solaris!
 

NIS & logins - troubleshooting #1

Despite all the quality and stability of Solaris 11 sometimes things go wrong.
Before pinning up anything it's important to assess all the variables.

For instance, upon forcibly rebooting a x86 with a few Solaris 11 zones, one of them acting as a NFS server, within a NIS services infrastructure something odd happened; the following values simply vanished:

• The config/* of name-service/switch SMF service.
• The config/domainname of nis/domain SMF service.
• The sharectl nfsmapid_domain.

  
The resolution was simply reentering the correct values, of course.
But until narrow down to what was wrong the symptoms were diverse:

• The NIS users were not being able to log in.
• The NFS server was not resolving any uid and gid.
• The NIS clients were listing nobody for user and group.

Nevertheless it's most important to determine the cause.
In my specific case I suspect of the well known:

Using ZFS Storage Pools in VirtualBox

Yes, I'm using VirtualBox for composing many posts.
Yes, due to a video adapter failure the host system had to be halted for repair.
And, yes, I haven't enabled the cache flushing on the VMs.
  

NIS & roles

I've already posted about NIS & logins.
This post is a similar one but about NIS & roles.

A role is an account that is used to indirectly access the system.
As a login it posses the concepts of credential and home directory.
Those resources are conveniently centrally managed by NIS services.
Unfortunately NIS can't provide nowadays security requirements.
Nevertheless, it may still be very useful on restricted scenarios.

I reinstate the assumptions listed on NIS & logins.
Nevertheless I make one exception (just for illustration):
the NIS master host nis-1 is an immutable zones of host-1.

On this example, I'll create a role called nis.
The goal is to manage NIS through this role avoiding the cumbersome sudo.

To perform the series of changes on nis-1 reboot it into read-write mode:
(when finished, reboot it once again to reenter the read-only mode)

host-1# zoneadm -z nis-1 reboot -w

Create the role account on the NIS master:

nis-1# roleadd -c "NIS" -K roleauth=user nis

nis-1# getent passwd nis
nis:x:103:10:NIS:/export/home/nis:/usr/bin/pfbash

nis-1# passwd nis
New Password:
Re-enter new Password:
passwd: password successfully changed for nis

Copy the role basic configuration to the appropriate maps' sources:

nis-1# grep nis /etc/passwd >> /var/nis/acct/passwd
nis-1# grep nis /etc/shadow >> /var/nis/acct/shadow

Clean up the local role account from the NIS master:

nis-1# roledel nis

Edit the group and home directory configuration on the passwd map.
It should look like as follows:

nis-1# grep nis /var/nis/acct/passwd
nis:x:103:1001:NIS:/home/nis:/usr/bin/pfbash

nis-1# grep nis /var/nis/group
nis::1001:

Edit the netgroup configuration.
It should look somewhat similar to:
 
nis-1# cat /var/nis/netgroup
...
nisadmin ... (-,nis,business.corp) ...
...

Edit the project configuration on the project map.
It should look like as follows:

nis-1# grep nis /var/nis/project
nisadmin:200:NISAdmin:nis::

nis-1# grep nis /var/nis/user_attr  
nis::::type=role;project=nisadmin;profiles=All;roleauth=user

Edit the automounter configuration on the auto_home map.
It should look like as follows:

nis-1# grep nis /var/nis/auto_home
nis nfs-1.business.corp:/export/home/&

Run make on the updated sources:

nis-1:/var/yp# make
updated passwd
pushed passwd
updated ageing
updated netid
pushed netid
updated project
pushed project
updated netgroup
pushed netgroup
updated auto.home
pushed auto.home
updated user_attr
pushed user_attr

Verify that the maps were correctly updated:

nis-2$ ypmatch -k nis passwd
nis: nis:...:103:1001:NIS:/home/nis:/usr/bin/pfbash
 
nis-2$ ypmatch -k nis auto.home
nis: nfs-1.business.corp:/export/home/&
 
nis-2$ ypmatch -k nisadmin project
nisadmin: nisadmin:102:NISAdmin:nis::

nis-2$ ypmatch -k nis user_attr
nis: nis::::project=nisadmin;type=role;roleauth=user;...
 
nis-2$ ypcat -k netgroup | grep nis
nisadmin (-,nis,business.corp)

Create and export the home directory:

nfs-1# zfs create \
> -o quota=1g \
> -o share.nfs.sec.sys.rw="desktops:servers" \
> rpool/export/home/nis

nfs-1# cp /etc/skel/.profile /export/home/nis
nfs-1# cp /etc/skel/.bashrc /export/home/nis

nfs-1# chown -R nis:root /export/home/nis

nfs-1# ll -a /export/home/nis
total 11
drwxr-xr-x   5 root     root    ... ..
drwxr-xr-x   2 nis      nis     ... .
-rw-r--r--   1 nis      nis     ... .profile
-r--r--r--   1 nis      nis     ... .bashrc

nfs-1# zfs set share.nfs=on rpool/export/home/nis

nfs-1# zfs get -o value share rpool/export/home/nis
VALUE
name=...,path=/export/home/nis,...,rw=servers:desktops

In addition to the update of NIS maps, if there were changes on any NIS netgroup that's referenced on some NFS share, then it's necessary to refresh the NFS service.

In order to be useful, roles must be associated with logins.
To associate the role nis with the login user2 alter the user_attr NIS map.

nis-1# grep nis /var/nis/user_attr  
nis::::project=project1;roles=nis

Then run make on the updated source:

nis-1:/var/yp# make
...
   
NOTE

It's important to note that during this processes there were no disruption of service to clients as all NIS clients should have been associated only to NIS slave servers.

  

Mercurial sample #1

There are excellent and comprehensive Mercurial references out there.
Nevertheless, it may be instructive to share my own learning process.
As an example I will take the NIS maps' source files directory tree:
 

├── acct
│   ├── passwd
│   └── shadow
├── aliases
├── auto_home
├── auto_master
├── ethers
├── group
├── hosts
├── ipnodes -> hosts
├── netgroup
├── netid
├── netmasks
├── networks
├── project
├── protocols
├── publickey
├── rbac
│   ├── auth_attr
│   ├── exec_attr
│   └── prof_attr
├── rpc
├── services
├── sudoers
└── user_attr

This directory tree will turn into a Mercurial repository on the NIS master.
Of course, this repository will be central and sysadmins will have their own.
This will help organize the shared management by several sysadmins.

The first concern is with the directory tree permissions.
The trouble is to share the directory tree with all sysadmins.
Giving root (sudo) access to sysadmins is a security problem.
Creating a group for the sysadmins may hit system limits.
The natural solution in Solaris is to share a role.

So, adjust the directory tree owner and group:
(the mode was already set according to NIS maps' source files)

nis-1# chown -R nis:nis /var/share/nis

nis-1# ls -lh /var/nis/*
total ...
-rw-r-----   1 nis     nis  ...  aliases
-rw-r-----   1 nis     nis  ...  auto_home
-rw-r-----   1 nis     nis  ...  auto_master
-rw-r-----   1 nis     nis  ...  ethers
-rw-r-----   1 nis     nis  ...  group
-rw-r-----   1 nis     nis  ...  hosts
lrwxrwxrwx   1 root    root ...  ipnodes -> hosts
-rw-r-----   1 nis     nis  ...  netgroup
-rw-r-----   1 nis     nis  ...  netid
-rw-r-----   1 nis     nis  ...  netmasks
-rw-r-----   1 nis     nis  ...  networks
-rw-r-----   1 nis     nis  ...  project
-rw-r-----   1 nis     nis  ...  protocols
-rw-r-----   1 nis     nis  ...  publickey
-rw-r-----   1 nis     nis  ...  rpc
-rw-r-----   1 nis     nis  ...  services
-r--r-----   1 nis     nis  ...  sudoers
-rw-r-----   1 nis     nis  ...  user_attr

/var/nis/acct:
total ...
-rw-r-----   1 nis     nis  ...  passwd
-r--------   1 nis     nis  ...  shadow
 
/var/nis/rbac:
total ...
-rw-r-----   1 nis     nis  ...  auth_attr
-rw-r-----   1 nis     nis  ...  exec_attr
-rw-r-----   1 nis     nis  ...  prof_attr
 
Log in as a user who has been granted the above role:

$ su - nis
Password:
Oracle Corporation    SunOS 5.11    11.1    December 2013
  
$ who am i
user2      pts/1      ...

Go to the NIS sources directory and do some adjustment:

$ cd /var/nis

$ rm ipnodes
$ ln -s hosts ipnodes

Create the Mercurial repository and minimal configuration file:

$ hg init

$ hg root
/var/share/nis

$ cat ~/.hgrc
[ui]
username = NIS role

Create a baseline (the initial snapshot or changeset):

$ hg status
? acct/passwd
? acct/shadow
? aliases
? auto_home
? auto_master
? ethers
? group
? hosts
? ipnodes
? netgroup
? netid
? netmasks
? networks
? project
? protocols
? publickey
? rbac/auth_attr
? rbac/exec_attr
? rbac/prof_attr
? rpc
? services
? sudoers
? user_attr

$ hg add
adding acct/passwd
adding acct/shadow
adding aliases
adding auto_home
adding auto_master
adding ethers
adding group
adding hosts
adding ipnodes
adding netgroup
adding netid
adding netmasks
adding networks
adding project
adding protocols
adding publickey
adding rbac/auth_attr
adding rbac/exec_attr
adding rbac/prof_attr
adding rpc
adding services
adding sudoers
adding user_attr
 
$ hg status
A acct/passwd
A acct/shadow
A aliases
A auto_home
A auto_master
A ethers
A group
A hosts
A ipnodes
A netgroup
A netid
A netmasks
A networks
A project
A protocols
A publickey
A rbac/auth_attr
A rbac/exec_attr
A rbac/prof_attr
A rpc
A services
A sudoers
A user_attr 
  
$ hg commit -m "Baseline"

$ hg summary
parent: 0:79f1ad4f096b tip
 Baseline
branch: default
commit: (clean)
update: (current)

$ hg tip
changeset:   0:79f1ad4f096b
tag:         tip
user:        NIS role
date:        Wed Apr 09 15:10:24 2014 -0300
summary:     Baseline
  

NIS maps' source files

The first (somewhat boring) step for installing a NIS master is the creation of the source files location and its appropriate contents at a stable location on the NIS master virtual file system hierarchy. Furthermore, for security reasons it's better to create 2 additional subdirectories within it in order to segregate user account information from RBAC information from general information. Instead of a traditional directory structure, I'll use two Solaris specific technologies, ZFS and VARSHARE together with a Revision Control System. Simply use ordinary directories isn't the best approach where management and control are required.

Create sub-datasets of rpool/VARSHARE which will provide boot environments (BEs) independence and allow for ZFS snapshots and specific properties such as ZFS compression and ZFS deduplication. If on an immutable zone, be aware that a preliminary boot -w will be required in order to take snapshots, which is probably an inconvenience; NIS maps need to be frequently changed and taking a ZFS snapshot before each change would require 2 reboots. Because of this, one could consider a Version Control System such as Mercurial in order to streamline the management of the source maps by not requiring any reboots leaving ZFS snapshots would be left for more long term backup strategy. But thinking twice, that's not a good idea because no NIS client should be pointing to the NIS master but instead to a NIS slave. Rebooting the NIS master isn't an issue after all.
  
# zfs create -p rpool/VARSHARE/nis/acct
# zfs create -p rpool/VARSHARE/nis/rbac

# zfs list -t all -r rpool/VARSHARE 
NAME                    USED AVAIL REFER MOUNTPOINT
rpool/VARSHARE          124K 13.9G   48K /var/share
rpool/VARSHARE/nis       95K 13.9G   33K /var/share/nis
rpool/VARSHARE/nis/acct  31K 13.9G   31K /var/share/nis/acct
rpool/VARSHARE/nis/rbac  31K 13.9G   31K /var/share/nis/rbac 
  
# chmod -R 750 /var/share/nis
  
Following the Solaris best practice, a symbolic link is created.

# ln -s /var/share/nis /var/nis
# ls -lh /var | grep ^l
...
lrwxrwxrwx   1 root     root ... nis -> ../var/share/nis
... 
 
# ls -lh /var/share/nis
...
drwxr-x---   2 root     root ... acct
drwxr-x---   2 root     root ... rbac

Next the initial maps' sources are created.
   
# cd /var/share/nis 
 
# cp /etc/{group,project} .
# cp /etc/{passwd,shadow} acct
# cp /etc/security/{prof_attr,exec_attr,auth_attr} rbac
 
# touch ethers netgroup netid
# sed -e '/^[^#]/d' < /etc/mail/aliases > ./aliases
# sed -e '/^[^#]/d' < /etc/hosts > ./hosts  
# sed -e '/^[^#]/d' < /etc/auto_master > ./auto_master
# sed -e '/^[^#]/d' < /etc/auto_home > ./auto_home
# sed -e '/^[^#]/d' < /etc/networks > ./networks
# sed -e '/^[^#]/d' < /etc/netmasks > ./netmasks
# sed -e '/^[^#]/d' < /etc/protocols > ./protocols 
# sed -e '/^[^#]/d' < /etc/services > ./services
# sed -e '/^[^#]/d' < /etc/rpc > ./rpc
# sed -e '/^[^#]/d' < /etc/publickey > ./publickey  
# sed -e '/^[^#]/d' < /etc/user_attr > ./user_attr
# sed -e '/^[^#]/d' < /etc/sudoers > ./sudoers

# ln -s hosts ipnodes 
  
# chmod -R o= /var/share/nis

# ls -lh /var/nis/*
total ...
-rw-r-----   1 root     root ... aliases
-rw-r-----   1 root     root ... auto_home
-rw-r-----   1 root     root ... auto_master
-rw-r-----   1 root     root ... ethers
-rw-r-----   1 root     root ... group
-rw-r-----   1 root     root ... hosts
lrwxrwxrwx   1 root     root ... ipnodes -> hosts
-rw-r-----   1 root     root ... netgroup
-rw-r-----   1 root     root ... netid
-rw-r-----   1 root     root ... netmasks
-rw-r-----   1 root     root ... networks
-rw-r-----   1 root     root ... project
-rw-r-----   1 root     root ... protocols
-rw-r-----   1 root     root ... publickey
-rw-r-----   1 root     root ... rpc
-rw-r-----   1 root     root ... services
-r--r-----   1 root     root ... sudoers
-rw-r-----   1 root     root ... user_attr

/var/nis/acct:
total ...
-rw-r-----   1 root     root ... passwd
-r--------   1 root     root ... shadow
 
/var/nis/rbac:
total ...
-rw-r-----   1 root     root ... auth_attr
-rw-r-----   1 root     root ... exec_attr
-rw-r-----   1 root     root ... prof_attr

Now the contents of the copied files must be appropriately adjusted according to the best practices and requirements. I'm assuming all the defaults of a fresh installation so certain source files require cleanup:

# cd /var/nis 

# cat /dev/null > acct/passwd
# cat /dev/null > acct/shadow 
# cat /dev/null > ./group
# cat /dev/null > ./project

Now the source files and respective structure for the NIS maps are set.
Now proceed to install and configure the NIS master and its NIS slaves.
   

Mercurial's complementary tools

On Mercurial installation I've mentioned how Solaris Studio 12.3 integrates it.
Now I'd like to mention a few other tools that also go with Mercurial:
  

• vim          (for syntax highlighting or patch files)
• meld        (for a visual diff and merge tool) 
• emacs     (IPS package gnu-emacs)

 
Use pkg info -r to check both them on the IPS repository.
To install, it suffices to emit the respective pkg install commands.
 

$ pkg info -r vim
          Name: editor/vim
       Summary: Vi IMproved
   Description: Vim is a clone of the Unix editor 'vi'. 
                It is a modal text editor with support for 
                syntax highlighting, ...
      Category: Development/Editors (org.opensolaris.category.2008)
                System/Text Tools (org.opensolaris.category.2008)
         State: Installed
     Publisher: solaris
       Version: 7.3.600
 Build Release: 5.11
        Branch: 0.175.1.1.0.2.0
Packaging Date: October 23, 2012 05:15:31 PM
          Size: 21.63 MB
          FMRI: pkg://solaris/editor/vim@7.3.600,...

$ pkg info -r meld
          Name: developer/meld
       Summary: meld - graphical diff and merge tool
   Description: Meld is a visual diff and merge tool. 
                You can compare two or three files and 
                edit them in place (diffs update dynamically).
                You can compare two or three folders and 
                launch file comparisons. 
                You can browse and view a working copy 
                from popular version control systems 
                such such as CVS, Subversion, Bazaar-ng
                and Mercurial.
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 1.4.0
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September  4, 2012 05:16:52 PM
          Size: 1.25 MB
          FMRI: pkg://solaris/developer/meld@1.4.0,...
 
It's pretty much cosmetic but here's how they respectively look like:

Back from 2014 vacation

Well, after two months, one of which dedicated to my vacation, I'm back.
Not that anyone cares, of course, but just to make sure I'll carry on.
Having this couple of months away was of great benefit to me.
On the other side, there's a backlog I intend to attack:

• A refined version of a 1st specialized C++ memory pool
• Advanced C++ smart pointers
• Further posts about Mercurial installation 
• Further posts about DNS installation  
• Further posts about SMF

 
Not that everything will flow quickly and soon, after wall, every honest accomplishment almost always require hard work and I'm glad this is the path I've been always looking for.