| Sun Microsystems Systems Architecture Committee | |
|---|---|
| Subject | Per user Authentication Policy |
| Submitted by | Nicolas Williams |
| File | PSARC/2005/275/opinion.html |
| Date | 01/02/06 |

Darren Moffat, James D Carlson, Ed Gould, William Sommerfeld, Gary Winiger
|
|
Solaris PAC |
|
This case adds support for per-user PAM configuration, a highly desirable feature. No changes are needed to PAM applications or modules, nor does libpam become unnecessarily Unix-specific. The case introduces a PAM module, pam_user_policy(5), which evaluates a per-user PAM configuration by calling a new PAM function, pam_eval(); the PAM configuration to evaluate is named in a user_attr(4) or prof_attr(4) entry (the 'pam_policy' key) and/or in policy.conf(4).
The administrative RBAC interfaces are modified to recognise the new 'pam_policy' key in user_attr(4) and prof_attr(4). Various PAM configuration files for use with this facility are also provided.
The project is approved as specified in reference [1], as modified by the required technical changes listed in Appendix A. The project may be delivered in a patch release of Solaris.
|
Interfaces Exported

| Interface Name | Classification | Comment |
|---|---|---|
| pam_eval(3PAM) | Stable | Defined by pam_eval(3PAM) manpage |
| pam_user_policy(5) | Stable | Defined by pam_user_policy(5) manpage |
| user_policy(5) | Stable | Defined by user_policy(5) manpage |
| Config file names | Stable | Defined by user_policy(5) manpage |
| Config file semantics | Stable | Defined by user_policy(5) manpage |
| Config file contents | Not an Interface | |
| smprofile(1m), smrole(1m), smuser(1m) -K key=value | Stable | Defined by smprofile(5) manpage |
| user_attr/prof_attr/policy.conf pam_policy keyword | Stable | Defined by user_attr(5) manpage |
|
Interfaces Imported

| Interface Name | Classification | Comment |
|---|---|---|
| None of note | | |
|
|
During the inception review for this case a generic RBAC database and administrative problem was brought up, the full details of which are contained in reference [2]. This case follows the advice given in that reference by providing the key in all of user_attr(4), prof_attr(4) and policy.conf(4). The API part of this may be addressed by PSARC/2005/717 “Reno: Login Process Enhancements for Interop”.
This project adds GUI components to the same place in the SMC administrative tool as the Rampart (Trusted Extensions) project. The project team is advised to synchronise delivery with LSARC/2006/007; no inter-project dependency is introduced by this case.
This case once again raised the question of what the future graphical administrative interface for core Solaris components is intended to be. We are presently shipping at least three frameworks: SMC, Lockhart and Webmin. This project changes only SMC, since there is no user management content available via Lockhart at this time. Webmin does have user management but at present has no RBAC content.
The committee agreed that the changes to the administrative interfaces introduced by this project are sufficiently obvious that an additional review by UIRB was not necessary.
The committee had some discussion on the GUI changes for SMC. In particular it was felt that some feedback on whether a named policy exists was required. Some members requested a drop-down list of the default policies that the system ships with; this led to TCA#1.
There was also some discussion on the possibility of using a unique file extension for the policy files. The project team will investigate this and may use it to assist with TCA#1 if it is implemented. No TCR or TCA was issued for this.
The committee issued TCR#1 to require a warning if the requested policy file is not present. Given how SMC works, the policy file need not be available on the machine running the SMC GUI, since it may be administering a remote machine; this is why it is only a warning rather than an error. The local-files-only administrative tools, usermod(1m) et al., are expected to make the same check.
None.
The relevant budget holders are advised to fund a project to fully resolve the API and database problems with the RBAC databases as detailed in http://sac.sfbay/PSARC/2005/275/commitment.materials/RBACTrainWreck.
As in 4.2 the project team is advised to be aware of LSARC/2006/007.
TCR#1: Display a warning if the requested policy file does not exist on the host running SMC.
The UNIX policy must serve as a fallback when there is no entry for the user in user_attr(4), prof_attr(4) or a system wide policy specified in policy.conf(4).
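The lookup order this requirement implies (the user's own user_attr(4) entry, then a profile's prof_attr(4) entry, then the system-wide policy.conf(4) setting, then the UNIX policy) together with the TCR#1 missing-file warning, as an added example that is not part of the case materials or of the project's own code. The file contents, the policy.conf key name PAM_POLICY, the policy names and the set of present policy files are constructed assumptions.

```python
# Added example, not from the PSARC case: resolve the per-user PAM policy name in the
# order the opinion requires (user_attr entry, then an assigned profile's pam_policy
# key in prof_attr, then policy.conf, then the "unix" fallback). File contents, the
# policy.conf key name PAM_POLICY and all policy names are constructed for this example.
USER_ATTR = """\
alice::::type=normal;pam_policy=krb5_only
bob::::type=normal;profiles=Operator
carol::::type=normal
"""
PROF_ATTR = """\
Operator:::Operator profile:pam_policy=ldap_pw;help=RtOperator.html
"""
POLICY_CONF = """\
# constructed system-wide settings: no PAM_POLICY line, so "unix" applies
PROFS_GRANTED=Basic Solaris User
"""

def _attrs(field):
    """Parse a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def _parse_attr_db(text, attr_col=4):
    """Parse colon-separated user_attr/prof_attr lines into {name: attrs}."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            db[fields[0]] = _attrs(fields[attr_col])
    return db

def _parse_policy_conf(text):
    """Parse KEY=value lines of policy.conf, skipping comment lines."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))

def resolve_pam_policy(user, user_attr=USER_ATTR, prof_attr=PROF_ATTR, policy_conf=POLICY_CONF):
    """Return the policy name that applies to `user`, or "unix" when nothing names one."""
    uattrs = _parse_attr_db(user_attr).get(user, {})
    if "pam_policy" in uattrs:
        return uattrs["pam_policy"]
    profs = _parse_attr_db(prof_attr)
    for prof in uattrs.get("profiles", "").split(","):
        if "pam_policy" in profs.get(prof, {}):
            return profs[prof]["pam_policy"]
    return _parse_policy_conf(policy_conf).get("PAM_POLICY", "unix")

def missing_policy_warning(policy, present):
    """TCR#1 check: warn when the named policy file is absent; `present` stands in for a directory listing."""
    return None if policy in present else f"warning: policy file {policy!r} not found"
```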
TCA#1: Allow the user to choose from a drop-down list of the default policies shipped with the system.
Unless otherwise stated, path names are relative to the case directory (PSARC/2005/275).
[commitment.materials/RBACTrainWreck] RBAC Database/API problem