user for users management

Hello

I am a newbie in Red Hat; I used to administer Solaris.
Is there something in Red Hat like RBAC (the role-based access model)?

The thing is, I need to create a user that would have total control over user management: create and modify users, give sudo, chmod, chown, rwx on files, chage, etc.

Responses

Yes, if you wish to let a user execute root commands such as useradd, userdel, etc., then you can do this by editing the /etc/sudoers file with the proper attributions. Refer to this KB for more details: https://access.redhat.com/solutions/1527

For example, if you wish to allow a user named "redhat" to run the useradd and userdel commands, then you can do this by adding the following two lines to the /etc/sudoers file (use the visudo command as the root user to edit this file):

[root@pxeserver1 ~]# grep USERS /etc/sudoers
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/bin/passwd
redhat  ALL=USERS

So this user would be able to run those commands by using sudo followed by the specific command; the user would be required to enter a password for authentication. You may run the "sudo -l" command after logging in to check which commands this user can run with sudo.

[redhat@pxeserver1 ~]$ sudo -l
[sudo] password for redhat:
Matching Defaults entries for redhat on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User redhat may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/bin/passwd
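
Added example (not from the answer above, and not part of sudo): a small Python audit of the Cmnd_Alias shown in that answer. It resolves the alias for the user rule and flags commands that are root-equivalent when delegated with unrestricted arguments, which is the caveat a practitioner will want before handing out this kind of rule. The list of commands and reasons is this example's own assumption; the second sample uses the argument-pattern style from the sudoers(5) manual ('passwd [A-Za-z]*, !passwd root').

```python
"""Heuristic audit of a sudoers rule set for commands that are root-equivalent
when delegated without argument restrictions.

Added example for this thread; not the poster's code and not part of sudo.
It understands only the subset of sudoers(5) used above: Cmnd_Alias lines and
plain 'user host=(runas) TAG: cmnds' user specifications.
"""
import os
import re

# Facts about the tools: with unrestricted arguments, each of these lets the
# delegate become root. Choosing this set is the example's own assumption.
ROOT_EQUIVALENT = {
    "passwd":  "'sudo passwd' with no user, or 'sudo passwd root', resets root's password",
    "useradd": "'useradd -o -u 0 <name>' creates a second UID 0 account",
    "usermod": "'usermod -o -u 0' or 'usermod -aG wheel <self>' grants root or sudo",
    "chown":   "chown can take ownership of /etc/shadow or /etc/sudoers",
    "chmod":   "chmod can set the setuid bit on a root-owned binary",
}

# Constructed samples: the rule set from the answer above, and a tightened
# variant using the argument pattern shown in the sudoers(5) manual.
SUDOERS_AS_POSTED = """\
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/bin/passwd
redhat  ALL=USERS
"""

SUDOERS_TIGHTENED = """\
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, \\
                   /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
redhat  ALL=USERS
"""


def _logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        lines.append((buf + raw).strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return [l for l in lines if l and not l.startswith("#")]


def _parse_cmnd_list(spec):
    """'/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root' -> [(negated, path, args)]."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        body = item.lstrip("!").strip()
        path, _, args = body.partition(" ")
        out.append((negated, path, args.strip()))
    return out


def parse_sudoers(text):
    """Return (aliases, rules): alias name -> cmnd list, and (user, cmnd list) rules."""
    aliases, rules = {}, []
    for line in _logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = _parse_cmnd_list(m.group(2))
            continue
        m = re.match(r"(\S+)\s+([^=\s]+)\s*=\s*(.+)$", line)
        if m:
            cmnds = re.sub(r"^\([^)]*\)\s*", "", m.group(3))   # strip (runas) part
            cmnds = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmnds)      # strip NOPASSWD: etc.
            rules.append((m.group(1), _parse_cmnd_list(cmnds)))
    return aliases, rules


def check_sudoers(text):
    """Flag (user, command, reason) for root-equivalent commands allowed with no
    argument restriction. Entries carrying an argument pattern are not flagged;
    whether that pattern is tight enough is not analysed here."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, cmnds in rules:
        expanded = []
        for negated, path, args in cmnds:
            expanded.extend(aliases[path] if path in aliases else [(negated, path, args)])
        for negated, path, args in expanded:
            if negated or args:
                continue
            reason = ROOT_EQUIVALENT.get(os.path.basename(path))
            if reason:
                findings.append((user, path, reason))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SUDOERS_AS_POSTED), ("tightened", SUDOERS_TIGHTENED)):
        print(f"== {label} ==")
        for user, path, reason in check_sudoers(text):
            print(f"{user}: {path} -> {reason}")
```

Run it as a script to see the two reports side by side: the tightened variant silences the passwd finding, while useradd and usermod remain flagged because no argument pattern closes their UID 0 and group-membership paths. Always validate any real fragment with `visudo -cf <file>` before installing it.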

Is there any option other than sudo?

How would you have done this on Solaris?

Hello Tamer Alkady,

In Red Hat you can have RBAC (you might recall a product by Sun Microsystems named "Trusted Solaris" with RBAC and roles); however, it is a lesser known variety of SELinux, namely MLS SELinux (Multi-Layer Security SELinux). This has been in every version of Red Hat since Red Hat 5, and has continued with Red Hat 6, and of course Red Hat version 7.x to current. You can constrain users, processes etc. to specific roles (see the videos link I provided below).

I have administered Trusted Solaris with its RBAC, and later we transitioned the servers we used for that to RHEL 5, then 6, then 7 using MLS SELinux. Some instruction is here in the Red Hat Documentation. There are 9 videos that go over this in some detail at https://access.redhat.com/videos/452063 (and the remainder of the links are there too).

If you do end up making an MLS SELinux system, there's a specific command you must pass to GRUB upon reboot or it will fail every time, and it was not trivial to find. I'll attempt to find it and post it here. EDITED/ADDED: This is important --> To transition a system to MLS SELinux, make sure to follow this documentation at Red Hat, and in particular step #2 (or it will crash upon reboot; ask me how I know).

Step 2 there says:

Before the MLS policy is enabled, each file on the file system must be relabeled with an MLS label. When the file system is relabeled, confined domains may be denied access, which may prevent your system from booting correctly. To prevent this from happening, configure SELINUX=permissive in the /etc/selinux/config file. Also, enable the MLS policy by configuring SELINUXTYPE=mls. Your configuration file should look like this:
### BEGIN FILE

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=mls
### END OF FILE

The next answer is "no" to the "do you leave it in permissive mode?" question; one only does this for the initial relabeling. Later in that procedure I linked to (step 7) it is re-enabled; please see that link.

Some good info by Thomas Cameron of Red Hat is "SELinux for Mere Mortals" (which doesn't go over MLS SELinux, but is a very good overview of SELinux in general) at this link: http://people.redhat.com/tcameron/Summit2017/SElinux/selinux_for_mere_mortals_2017.pdf

Hope this helps, Kind Regards,

-RJ
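
Added example (not RJ's code and not Red Hat tooling): a Python helper for the two-step transition quoted in the answer above. Step 2 needs SELINUX=permissive together with SELINUXTYPE=mls for the relabel, and step 7 returns the system to enforcing; the easy mistake is leaving the transitional permissive+mls state in place. The helper edits the assignments in the text of /etc/selinux/config without touching the comment lines that also mention the key names, and classifies the resulting state so a forgotten step 7 stands out. The sample config text is constructed from the stock file layout shown above; reading and writing the real file as root on a host is left to the caller.

```python
"""Edit and audit /etc/selinux/config for the two-step MLS transition: relabel in
permissive mode first, then return to enforcing.

Added example for this thread; not Red Hat tooling and not the poster's code.
It works on the file's text so it runs offline; on a real host, read and
write /etc/selinux/config as root.
"""
import re

# Constructed sample: a stock targeted/enforcing config in the layout quoted above.
STOCK_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

# Anchored at line start, so "# SELINUX= can take ..." comment lines never match.
_ASSIGN = re.compile(r"^(?P<key>SELINUX|SELINUXTYPE)[ \t]*=[ \t]*(?P<value>\S*)[ \t]*$", re.M)


def get_settings(text):
    """Return {key: value} for the uncommented SELINUX/SELINUXTYPE assignments."""
    return {m.group("key"): m.group("value") for m in _ASSIGN.finditer(text)}


def set_settings(text, **values):
    """Rewrite existing assignments in place; append any key the file lacks."""
    present = set()

    def repl(m):
        key = m.group("key")
        if key in values:
            present.add(key)
            return f"{key}={values[key]}"
        return m.group(0)

    out = _ASSIGN.sub(repl, text)
    for key, value in values.items():
        if key not in present:
            out = out.rstrip("\n") + f"\n{key}={value}\n"
    return out


def begin_mls_relabel(text):
    """Step 2 of the quoted procedure: permissive + mls before the relabel."""
    return set_settings(text, SELINUX="permissive", SELINUXTYPE="mls")


def finish_mls_transition(text):
    """Step 7: back to enforcing once the relabel has completed cleanly."""
    return set_settings(text, SELINUX="enforcing")


def describe_state(text):
    """Classify the config so a left-over transitional state is easy to spot."""
    s = get_settings(text)
    mode, policy = s.get("SELINUX"), s.get("SELINUXTYPE")
    if mode == "disabled":
        return "disabled"
    if policy == "mls" and mode == "permissive":
        return "mls-relabel-pending"   # acceptable only until the relabel is done
    if policy == "mls" and mode == "enforcing":
        return "mls-enforcing"
    return f"{policy}-{mode}"


if __name__ == "__main__":
    step2 = begin_mls_relabel(STOCK_CONFIG)
    step7 = finish_mls_transition(step2)
    print(describe_state(STOCK_CONFIG), "->", describe_state(step2), "->", describe_state(step7))
    print(step2)
```

Running the script prints the state progression targeted-enforcing -> mls-relabel-pending -> mls-enforcing and the step 2 file contents; anything still reporting mls-relabel-pending after the reboot and relabel is a host where step 7 was skipped.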
