System Administration Guide
Chapter 5, Maintaining system security

Assigning administrative roles and system privileges

The first basic choice you must make is who will maintain the trusted system. You can have a single, all-powerful superuser with the root login, or you can assign parts of the administrative responsibility to other users, assigning no more power than is necessary to administer a single aspect of system operation. Subsystem authorizations allow you to assign administrative roles rather than using a single root user to administer the system. Under the Low and Traditional security profiles, most subsystem authorizations (except auth) are assigned to users by default. To assign a subsystem authorization, see ``Assigning subsystem authorizations''.

If you intend to operate a system that conforms to C2 requirements, you should grant subsystem authorizations based on the notion of ``least-privilege'': assign each user only the subsystem authorizations that their responsibilities require. For example, the backups administrator is granted the backup authorization and the printer administrator is granted the lp authorization. Only root should have all authorizations. Under this scheme, general users should be assigned as few subsystem authorizations as possible. Use secondary authorizations to grant limited access to capabilities of a subsystem.

NOTE: You might notice that each primary subsystem authorization appears to be identical to the group name for that subsystem. This means that if a user is a member of a subsystem group, there is an implied ability to access the files of that subsystem. You should never make a user a member of a subsystem's group, as this can put actual data files at risk. Use the proper subsystem authorization to permit access to the subsystem.
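
The condition described in the NOTE can be checked against the account files. The following script is an added example, not part of the original guide: it lists every user who belongs to one of the named subsystem groups, either as a listed member or through the primary group ID. The function names, sample users and numeric IDs are constructed for illustration; auth, backup and lp are the names mentioned in this section.

```shell
#!/bin/sh
# Added example (not from the guide): report users who belong to a
# subsystem's group. Assumption: an account with the same name as the
# group is the subsystem's own pseudo-account and is not reported.

# usage: subsystem_group_members GROUP_FILE PASSWD_FILE group...
# prints one "group:user:primary|supplementary" line per finding
subsystem_group_members() {
    group_file=$1; passwd_file=$2; shift 2
    awk -F: -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # group file: name:password:gid:member,member,...
        FILENAME == ARGV[1] {
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, mem, ",")
                for (i = 1; i <= m; i++)
                    if (mem[i] != "" && mem[i] != $1)
                        print $1 ":" mem[i] ":supplementary"
            }
            next
        }
        # passwd file: name:password:uid:gid:...
        ($4 in gid2name) && $1 != gid2name[$4] {
            print gid2name[$4] ":" $1 ":primary"
        }
    ' "$group_file" "$passwd_file"
}

# Constructed sample data; user names and IDs are illustrative only.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
auth::21:auth
backup::19:backup,alice
lp::18:lp,bob
staff::50:alice,bob,carol
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:3:Superuser:/:/bin/sh
lp:x:71:18:Printer:/usr/spool/lp:/bin/sh
alice:x:200:50:Alice:/u/alice:/bin/sh
carol:x:202:21:Carol:/u/carol:/bin/sh
EOF
    subsystem_group_members "$dir/group" "$dir/passwd" auth backup lp
    rm -rf "$dir"
}

run_sample
```

Each reported user should be removed from the group and, if access is still required, given the corresponding subsystem authorization instead.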

subsystem(M) lists all the programs and data files associated with a subsystem. Most of the functions normally exercised by the superuser on non-trusted UNIX systems are delegated to the protected subsystems detailed in this section. However, some functions still need to be performed by the superuser. These include mounting and unmounting filesystems, and traversing the entire file tree. Only the superuser can do everything. Restrict the root password to a few users and assign a responsible user to the root account.