Limiting access control, Using a demilitarized zone (dmz) – Sun Microsystems Portal Server 6 User Manual
Page 104
Designing Portal Security Strategies
104
Portal Server 6 2005Q1 • Deployment Planning Guide
The user
nobody
does not have a password, which prevents a regular user
from becoming nobody. Only the superuser can change users without being
prompted for a password. Thus, you still need
root
access to start and stop
Portal Server services.
See the Java Enterprise System Installation Guide for more information.
•
Non-
root
user.
You can run Portal Server as a regular UNIX user. The security
benefits of a regular user are similar to the security benefits provided by the
user
nobody
. A regular UNIX user has additional benefits as this type of user
can start, stop, and configure services. After installation, you need to change
ownership of some files.
See the Java Enterprise System Installation Guide for more information.
Limiting Access Control
While the traditional security UNIX model is typically viewed as all-or-nothing,
you can use alternative tools to provide some additional flexibility. These tools
provide the mechanisms needed to create a fine grain access control to individual
resources, such as different UNIX commands. For example, this toolset enables
Portal Server to be run as
root
, while allowing certain users and roles superuser
privileges to start, stop, and maintain the Portal Server framework.
These tools include:
•
Role-Based Access Control (RBAC)
. Solaris™ 8 and Solaris™ 9 include the
Role-Based Access Control (RBAC) to package superuser privileges and assign
them to user accounts. RBAC enables separation of powers, controlled
delegation of privileged operations to users, and a variable degree of access
control.
•
Sudo
. Sudo is publicly available software, which enables a system
administrator to give certain users the ability to execute a command as another
user. Please see:
Using a Demilitarized Zone (DMZ)
For maximum security, the Gateway is installed in the DMZ between two firewalls.
The outermost firewall enables only SSL traffic from the Internet to the Gateways,
which then direct traffic to servers on the internal network.