Overview of NWAM Security

Security for NWAM is designed to encompass the following components:

• CLI (netcfg and netadm commands)

• NWAM GUI

• NWAM profile repository daemon (netcfgd)

• Policy engine daemon (nwamd)

• NWAM library (libnwam)

The netcfgd daemon controls the repository where all of the network configuration information is stored. The netcfg command, the NWAM GUI, and the nwamd daemon all send requests to the netcfgd daemon to access the repository. These functional components make requests through the NWAM library, libnwam.

The nwamd daemon is the policy engine that receives system events, configures the network, and reads network configuration information. The NWAM GUI and the netcfg command are configuration tools that can be used to view and modify the network configuration. These components are also used to refresh the NWAM service when a new configuration needs to be applied to the system.

Authorizations and Profiles That Are Related to NWAM

The current NWAM implementation uses the following authorizations to perform specific tasks:

• solaris.network.autoconf.read – Enables the reading of NWAM configuration data, which is verified by the netcfgd daemon

• solaris.network.autoconf.write – Enables the writing of NWAM configuration data, which is verified by the netcfgd daemon

• solaris.network.autoconf.select – Enables new configuration data to be applied, which is verified by the nwamd daemon

• solaris.network.autconf.wlan – Enables the writing of known WLAN configuration data

These authorizations are registered in the auth_attr database. For more information, see the auth_attr(4) man page.

Two security profiles are provided: Network Autoconf User and Network Autoconf Admin. The User profile has read, select, and wlan authorizations. The Admin profile adds the write authorization. The Network Autoconf User profile is assigned to the Console User profile. Therefore, by default, anyone who logged in to the console can view, enable, and disable profiles. Because the Console User is not assigned the solaris.network.autoconf.write authorization, this user cannot create or modify NCPs, NCUs, locations, or ENMs. However, the Console User can view, create, and modify WLANs.

Authorizations That Are Required to Use the NWAM User Interfaces

The NWAM commands, netcfg and netadm, can be used to view and enable NWAM profiles by anyone who has Console User privileges. These privileges are automatically assigned to any user who is logged in to the system from /dev/console.

To modify NWAM profiles by using the netcfg command, you need the solaris.network.autoconf.write authorization or the Network Autoconf Admin profile.

You can determine the privileges that are associated with a rights profile by using the profiles command with the profile name. For more information, see the profiles(1)man page.

For example, to determine privileges that are associated with the Console User rights profile, use the following command.

$ profiles -p "Console User" info
Found profile in files repository.
    name=Console User
    desc=Manage System as the Console User
    auths=solaris.system.shutdown,solaris.device.cdrw,solaris.smf.manage.vbiosd,
    solaris.smf.value.vbiosd
    profiles=Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,
    Network Autoconf User,Desktop Removable Media User
    help=RtConsUser.html

The NWAM GUI includes the following three components, which are not privileged. These components are granted authorizations, depending on how they are started and the tasks they need to perform:

• NWAM-specific panel presence

  This component is the panel applet in the desktop that enables a user to interact with NWAM. The panel can be run by any user and is used to monitor the autoconfiguration of the system and handle event notifications. The panel can also be used to perform some basic network configuration tasks, for example, selecting a WiFi network or manually switching locations. To perform these types of tasks, the Network Autoconf User rights profile is required. This rights profile is available in the default configuration, because the panel is running with the authorizations of the user who is logged in from /dev/console, and hence has the Console User profile.

• NWAM GUI

  The NWAM GUI is the primary means for interacting with NWAM from the desktop. The GUI is used to view the network status, to create and modify NCPs and Location profiles, and to start and stop configured ENMs. Interaction with the GUI requires four of the solaris.network.autoconf authorizations or the Network Autoconf Admin profile. By default, the Console User profile has sufficient authorizations to view the network status and profiles by using the GUI. In addition, you require the solaris.network.autoconf.write authorization or the Network Autoconf Admin profile to modify profiles by using the GUI.

You can obtain additional authorizations in one of the following ways:

• Assign the Network Autoconf Admin profile to a specific user.

  You can assign appropriate authorizations, or rights profiles, directly to a given user by editing the /etc/user_attr file for that user.

• Assign the Network Autoconf Admin profile to the Console User.

  You can assign this profile to the Console User instead of the Network Autoconf User profile that is assigned by default. To assign this profile, edit the entry in the /etc/security/prof_attr file.