Securing Users and Processes in Oracle® Solaris 11.2


Updated: July 2014

user_attr Database

The user_attr database contains user and role information that supplements the passwd and shadow databases. The attr field contains security attributes and the qualifier field contains attributes that qualify or limit the effect of security attributes to a system or group of systems.

The security attributes in the attr field can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands. They can be set locally and in the LDAP naming scope.

  • For a user, the roles keyword assigns one or more defined roles.

  • For a role, the user value to the roleauth keyword enables the role to authenticate with the user password rather than with the role password. By default, the value is role.

  • For a user or role, the following attributes can be set:

    • access_times keyword – Specifies the days and times that specified applications and services can be accessed. For more information, see the getaccess_times(3C) man page.

    • access_tz keyword – Specifies the time zone to use when interpreting the times in access_times entries. For more information, see the pam_unix_account(5) man page.

    • audit_flags keyword – Modifies the audit mask. For more information, see the audit_flags(5) man page.

    • auths keyword – Assigns authorizations. For more information, see the auths(1) man page.

    • auth_profiles keyword – Assigns authenticated rights profiles. For more information, see the profiles(1) man page.

    • defaultpriv keyword – Adds privileges or removes them from the default basic set of privileges.

    • limitpriv keyword – Adds privileges or removes them from the default limit set of privileges.

      The defaultpriv and limitpriv privileges are always in effect because they are assigned to the user's initial process. For more information, see the privileges(5) man page and How Privileges Are Implemented.

    • idlecmd keyword – Logs out the user or locks the screen after idletime is reached.

    • idletime keyword – Sets the time that the system is available after no keyboard activity. Set idletime when you specify a value for idlecmd.

    • lock_after_retries keyword – If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file. For more information, see the login(1) man page.

    • profiles keyword – Assigns rights profiles. For more information, see the profiles(1) man page.

    • project keyword – Adds a default project. For more information, see the project(4) man page.


Note - Because the access_times and access_tz attributes are PAM attributes, they are checked during authentication. Therefore, they must be assigned either directly to a user or role, or in an authenticated rights profile. They are ignored in a regular rights profile.

The qualified attributes can be set for users and roles in the LDAP naming scope only. These qualifiers limit a user or role's attribute assignment, such as a rights profile, to one or more systems. For examples, see the useradd(1M) and user_attr(4) man pages.

The qualifiers are host and netgroup:

  • host qualifier – Identifies the system where the user or role can perform specified actions.

  • netgroup qualifier – Lists systems where the user or role can perform specified actions. host assignments have priority over netgroup assignments.
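The record layout and qualifier rules described above, as an added example that is not part of the Oracle documentation: a small Python parser for user_attr-style lines that splits the five colon-separated fields, decodes the attr key=value pairs (including the `\:` escape used inside values such as audit_flags), and applies the host-over-netgroup precedence when picking the entry that governs a given system. The sample entries, the netgroup membership table, and the rule that an unqualified entry applies on any system but ranks below a matching qualified one are assumptions made for this example.

```python
import re

# Constructed sample entries in the user:qualifier:res1:res2:attr layout; "\:" escapes a colon in a value.
SAMPLE_USER_ATTR = """\
root::::type=role;auths=solaris.*;profiles=All;audit_flags=lo\\:no;lock_after_retries=no
jdoe::::type=normal;roles=root;auths=solaris.admin.usermgr.read;idlecmd=lock;idletime=15
ops:host=web01:::type=normal;profiles=Service Operator
ops:netgroup=webfarm:::type=normal;profiles=Basic Solaris User
"""
NETGROUPS = {"webfarm": {"web01", "web02"}}  # constructed stand-in for netgroup membership

def parse_attrs(attr_field):
    """'k1=v1;k2=a,b' -> {'k1': ['v1'], 'k2': ['a', 'b']}, unescaping '\\:' in values."""
    attrs = {}
    for pair in filter(None, attr_field.split(";")):
        key, _, value = pair.partition("=")
        attrs[key] = [v.replace("\\:", ":") for v in value.split(",")]
    return attrs

def parse_user_attr(text):
    """Parse user_attr lines; a colon separates fields unless it is escaped with a backslash."""
    entries = []
    for line in filter(None, text.splitlines()):
        fields = re.split(r"(?<!\\):", line)
        if len(fields) != 5:
            raise ValueError(f"expected 5 colon-separated fields: {line!r}")
        name, qualifier, _res1, _res2, attr = fields
        # qualifier is empty, or host=<name> / netgroup=<name> (LDAP scope only)
        qual = dict([qualifier.partition("=")[::2]]) if qualifier else {}
        entries.append({"name": name, "qualifier": qual, "attrs": parse_attrs(attr)})
    return entries

def effective_attrs(entries, name, host):
    """Select the entry for `name` that applies on `host`: host beats netgroup (as the text
    states); an unqualified entry applies everywhere but ranks below both (assumption)."""
    best, best_rank = None, -1
    for entry in (e for e in entries if e["name"] == name):
        qual = entry["qualifier"]
        if "host" in qual:
            rank = 2 if qual["host"] == host else -1
        elif "netgroup" in qual:
            rank = 1 if host in NETGROUPS.get(qual["netgroup"], set()) else -1
        else:
            rank = 0
        if rank > best_rank:
            best, best_rank = entry, rank
    return best["attrs"] if best else None
```

On a real system the same view is obtained with `getent user_attr`; the parser here only illustrates how the fields and escapes are read.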

For more information, see the user_attr(4) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(1M) man page and Chapter 6, Listing Rights in Oracle Solaris.