Trusted Solaris Administration Overview

Trusted CDE Actions

This section presents the CDE actions available to roles and describes how to use or change the restricted editor used in these actions.

To Access Trusted CDE Actions
  1. Right-click the background to bring up the Workspace Menu.

  2. Press Applications, then click Application Manager.

  3. In the Application Manager, double-click the System_Admin icon.

    The CDE action icons display in the Application Manager window.

  4. Invoke the desired action by double-clicking its icon.

    A window or dialog box for the appropriate action appears.

The trusted CDE actions are listed in the following table.

Table 2-1 Administrative Actions, Purposes, and Default Roles
| Action Name | Purpose of Action | Default Rights Profile |
|---|---|---|
| Add Allocatable Device | Creates devices by putting entries in device_allocate(4), and device_maps(4). See add_allocatable(1M). | Device Security |
| Admin Editor | Edits any specified file | Object Access Management |
| Audit Classes | Edits audit_class(4) | Audit Control |
| Audit Control | Edits audit_control(4) | Audit Control |
| Audit Events | Edits audit_event(4) | Audit Control |
| Audit Startup | Edits the audit_startup.sh script. See audit_startup(1M). | Audit Control |
| Check Encodings | Runs chk_encodings(1M) on specified encodings file | Object Label Management |
| Check TN Files | Runs tnchkdb(1M) on local tnidb(4), tnrhdb(4), and tnrhtp(4) files | Network Security |
| Check TN NIS+ Tables | Runs tnchkdb(1M) on tnrhdb(4), and tnrhtp(4) NIS+ trusted network maps | Network Management |
| Configure Selection Confirmation | Edits /usr/dt/config/sel_config. See sel_config(4). | Object Label Management |
| Create NIS Client | Runs ypinit(1M), using both the specified hostname for the NIS master and the specified domain name | Name Server Security |
| Create NIS+ Client | Runs nisclient(1M), using both the specified hostname for the NIS+ master and the specified domain name | Name Server Security |
| Create NIS Server | Runs ypinit(1M) using the specified domain name | Name Server Security |
| Create NIS+ Server | Runs nisserver(1M) using the specified domain name | Name Server Security |
| Edit Encodings | Edits specified label_encodings(4) file and runs chk_encodings(1M) | Object Label Management |
| Name Service Switch | Edits nsswitch.conf(4) | Network Management |
| Populate NIS Tables | Runs nispopulate(1M) from the specified directory | Name Service Security |
| Set Daily Message | Edits /etc/motd | Network Management |
| Set Default Routes | Edits /etc/defaultrouter. See route(1M). | Network Management |
| Set DNS Servers | Edits resolv.conf(4) | Network Management |
| Set Mail Options | Edits /etc/mail/sendmail.cf. See sendmail(1M). | Mail Management |
| Set Mount Attributes | Edits vfstab_adjunct(4) | File System Security |
| Set Mount Points | Edits vfstab(4) | File System Management |
| Set TSOL Gateways | Edits tsolgateways(4) | Network Management |
| Shared Filesystem | Edits dfstab(4). Does not run share(1M). | File System Management |
| View Table Attributes | Runs niscat(1) with the -o option on the specified NIS+ trusted network database to display the table's attributes. | Name Service Management |
| View Table Contents | Runs niscat(1) on the specified NIS+ trusted network database to display the table's contents. | Name Service Management |

Admin Editor

The Admin Editor action, which can also be accessed from the command adminvi(1M), is a modified version of the vi(1) command. It prevents the user from executing shell commands and from writing to (saving to) any file other than the original file being edited. In most cases, use the Admin Editor action, which is assigned to the security administrator role by default, instead of adminvi on the command line to edit or create administrative files, because the Admin Editor is a wrapper for adminvi that incorporates auditing and allows an editor preference. If you need to provide users with a text editor that has the restrictions of adminvi, you can assign the adminvi command to any users who have the profile shell as their default.

Changing the Default Admin Editor

The Admin Editor is launched through the /usr/dt/bin/trusted_edit shell script, which brings up the editor specified in the EDITOR environment variable for the role account, restricts saves, and audits any changes made at the time the file is saved. The variable is set to adminvi(1M) by default, but the security administrator role can redefine the EDITOR variable to /usr/dt/bin/dtpad. When adminvi is specified, /bin/adminvi is invoked as root to edit the file. The adminvi command prevents the saving of the file with any other name. If dtpad(1) is specified, the New, Save, and Open options in the File menu are disabled when the action runs so that the file cannot be renamed.
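
The save-time audit described above, as an added sketch that is not the trusted_edit script or any other code from this guide. It shows only the wrapper's part (take the editor from EDITOR, record the change before it reaches the file, write back to the original path only); refusing shell escapes and saves under another name remains the editor's job and is not reproduced here. Assumptions: the names audited_edit and AUDIT_LOG are invented, a plain-text log stands in for the audit trail, and vi is the fallback editor.

```shell
#!/bin/sh
# Sketch of an audit-on-save edit wrapper. Hypothetical: this is not the
# contents of /usr/dt/bin/trusted_edit; audited_edit and AUDIT_LOG are
# names invented for this example.
AUDIT_LOG="${AUDIT_LOG:-./edit_audit.log}"

audited_edit() {
    target=$1
    [ -f "$target" ] || { echo "audited_edit: not a file: $target" >&2; return 2; }

    # Edit a private copy so the real file changes only after the audit record exists.
    work=$(mktemp -d) || return 1
    copy="$work/$(basename "$target")"
    cp -p "$target" "$copy" || { rm -rf "$work"; return 1; }

    # The editor comes from EDITOR (unquoted so it may carry arguments).
    # vi is this sketch's fallback; the page's default is adminvi.
    ${EDITOR:-vi} "$copy" || { rc=$?; rm -rf "$work"; return "$rc"; }

    # Nothing saved means nothing to audit or write back.
    if cmp -s "$target" "$copy"; then
        rm -rf "$work"
        return 0
    fi

    # Audit first: who, when, which file, and the change itself.
    {
        printf '%s user=%s file=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$target"
        diff "$target" "$copy" | sed 's/^/    /'
    } >> "$AUDIT_LOG" || { rm -rf "$work"; return 1; }

    # Write back to the original path only. Redirecting into the existing
    # file keeps its inode, owner and mode; anything else left in $work is discarded.
    rc=0
    cat "$copy" > "$target" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```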