test

Trusted Solaris Administrator's Procedures

To Make a Library Directory Trusted

The following procedure describes how to determine which libraries should be trusted, and then describes how to add them to the trusted library directories list.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Remove any forced privileges assigned to the program.

    If the program does not have forced privileges, then you do not need to do the following substeps or Step 4.

    1. Check the command for forced privileges.

      The following example gets the list of privileges and saves them in a file. The file can be used to reset the privileges, if any, after the ldd(1) command is run.


      $ getfpriv -s -f program_name > filename

    2. Remove the privileges from the program.


      $ setfpriv -s -f none program_name

  3. Use theldd command to find out which library directories the application program is using.


    $ ldd program_name
    Note -

    The program that is using the shared libraries may be imbedded in a script, so make sure you are running ldd on the actual program that needs the libraries.

  4. If you removed forced privileges from the program in Step 2, add the privileges back to the program.

    The following example uses setfpriv to set the privileges stored in filename in Step a.


    $ setfpriv -s -f `cat filename` program_name

  5. Use the Rights tool to add the crle command to the Custom Secadmin Profile with a real UID of 0, and a label and clearance of ADMIN_LOW.

    See the crle(1) man page for more information.

  6. Use the crle command to add the library directories from Step 3 to the list of trusted library directories.


    $ crle -u -s [directory_1[: . . . :directory_N]

  7. To regenerate the list of trusted directories at every reboot, add the crle command to a boot-time script.

    Use the Admin Editor to create or modify a script in the /etc/init.d directory.

    If a privileged application already has a script, modify the existing script. Otherwise, create a new script.

    Caution - Caution -

    Do not modify any default Trusted Solaris scripts. Modify only scripts that are installed with new applications that need privileges.

    The following is an example of executing the crle command in a script:


    crle -u -s directory_1[: . . . :directory_N]

  8. Make a hard link from the script in the /etc/init.d directory.

    Use the S prefix in the target file's name for starting the script. Use the proper two-digit number in the target file's name to determine the order in which the script is executed during the run level. See the README in /etc/init.d and /etc/rc2.d, if needed.

    In the following example, the name of the new script in /etc/init.d is new_script, which is linked to /etc/rc2.d/S87new_script.


    $ cd /etc/rc2.d
$ ln /etc/init.d/new_script S87new_script