Oracle Solaris Trusted Extensions Administrator's Procedures

ProcedureHow to Create New Device Authorizations

If no authorization is specified at the time a device is created, by default, all users can use the device. If an authorization is specified, then, by default, only authorized users can use the device.

To prevent all access to an allocatable device without using authorizations, see Example 17–1.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Edit the auth_attr file.

    Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

  2. Create a heading for the new authorizations.

    Use the reverse-order Internet domain name of your organization followed by optional additional arbitrary components, such as the name of your company. Separate components by dots. End heading names with a dot.

    domain-suffix.domain-prefix.optional.:::Company Header::help=Company.html
  3. Add new authorization entries.

    Add the authorizations, one authorization per line. The lines are split for display purposes. The authorizations include grant authorizations that enable administrators to assign the new authorizations.

    domain-suffix.domain-prefix.grant:::Grant All Company Authorizations::
    domain-suffix.domain-prefix.grant.device:::Grant Company Device Authorizations::
    domain-suffix.domain-prefix.device.allocate.tape:::Allocate Tape Device::
    domain-suffix.domain-prefix.device.allocate.floppy:::Allocate Floppy Device::
  4. Save the file and close the editor.

  5. If you are using LDAP as your naming service, update the auth_attr entries on the Sun Java System Directory Server (LDAP server).

    For information, see the ldapaddent(1M) man page.

  6. Add the new authorizations to the appropriate rights profiles. Then assign the profiles to users and roles.

    Use the Solaris Management Console. Assume the Security Administrator role, then follow the Solaris procedure How to Create or Change a Rights Profile in System Administration Guide: Security Services.

  7. Use the authorization to restrict access to tape and diskette drives.

    Add the new authorizations to the list of required authorizations in the Device Allocation Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.

Example 17–4 Creating Fine-Grained Device Authorizations

A security administrator for NewCo needs to construct fine-grained device authorizations for the company.

First, the administrator writes the following help files, and places the files in the /usr/lib/help/auths/locale/C directory:


Next, the administrator adds a header for all of the authorizations for in the auth_attr file.

# auth_attr file
com.newco.:::NewCo Header::help=Newco.html

Next, the administrator adds authorization entries to the file:

com.newco.grant:::Grant All NewCo Authorizations::
com.newco.grant.device:::Grant NewCo Device Authorizations::
com.newco.device.allocate.tape:::Allocate Tape Device::
com.newco.device.allocate.floppy:::Allocate Floppy Device::

The lines are split for display purposes.

The auth_attr entries create the following authorizations:

Example 17–5 Creating Trusted Path and Non-Trusted Path Authorizations

By default, the Allocate Devices authorization enables allocation from the trusted path and from outside the trusted path.

In the following example, site security policy requires restricting remote CD-ROM allocation. The security administrator creates the com.someco.device.cdrom.local authorization. This authorization is for CD-ROM drives that are allocated with the trusted path. The com.someco.device.cdrom.remote authorization is for those few users who are allowed to allocate a CD-ROM drive outside the trusted path.

The security administrator creates the help files, adds the authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The profiles are assigned to users who are allowed to allocate devices.