System Administration Guide: Security Services     Oracle Solaris 11 Express 11/10

Databases That Support RBAC

The following four databases store the data for the RBAC elements:

The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File.

RBAC Database Relationships

Each RBAC database uses a key=value syntax for storing attributes. This method accommodates future expansion of the databases. The method also enables a system to continue to operate if the system encounters a keyword that is unknown to its policy. The key=value contents link the files. The following linked entries from the four databases illustrate how the RBAC databases work together.

Example 10-1 Showing RBAC Database Connections

In the following example, the user jdoe gets the capabilities of the Audit Control rights profile through being assigned the role audcontrol.

  1. The role audcontrol is created and assigned the Audit Control rights profile.

    # roleadd -P "Audit Control" audcontrol
  2. The user jdoe is assigned the audcontrol role. The userattr command verifies the assignment.

    # usermod -R audcontrol jdoe
    # userattr -v roles jdoe
    user_attr : audcontrol
  3. The Audit Control rights profile is defined in the prof_attr database. This rights profile includes one authorization.

    ## prof_attr - rights profile definitions and assigned authorizations
    
    Audit Control:::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
  4. The authorization is defined in the auth_attr database.

    ## auth_attr - authorization definitions
    solaris.smf.manage.audit:::Manage Audit Service States::help=SmfManageAudit.html
  5. The Audit Control rights profile is assigned one command with security attributes in the exec_attr database.

    # profiles -l jdoe
          Audit Control
              /usr/sbin/audit            privs=proc_owner,sys_audit

RBAC Databases and the Naming Services

The name service scope of the RBAC databases is defined in the /etc/nsswitch.conf file on the local host. The following entries in the nsswitch.conf file determine whether an RBAC database uses the files naming service or the LDAP naming service:

user_attr Database

The user_attr database contains user and role information that supplements the passwd and shadow databases. The user_attr database contains extended user attributes such as authorizations, rights profiles, privileges, and assigned roles. For information about the format of the database, see the user_attr(4) man page.

The following security attributes can appear in a user_attr entry:

auth_attr Database

All authorizations are stored in the auth_attr database. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, to include the profile in a role's list of profiles, and then to assign the role to a user. For information about the format of the database, see the auth_attr(4) man page.

The following example shows an auth_attr database with some typical values:

% grep network /etc/security/auth_attr
solaris.network.:::Network::help=NetworkHeader.html
...
solaris.network.link.security:::Link Security::help=LinkSecurity.html
solaris.network.vrrp:::Administer VRRP::help=NetworkVRRP.html
solaris.network.wifi.config:::Wifi Config::help=WifiConfig.html
solaris.network.wifi.wep:::Wifi Wep::help=WifiWep.html

Note that solaris.network. is defined as a heading, because the authorization name ends in a dot (.). Headings are used by the GUIs to organize families of authorizations.

prof_attr Database

The prof_attr database stores the name, description, help file location, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database. For information about the format of the database, see the prof_attr(4) man page.

The following security attributes can appear in a prof_attr entry:

The following example shows two typical prof_attr database entries. Note that the Network IPsec Management rights profile is a supplementary rights profile of the Network Security rights profile. The example is wrapped for display purposes.

% grep 'Network IPsec Management' /etc/security/prof_attr
Network IPsec Management:::                     Name of rights profile
Manage IPsec and IKE:                           Description
help=RtNetIPsec.html;                           Help file
auths=solaris.smf.manage.ipsec,                 Authorizations
solaris.smf.value.ipsec
...
Network Security:::                             Name of rights profile
Manage network and host security:               Description
profiles=Network Wifi Security,Network Link Security,
Network IPsec Management;                       Supplementary rights profiles
help=RtNetSecure.html                           Help file
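The linkage that Example 10-1 walks by hand, the heading rule for auth_attr names that end in a dot, and the supplementary profiles= links shown in the prof_attr example above can all be followed by a small resolver. The following is an added example for this guide, not Oracle's code. Its sample databases are constructed: the entries shown on this page are copied verbatim, while the user_attr rows for jdoe, audcontrol and netadm, the raw exec_attr row for Audit Control, and the auth_attr row for solaris.smf.manage.ipsec (with a placeholder help file) are assumed; solaris.smf.value.ipsec is deliberately left out of the sample auth_attr so that the dangling-reference check has something to report.

```python
"""Follow the key=value links between the four RBAC databases.

Added example, not Oracle's code.  The sample databases are constructed:
entries shown on this page are copied verbatim, while the user_attr rows,
the raw exec_attr row for Audit Control and the auth_attr row for
solaris.smf.manage.ipsec are assumed.  Field counts follow user_attr(4),
prof_attr(4), auth_attr(4) and exec_attr(4).
"""
USER_ATTR = """\
jdoe::::type=normal;roles=audcontrol
audcontrol::::type=role;profiles=Audit Control
netadm::::type=role;profiles=Network Security
"""
PROF_ATTR = """\
## prof_attr - rights profile definitions and assigned authorizations
Audit Control:::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
Network IPsec Management:::Manage IPsec and IKE:help=RtNetIPsec.html;auths=solaris.smf.manage.ipsec,solaris.smf.value.ipsec
Network Security:::Manage network and host security:profiles=Network Wifi Security,Network Link Security,Network IPsec Management;help=RtNetSecure.html
"""
AUTH_ATTR = """\
## auth_attr - authorization definitions (excerpt; solaris.smf.value.ipsec left out on purpose)
solaris.smf.manage.audit:::Manage Audit Service States::help=SmfManageAudit.html
solaris.network.:::Network::help=NetworkHeader.html
solaris.smf.manage.ipsec:::Manage IPsec::help=PLACEHOLDER.html
"""
EXEC_ATTR = "Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner,sys_audit\n"


def parse_attrs(field):
    """Turn the trailing 'key=value;key=value' field into a dict."""
    pairs = (item.split("=", 1) for item in field.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_db(text, nfields):
    """Yield (fields, attrs) per non-comment line.  The attribute list is
    always the last field; a wrong field count means a corrupt entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields in {line!r}")
        yield fields, parse_attrs(fields[-1])


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def is_heading(auth):
    """auth_attr names that end in a dot are GUI headings, not grantable rights."""
    return auth.endswith(".")


class RbacDatabases:
    def __init__(self, user_attr, prof_attr, auth_attr, exec_attr):
        self.users = {f[0]: a for f, a in parse_db(user_attr, 5)}
        self.profiles = {f[0]: a for f, a in parse_db(prof_attr, 5)}
        self.auths = {f[0]: f[3] for f, _ in parse_db(auth_attr, 6)}
        self.commands = {}                      # profile -> [(path, attrs)]
        for f, a in parse_db(exec_attr, 7):
            self.commands.setdefault(f[0], []).append((f[5], a))

    def roles_of(self, user):
        return split_list(self.users.get(user, {}).get("roles", ""))

    def resolve(self, name):
        """Rights a user or role holds through its own profiles= list,
        following supplementary profiles recursively, plus the dangling
        references (undefined profiles or authorizations) met on the way."""
        auths, commands, missing, seen = set(), [], set(), set()

        def walk(profile):
            if profile in seen:                 # guards against profiles= cycles
                return
            seen.add(profile)
            attrs = self.profiles.get(profile)
            if attrs is None:                   # assigned but not in prof_attr
                missing.add(profile)
                return
            auths.update(split_list(attrs.get("auths", "")))
            for path, cmd_attrs in self.commands.get(profile, []):
                commands.append((profile, path, cmd_attrs))
            for sub in split_list(attrs.get("profiles", "")):
                walk(sub)

        for profile in split_list(self.users.get(name, {}).get("profiles", "")):
            walk(profile)
        return {
            "profiles": sorted(seen - missing),
            "auths": auths,
            "commands": commands,
            "missing_profiles": missing,
            "undefined_auths": {a for a in auths if a not in self.auths},
        }
```

Resolving jdoe directly yields nothing, because the Audit Control rights reach jdoe only through the audcontrol role (`db.roles_of("jdoe")` followed by `db.resolve("audcontrol")`), which is exactly the chain Example 10-1 shows. Resolving netadm follows Network Security into Network IPsec Management and reports the two supplementary profiles and the one authorization that the sample databases do not define; on a real system those reports are what a reviewer looks for after editing the databases by hand.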

exec_attr Database

The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned. For information about the format of the database, see the exec_attr(4) man page.

The name of a rights profile from the prof_attr database starts an exec_attr entry. The security attributes in the exec_attr entry can reduce or extend the process's initial inheritable set, add a privilege, and restrict its limit set. The full path to the command or program must be specified. Each command can be assigned UNIX security attributes or privileges as security attributes. UNIX security attributes include UID, GID, EUID, and EGID. The value can be a name or a numeric value. Privilege-aware programs can be directly assigned one or more privileges.

The following example shows a typical exec_attr entry. Note the addition of privileges (privs) to the process, and the addition of two privileges and the removal of five privileges from the limit set (limitprivs) of the gnome-netstatus-wifi-info command.

% grep 'Network Wifi' /etc/security/exec_attr
Network Wifi Info:solaris:cmd:::/usr/lib/gnome-netstatus-wifi-info:
privs=net_rawaccess,file_dac_read;limitprivs=net_rawaccess,file_dac_read,
!proc_session,!proc_fork,!proc_exec,!proc_info,!file_link_any…
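The addition and removal that the paragraph above describes can be modelled literally: each name in privs= or limitprivs= is applied in list order, a plain name adds the privilege and a "!" name removes it. The following is an added example, not Oracle's code. The entry is the page's Network Wifi Info line with the elided tail of its limitprivs list cut off where the page stops, and the starting inheritable and limit sets are constructed stand-ins (a real limit set is normally far larger). Because the limit set is the upper bound on what the process can hold, the example also reports the privileges that end up in the inheritable set but not in the limit set, and the intersection the command can actually use.

```python
"""Apply an exec_attr entry's privs= and limitprivs= attributes to a
process's privilege sets: a listed privilege is added, a '!'-prefixed one
is removed, in list order.

Added example, not Oracle's code.  The entry is the page's Network Wifi
Info line truncated where the page's listing stops; the starting sets
are constructed stand-ins.
"""

EXEC_ATTR_LINE = (
    "Network Wifi Info:solaris:cmd:::/usr/lib/gnome-netstatus-wifi-info:"
    "privs=net_rawaccess,file_dac_read;"
    "limitprivs=net_rawaccess,file_dac_read,"
    "!proc_session,!proc_fork,!proc_exec,!proc_info,!file_link_any"
)

# Constructed starting sets: the five privileges the entry removes from the
# limit set serve as the inheritable set, and the limit set is two larger.
START_INHERITABLE = frozenset(
    {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}
)
START_LIMIT = START_INHERITABLE | {"proc_owner", "sys_audit"}


def parse_exec_attr(line):
    """Return (profile, command path, attrs) from one seven-field exec_attr line."""
    fields = line.strip().split(":", 6)
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields in {line!r}")
    pairs = (item.split("=", 1) for item in fields[6].split(";") if "=" in item)
    return fields[0], fields[5], {k.strip(): v.strip() for k, v in pairs}


def apply_spec(base, spec):
    """Apply a comma-separated privilege spec in order: 'name' adds the
    privilege, '!name' removes it.  Names are taken as written."""
    result = set(base)
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if item.startswith("!"):
            result.discard(item[1:])
        else:
            result.add(item)
    return result


def effective_sets(line, inheritable, limit):
    """Sets after the entry is applied, plus two review checks: privileges
    placed in I but absent from L (the limit set bounds them away), and the
    privileges the command can actually use (I within L)."""
    profile, path, attrs = parse_exec_attr(line)
    new_i = apply_spec(inheritable, attrs.get("privs", ""))
    new_l = apply_spec(limit, attrs.get("limitprivs", ""))
    return {
        "profile": profile,
        "path": path,
        "inheritable": new_i,
        "limit": new_l,
        "outside_limit": new_i - new_l,
        "usable": new_i & new_l,
    }
```

With the constructed starting sets, the entry leaves the command with net_rawaccess and file_dac_read as the only privileges inside both sets; the five privileges it strips from the limit set are the ones a child of this command can never regain, which is the point of writing a limitprivs= list rather than only a privs= list.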

policy.conf File

The policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users. The relevant entries in the file consist of key=value pairs:

The following example shows some typical values from a policy.conf database:

# grep AUTHS /etc/security/policy
AUTHS_GRANTED=solaris.device.cdrw

# grep PROFS /etc/security/policy
PROFS_GRANTED=Basic Solaris User

# grep PRIV /etc/security/policy

#PRIV_DEFAULT=basic
#PRIV_LIMIT=all

For more information about privileges, see Privileges (Overview).