JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Rights Profiles

Viewing the Contents of Rights Profiles

Order of Search for Assigned Security Attributes

Authorizations

Authorization Naming Conventions

Example of Authorization Granularity

Delegation Authority in Authorizations

RBAC Databases

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Selected Commands That Require Authorizations

Privileges

Administrative Commands for Handling Privileges

Files With Privilege Information

Privileges and Auditing

Prevention of Privilege Escalation

Legacy Applications and the Privilege Model

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

RBAC Databases

The following databases store the data for the RBAC elements:

The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File.

RBAC Databases and the Naming Services

The name service scope of the RBAC databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the RBAC databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.

In the following output. the auth_attr, password, and prof_attr entries are not listed. Therefore, the RBAC databases are using the files naming service.

# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring       solaris.smf.value.name-service.switch
config/default               astring       files
config/host                  astring       "files ldap dns"
config/printer               astring       "user files ldap"

user_attr Database

The user_attr database contains user and role information that supplements the passwd and shadow databases.

The following security attributes can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands:

For more information, see the user_attr(4) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.

auth_attr Database

All authorizations are stored in the auth_attr database. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, to include the profile in a role's list of profiles, and then to assign the role to a user.

To view the contents of this database, use the getent prof_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.

prof_attr Database

The prof_attr database stores the name, description, help file location, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.

For more information, see the prof_attr(4) man page. To view the contents of this database, use the getent exec_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.

exec_attr Database

The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.

For more information, see the exec_attr(4) man page. To view the contents of this database, use the getent command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.

policy.conf File

The policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users. The relevant entries in the file consist of key=value pairs:

The following example shows some typical values from a policy.conf database:

# grep AUTHS /etc/security/policy
AUTHS_GRANTED=solaris.device.cdrw

# grep PROFS /etc/security/policy
PROFS_GRANTED=Basic Solaris User

# grep PRIV /etc/security/policy

#PRIV_DEFAULT=basic
#PRIV_LIMIT=all

For more information about privileges, see Privileges (Overview).