Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)
The following databases store the data for the RBAC elements:
The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File.
The name service scope of the RBAC databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the RBAC databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.
In the following output, the auth_attr, password, and prof_attr entries are not listed. Therefore, the RBAC databases are using the files naming service.
# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring     solaris.smf.value.name-service.switch
config/default               astring     files
config/host                  astring     "files ldap dns"
config/printer               astring     "user files ldap"
The user_attr database contains user and role information that supplements the passwd and shadow databases.
The following security attributes can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands:
For a user, the roles keyword assigns one or more defined roles.
For a role, setting the roleauth keyword to user enables the role to authenticate with the user's password rather than with the role password. By default, the value is role.
For a user or role, the following attributes can be set:
audit_flags keyword - Modifies the audit mask. For reference, see the audit_flags(5) man page.
auths keyword - Assigns authorizations. For reference, see the auths(1) man page.
defaultpriv keyword - Adds privileges or removes them from the default basic set of privileges. For reference, see How Privileges Are Implemented.
limitpriv keyword - Adds privileges or removes them from the default limit set of privileges. For reference, see How Privileges Are Implemented.
projects keyword - Adds a default project. For reference, see the project(4) man page.
lock_after_retries keyword - If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file.
profiles keyword - Assigns rights profiles.
For more information, see the user_attr(4) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
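As an added example (not code from the Oracle documentation), the following Python parses entries in the user_attr(4) format and reports the keywords listed above: roles, profiles, defaultpriv/limitpriv adjustments, and which password a role authenticates with. All account names and attribute values in the sample are constructed.

```python
# Added example (not from the Oracle page): parse user_attr(4)-format entries and
# report the RBAC attributes described above. All sample names/values are constructed.
LIST_KEYWORDS = {"roles", "profiles", "auths", "defaultpriv", "limitpriv"}

# Constructed sample in user_attr(4) format: user:qualifier:res1:res2:attr
SAMPLE_USER_ATTR = """\
# comment and blank lines are ignored
root::::type=normal;auths=solaris.*;profiles=All;lock_after_retries=no
jdoe::::type=normal;roles=secadmin,oper;profiles=Basic Solaris User;defaultpriv=basic,!file_link_any
secadmin::::type=role;roleauth=user;profiles=System Administrator;limitpriv=all,!sys_config
oper::::type=role;profiles=Operator;audit_flags=lo:no
"""

def parse_user_attr(text):
    """Return {name: {"qualifier": str, "attrs": {keyword: value}}} for each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # At most 5 fields: the attr field may itself contain ':' (audit_flags=lo:no)
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"malformed user_attr line: {raw!r}")
        name, qualifier, _res1, _res2, attr = fields
        attrs = {}
        for kv in filter(None, attr.split(";")):
            key, _, value = kv.partition("=")
            # List-valued keywords are comma separated; everything else stays a string
            attrs[key] = value.split(",") if key in LIST_KEYWORDS else value
        entries[name] = {"qualifier": qualifier, "attrs": attrs}
    return entries

def split_priv_spec(spec):
    """Split a defaultpriv/limitpriv list into (added, removed); a '!' prefix removes."""
    added = [p for p in spec if not p.startswith("!")]
    removed = [p[1:] for p in spec if p.startswith("!")]
    return added, removed

def role_password_policy(entries):
    """Per type=role entry: which password authenticates it, 'role' (default) or 'user'."""
    return {name: e["attrs"].get("roleauth", "role")
            for name, e in entries.items() if e["attrs"].get("type") == "role"}

def roles_assigned_to(entries, user):
    """Roles listed for a user, each flagged True only if a type=role entry defines it."""
    defined = {n for n, e in entries.items() if e["attrs"].get("type") == "role"}
    return {r: r in defined for r in entries[user]["attrs"].get("roles", [])}
```

Running it against the real database on a Solaris host would mean feeding it the output of getent user_attr instead of the constructed sample.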
All authorizations are stored in the auth_attr database. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, to include the profile in a role's list of profiles, and then to assign the role to a user.
The prof_attr database stores the name, description, help file location, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.
For more information, see the prof_attr(4) man page. To view the contents of this database, use the getent prof_attr command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.
For more information, see the exec_attr(4) man page. To view the contents of this database, use the getent command. For more information, see the getent(1M) man page and How to View All Defined Security Attributes.
CONSOLE_USER=Console User - Refers to the Console User rights profile. This profile is delivered with a convenient set of authorizations for the console user. You can customize this profile. To view the profile contents, see Rights Profiles.
The following example shows some typical values from a policy.conf database:
# grep AUTHS /etc/security/policy
AUTHS_GRANTED=solaris.device.cdrw
# grep PROFS /etc/security/policy
PROFS_GRANTED=Basic Solaris User
# grep PRIV /etc/security/policy
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
For more information about privileges, see Privileges (Overview).