Transitioning From Oracle Solaris 10 to Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
The following sections describe changes to file and file system security.
The aclmode property, which determines how the ACL permissions on a file are modified during a chmod operation, is reintroduced in Oracle Solaris 11. The aclmode values are discard, mask, and passthrough. The default value, discard, is the most restrictive, and passthrough is the least restrictive.
Example 9-3 ACL Interaction With chmod Operations on ZFS Files
The following examples illustrate how specific aclmode and aclinherit property values influence the interaction of existing ACLs with a chmod operation that either reduces or expands existing ACL permissions so that they stay consistent with the owning group's permissions.
In this example, the aclmode property is set to mask and the aclinherit property is set to restricted. The ACL permissions in this example are displayed in compact mode, which more easily illustrates changing permissions.
The original file and group ownership and ACL permissions are as follows:
# zfs set aclmode=mask pond/whoville
# zfs set aclinherit=restricted pond/whoville
# ls -lV file.1
-rwxrwx---+  1 root     root      206695 Aug 30 16:03 file.1
                 user:amy:r-----a-R-c---:-------:allow
                user:rory:r-----a-R-c---:-------:allow
           group:sysadmin:rw-p--aARWc---:-------:allow
              group:staff:rw-p--aARWc---:-------:allow
                   owner@:rwxp--aARWcCos:-------:allow
                   group@:rwxp--aARWc--s:-------:allow
                everyone@:------a-R-c--s:-------:allow
A chown operation changes the ownership of file.1, and the listing is then viewed as the new owning user, amy. For example:
# chown amy:staff file.1
# su - amy
$ ls -lV file.1
-rwxrwx---+  1 amy      staff     206695 Aug 30 16:03 file.1
                 user:amy:r-----a-R-c---:-------:allow
                user:rory:r-----a-R-c---:-------:allow
           group:sysadmin:rw-p--aARWc---:-------:allow
              group:staff:rw-p--aARWc---:-------:allow
                   owner@:rwxp--aARWcCos:-------:allow
                   group@:rwxp--aARWc--s:-------:allow
                everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a more restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions do not exceed the owning group's permissions.
$ chmod 640 file.1
$ ls -lV file.1
-rw-r-----+  1 amy      staff     206695 Aug 30 16:03 file.1
                 user:amy:r-----a-R-c---:-------:allow
                user:rory:r-----a-R-c---:-------:allow
           group:sysadmin:r-----a-R-c---:-------:allow
              group:staff:r-----a-R-c---:-------:allow
                   owner@:rw-p--aARWcCos:-------:allow
                   group@:r-----a-R-c--s:-------:allow
                everyone@:------a-R-c--s:-------:allow
The following chmod operation changes the permissions to a less restrictive mode. In this example, the modified sysadmin group's and staff group's ACL permissions are restored to allow the same permissions as the owning group.
$ chmod 770 file.1
$ ls -lV file.1
-rwxrwx---+  1 amy      staff     206695 Aug 30 16:03 file.1
                 user:amy:r-----a-R-c---:-------:allow
                user:rory:r-----a-R-c---:-------:allow
           group:sysadmin:rw-p--aARWc---:-------:allow
              group:staff:rw-p--aARWc---:-------:allow
                   owner@:rwxp--aARWcCos:-------:allow
                   group@:rwxp--aARWc--s:-------:allow
                everyone@:------a-R-c--s:-------:allow
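The masking that Example 9-3 shows can be reproduced offline from a saved ls -lV listing, which is useful when you want to preview what a chmod will do to an ACL, or to find the entries that aclmode=mask would trim and aclmode=passthrough would leave in place. The following Python script is an added example and is not Oracle's code. It models aclmode=mask with an assumption fitted to the example's output: the r bit governs read_data, the w bit governs write_data, append_data, write_attributes and write_xattr, the x bit governs execute, and every other permission (delete, delete_child, read_attributes, read_xattr, read_acl, write_acl, write_owner, synchronize) is carried through unchanged. Named user and group entries are bounded by the owning group's bits, as the example states. Because the mask is always computed from the original ACL, widening the mode back to 770 restores the entries, matching the last listing above. The sample ACL is the post-chown listing from the example.

```python
# Added example (not Oracle's code): model of ZFS aclmode=mask on the
# compact ACL format printed by ls -lV, fitted to Example 9-3.

# Compact permission letters in the order ls -lV prints them:
# r=read_data w=write_data x=execute p=append_data d=delete D=delete_child
# a=read_attributes A=write_attributes R=read_xattr W=write_xattr
# c=read_acl C=write_acl o=write_owner s=synchronize
COMPACT = "rwxpdDaARWcCos"

# Assumption (simplified model fitted to the page's example): the letters each
# mode bit governs. Letters not listed (d, D, a, R, c, C, o, s) are outside the
# mode's control and are carried through unchanged.
MODE_CONTROLLED = {4: set("r"), 2: set("wpAW"), 1: set("x")}
ALL_CONTROLLED = set().union(*MODE_CONTROLLED.values())

# Constructed sample: the ACL of file.1 after the chown in Example 9-3.
SAMPLE_ACL = """\
user:amy:r-----a-R-c---:-------:allow
user:rory:r-----a-R-c---:-------:allow
group:sysadmin:rw-p--aARWc---:-------:allow
group:staff:rw-p--aARWc---:-------:allow
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--aARWc--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""


def parse_acl(text):
    """Split ls -lV compact ACEs into (who, perms, flags, type) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # rsplit keeps "user:amy" / "group:staff" together in the who field
        who, perms, flags, ace_type = line.rsplit(":", 3)
        if len(perms) != len(COMPACT):
            raise ValueError(f"bad compact permission field: {perms!r}")
        aces.append((who, perms, flags, ace_type))
    return aces


def mode_bits_for(who, mode):
    """Pick the rwx triplet that bounds this ACE: owner@ -> owner bits,
    everyone@ -> other bits, group@ and named user:/group: entries -> group bits."""
    if who == "owner@":
        return (mode >> 6) & 7
    if who == "everyone@":
        return mode & 7
    return (mode >> 3) & 7


def mask_ace(ace, mode):
    """Drop every mode-controlled permission the new mode does not grant."""
    who, perms, flags, ace_type = ace
    bits = mode_bits_for(who, mode)
    permitted = set()
    for bit, letters in MODE_CONTROLLED.items():
        if bits & bit:
            permitted |= letters
    masked = "".join(
        "-" if (ch in ALL_CONTROLLED and ch not in permitted) else ch
        for ch in perms
    )
    return (who, masked, flags, ace_type)


def apply_chmod(acl_text, mode):
    """Return the ACL as ls -lV would list it after chmod <mode> under aclmode=mask."""
    return [":".join(mask_ace(ace, mode)) for ace in parse_acl(acl_text)]


def aces_exceeding_mode(acl_text, mode):
    """Who-fields of ACEs that grant more than the mode allows: the entries
    aclmode=mask trims and aclmode=passthrough would leave untouched."""
    return [ace[0] for ace in parse_acl(acl_text) if mask_ace(ace, mode) != ace]


if __name__ == "__main__":
    for mode in (0o640, 0o770):
        print(f"after chmod {mode:o}:")
        for line in apply_chmod(SAMPLE_ACL, mode):
            print("  " + line)
        print("  trimmed:", aces_exceeding_mode(SAMPLE_ACL, mode) or "none")
```

Run it on a listing you captured with ls -lV before changing the mode; the entries reported by aces_exceeding_mode are the ones whose effective access depends on the file system's aclmode setting.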
In previous Oracle Solaris releases and in this release, the Cryptographic Framework feature provides the encrypt, decrypt, and mac commands to encrypt files.
Oracle Solaris 10 does not support ZFS encryption, but Oracle Solaris 11 supports the following ZFS encryption features:
ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, key change and rekey operations are performed online.
You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.
ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS delegated administration.
Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of 128, 192, and 256 bits in the CCM and GCM operation modes.
ZFS encryption uses the Cryptographic Framework feature, which gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms automatically.
Note - Currently, you cannot encrypt a ZFS root file system or other OS components, such as the /var directory, even if it is a separate file system.
Example 9-4 Creating an Encrypted ZFS File System
The following example shows how to create an encrypted ZFS file system. The default encryption policy is to prompt for a passphrase, which must be a minimum of 8 characters in length.
# zfs create -o encryption=on tank/data
Enter passphrase for 'tank/data': xxxxxxxx
Enter again: xxxxxxxx
The default encryption algorithm is aes-128-ccm when a file system's encryption value is on.
After an encrypted file system is created, its encryption cannot be turned off. For example:
# zfs set encryption=off tank/data
cannot set property for 'tank/data': 'encryption' is readonly
For more information, see Encrypting ZFS File Systems in Oracle Solaris 11.1 Administration: ZFS File Systems.
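Because encryption is decided at creation time and inherited by descendent file systems, the practical check after a migration is an inventory: which datasets are unencrypted, and which encrypted ones currently have no key loaded. The following Python script is an added example, not Oracle's code. It assumes Oracle Solaris 11 ZFS, where zfs get -H -o name,property,value encryption,keystatus prints one tab-separated line per dataset and property, and it assumes that the encryption property reads "off" for unencrypted datasets and either "on" or an algorithm name such as aes-256-gcm otherwise. The sample output is constructed; the root pool name rpool is used only as the default exempt prefix, since the page notes that the root file system cannot be encrypted.

```python
# Added example (not Oracle's code): audit ZFS encryption state from
# `zfs get -H -o name,property,value encryption,keystatus` output.

# Constructed sample output. Assumed layout: one dataset per line pair,
# fields separated by tabs as zfs get -H prints them.
SAMPLE_ZFS_GET = """\
rpool\tencryption\toff
rpool\tkeystatus\tnone
rpool/ROOT\tencryption\toff
rpool/ROOT\tkeystatus\tnone
tank\tencryption\toff
tank\tkeystatus\tnone
tank/data\tencryption\ton
tank/data\tkeystatus\tavailable
tank/data/home\tencryption\ton
tank/data/home\tkeystatus\tavailable
tank/archive\tencryption\taes-256-gcm
tank/archive\tkeystatus\tunavailable
"""


def parse_zfs_get(text):
    """Return {dataset: {property: value}} from -H -o name,property,value output."""
    props = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t")
        props.setdefault(name, {})[prop] = value
    return props


def audit_encryption(text, exempt_prefixes=("rpool",)):
    """Classify every dataset as encrypted, key_unavailable, or unencrypted.

    Datasets at or below an exempt prefix are skipped; the default exempts the
    root pool (assumed name rpool), which cannot be encrypted. A dataset whose
    encryption value is anything other than "off" counts as encrypted, since
    "on" is an alias for the default algorithm, aes-128-ccm.
    """
    report = {"unencrypted": [], "key_unavailable": [], "encrypted": []}
    for name, p in sorted(parse_zfs_get(text).items()):
        if any(name == pre or name.startswith(pre + "/") for pre in exempt_prefixes):
            continue
        if p.get("encryption", "off") == "off":
            report["unencrypted"].append(name)
        elif p.get("keystatus") == "unavailable":
            # encrypted, but the key is not loaded: data is unreadable until
            # the key is supplied (for example with zfs key -l)
            report["key_unavailable"].append(name)
        else:
            report["encrypted"].append(name)
    return report


def summarize(report):
    """One line per category, for a quick read in a migration checklist."""
    return [f"{category}: {', '.join(names) or 'none'}"
            for category, names in report.items()]


if __name__ == "__main__":
    for line in summarize(audit_encryption(SAMPLE_ZFS_GET)):
        print(line)
```

Feed the script the real command output (for example via subprocess or a saved file) and treat the unencrypted list as the set of datasets that can only be protected by creating a new encrypted dataset and moving the data into it, because the encryption property cannot be switched on afterwards.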
New in Oracle Solaris 11, the file-mac-profile property enables you to run zones with a read-only root file system. This feature enables you to choose between four predefined profiles that determine how much of a zone file system is read-only, even for processes that have allzone privileges. See zonecfg file-mac-profile Property in Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.