
Securing Users and Processes in Oracle® Solaris 11.4


Updated: November 2020

Listing Rights and Their Definitions

The commands in this section enable you to find rights that are defined on the system, and list the rights that are in effect on a user's process.

Listing All Rights Assigned to a User


Note - useradm is the CLI for the User Manager GUI. Install the useradm package to access this command.
  • useradm list username – Lists the direct rights assignments of username

  • useradm list -S [files|ldap] username – Lists the direct rights assignments of username in the specified naming service

  • useradm list -q qualifier username – Lists the qualified attributes of username

Example 56  Listing a User's Rights in LDAP

This user has different rights in LDAP and in files. For comparison, see Example 57, Listing a Local User's Rights.

$ useradm list -S ldap jdoe
inactive = 0
userID = 1234
groupName = staff
defaultShell = /bin/bash
username = jdoe
description = Jane Doe
groups  =
        docusers
        test_src
        web_publish
accountStatus = Unknown
homeDirectory = /home/jdoe
groupID = 123
Example 57  Listing a Local User's Rights

This user has different rights in files and in LDAP. For comparison, see Example 56, Listing a User's Rights in LDAP.

$ useradm list -S files jdoe
inactive = 0
Profiles  =
        Compliance Assessor
userID = 1234
groupName = staff
defaultShell = /bin/bash
username = jdoe
description = Jane Doe
accountStatus = Unknown
homeDirectory = /home/jdoe
groupID = 123

Listing Authorizations

  • auths – Lists the current user's authorizations

  • auths list – Lists the current user's authorizations, one authorization per line

  • auths list -u username – Lists the authorizations for username

  • auths list -x – Lists the current user's authorizations that require authentication

  • auths list -xu username – Lists the username's authorizations that require authentication

  • auths info – Lists all authorization names in the naming service

  • getent auth_attr – Lists the full definition of all authorizations in the naming service

Example 58  Listing All Authorizations
$ auths info
    solaris.account.activate
    solaris.account.setpolicy
    solaris.admin.edit
...
    solaris.zone.login
    solaris.zone.manage
Example 59  Listing the Content of the Authorizations Database
$ getent auth_attr | more
solaris.:::All Solaris Authorizations::
solaris.account.:::Account Management::
...
solaris.zone.login:::Zone Login::
solaris.zone.manage:::Zone Deployment::
Example 60  Listing the Default Authorizations of Users

The following authorizations are included in the rights profiles that are assigned to all users by default.

$ auths
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
solaris.network.autoconf.read,solaris.admin.wusb.read
solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd

Listing Rights Profiles

  • profiles – Lists the current user's rights profiles

  • profiles -a – Lists the names of all rights profiles

  • profiles -l – Lists the full definition of the current user's rights profiles

  • profiles username – Lists the rights profiles for username

  • profiles -x – Lists the current user's rights profiles that require authentication

  • profiles -x username – Lists the rights profiles of username that require authentication

  • profiles -p profile-name info – Pretty-prints the contents of the specified rights profile

  • getent prof_attr – Lists the full definition of all rights profiles in the naming service

Example 61  Listing the Names of All Rights Profiles
$ profiles -a
        Console User
        CUPS Administration
        Desktop Removable Media User
...
        VSCAN Management
        WUSB Management
Example 62  Listing the Contents of the Rights Profiles Database
$ getent prof_attr | more
All:::Execute any command as the user or role:
Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;
...
Zone Management:::Zones Virtual Application Environment Administration:
Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,
solaris.auth.delegate;...
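The Zone Security entry above grants solaris.zone.* rather than a list of individual authorizations, and the Site Zone Operator pattern (a profile that pulls in other profiles through profiles=) is how most site-defined profiles end up granting rights indirectly. The following is an added example, not Oracle's code and not part of this page: it walks a constructed prof_attr-style sample, follows profiles= recursively, and then tests a candidate authorization name against the resulting list. The matching rule is an assumption, a simplified model of chkauthattr(3C): an entry matches on exact name, or, when it ends in ".*", matches every name that begins with the text before the "*". The profile named Site Zone Operator and its authorization list are hypothetical.

```shell
# Added example (not Oracle's code). Simplified model of wildcard
# authorization matching and nested-profile expansion.

# Constructed prof_attr(5)-style sample: name:res1:res2:desc:attr.
# "Site Zone Operator" is a hypothetical profile that nests two others.
SAMPLE_PROF_ATTR='All:::Execute any command as the user or role:
Audit Review:::Review Solaris Auditing logs:auths=solaris.audit.read
Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,solaris.auth.delegate
Site Zone Operator:::Site zone operators:auths=solaris.smf.manage.zones;profiles=Zone Security,Audit Review'

# profile_auths SAMPLE PROFILE: print every authorization reachable from
# PROFILE, following profiles= recursively. A seen[] guard stops cycles.
profile_auths() {
  printf '%s\n' "$1" | awk -F: -v start="$2" '
    function walk(p,   m, a, j, k, s) {
      if (p in seen) return
      seen[p] = 1
      m = split(auths[p], a, ",")
      for (j = 1; j <= m; j++)
        if (a[j] != "" && !(a[j] in out)) { out[a[j]] = 1; print a[j] }
      k = split(subs[p], s, ",")
      for (j = 1; j <= k; j++)
        if (s[j] != "") walk(s[j])
    }
    {
      # attr field is ";"-separated key=value pairs; keep auths= and profiles=
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++) {
        if (kv[i] ~ /^auths=/)    auths[$1] = substr(kv[i], 7)
        if (kv[i] ~ /^profiles=/) subs[$1]  = substr(kv[i], 10)
      }
    }
    END { walk(start) }' | sort
}

# auth_granted LIST NAME: exit 0 if comma-separated LIST grants NAME.
# Runs in a subshell so set -f (no globbing of "solaris.zone.*") and the
# IFS change stay local. Matching rule is the simplified model above.
auth_granted() (
  set -f
  want=$2
  IFS=,
  for entry in $1; do
    case "$entry" in
      *.\*)
        prefix=${entry%\*}                  # "solaris.zone.*" -> "solaris.zone."
        case "$want" in "$prefix"*) return 0 ;; esac ;;
      "$want")
        return 0 ;;
    esac
  done
  return 1
)

# user_has_auth SAMPLE PROFILE NAME: what `auths -u` would answer for a user
# whose only assigned rights profile is PROFILE.
user_has_auth() {
  auth_granted "$(profile_auths "$1" "$2" | tr '\n' ',')" "$3"
}
```

With this sample, solaris.zone.manage is granted to a holder of Site Zone Operator through the nested Zone Security profile's wildcard, while a holder of Audit Review alone does not have it. The trailing-dot prefix matters: solaris.zone.* must not match a hypothetical solaris.zones.login, which is why the prefix keeps its final ".".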
Example 63  Listing the Default Rights Profiles of Users

List your rights profiles. The following rights profiles are assigned to all users by default.

$ profiles
Basic Solaris User
All
Example 64  Listing the Rights Profiles of the Initial User

The initial user is assigned several rights profiles.

$ profiles Initial user
System Administrator
Audit Review
...
CPU Power Management
Basic Solaris User
All

To show all the security attributes that are assigned to the initial user's profiles, use the –l option.

$ profiles -l Initial user | more
Initial user:
System Administrator
	profiles=Install Service Management,Audit Review,Extended Accounting 
Flow Management,Extended Accounting Net Management,Extended Accounting Process 
Management,Extended Accounting Task Management,Printer Management,Cron Management,
Device Management,File System Management,Log Management,Mail Management,
Maintenance and Repair,Media Catalog,Name Service Management,Network Management,
Project Management,RAD Management,Service Operator,Shadow Migration Monitor,
Software Installation,System Configuration,User Management,ZFS Storage Management
          /usr/sbin/gparted          uid=0
Install Service Management
	auths=solaris.autoinstall.service
	profiles=Install Manifest Management,Install Profile Management,
Install Client Management
...
Example 65  Listing the Contents of an Assigned Rights Profile

The initial user lists the rights that are granted by the Audit Review profile.

$ profiles -l
Audit Review
  solaris.audit.read
  
  /usr/sbin/auditreduce  euid=0
  /usr/sbin/auditstat    privs=proc_audit
  /usr/sbin/praudit      privs=file_dac_read
Example 66  Listing the Security Attributes of a Command in a Rights Profile

This variant of the profiles command is useful for viewing the security attributes of a command in a rights profile that is not assigned to you.

First, list the commands in the profile.

$ profiles -p "Audit Review" info
	name=Audit Review
	desc=Review Solaris Auditing logs
	cmd=/usr/sbin/auditreduce
	cmd=/usr/sbin/auditstat
	cmd=/usr/sbin/praudit

Then, list the security attributes of one of the commands in the profile.

$ profiles -p "Audit Review" "select cmd=/usr/sbin/praudit ; info; end;"
select: command is read-only
	id=/usr/sbin/praudit
	privs=file_dac_read
end: command is read-only
Example 67  Listing the Contents of Rights Profiles That Are Recently Created

The –la options list the full definitions of all rights profiles; piping the output to less lets you page through it. This variant of the profiles command is useful when you create or modify rights profiles at your site, because site-created profiles appear in the listing alongside the profiles that Oracle Solaris delivers. The following output shows the contents of the profile that was added in Example 38, Assigning Security Attributes to a Legacy Application. A regular user can run this command.

$ profiles -la | less
LegacyApp
          /opt/legacy-app/bin/legacy-cmd 
                                     euid=0
OpenLDAP...

Listing Roles

  • roles – Lists the current user's roles

  • roles username – Lists the roles for username

  • logins -r – Lists all available roles

Example 68  Listing Your Assigned Roles

The root role is assigned to the initial user by default. If the output is No roles, you are not assigned any role.

$ roles
root

Listing Privileges

  • man privileges – Lists privilege definitions and their names as they are used by developers

  • ppriv -vl – Lists privilege definitions and their names as they are used by administrators

  • ppriv -vl basic – Lists names and definitions of privileges in the basic set of privileges

  • ppriv $$ – Lists the privileges in the current shell ($$)

  • getent exec_attr – Lists all commands that have security attributes (setuid or privileges) by rights profile name

$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0 ...
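The exec_attr listing above is the place to look when assessing what a rights profile actually lets its holder do: every entry names a command and the uid, euid or privileges it runs with. The following is an added example, not Oracle's code and not part of this page. It parses constructed exec_attr-format lines (profile:policy:type:res1:res2:id:attr, with attr a ";"-separated list of key=value pairs) and answers three review questions: which commands run as uid 0, which commands carry a given privilege, and whether any wildcard ("*") entry carries attributes. The Site Net Helper and Site Broad Grant profiles, and the /opt/site/bin/netcfg-helper path, are hypothetical; the Site Broad Grant entry is a deliberately misconfigured example of a "*" entry with privileges.

```shell
# Added example (not Oracle's code). Offline review of exec_attr(5)-format
# lines such as `getent exec_attr` prints.

# Constructed sample. The last two entries are hypothetical site additions;
# "Site Broad Grant" shows a "*" entry carrying a privilege, which would
# apply file_dac_read to every command a holder of that profile runs.
SAMPLE_EXEC_ATTR='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Audit Review:solaris:cmd:::/usr/sbin/auditreduce:euid=0
Audit Review:solaris:cmd:::/usr/sbin/auditstat:privs=proc_audit
Audit Review:solaris:cmd:::/usr/sbin/praudit:privs=file_dac_read
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Site Net Helper:solaris:cmd:::/opt/site/bin/netcfg-helper:uid=0;privs=net_rawaccess
Site Broad Grant:solaris:cmd:::*:privs=file_dac_read'

# root_commands SAMPLE: "profile<TAB>command<TAB>attr" for every cmd entry
# that runs with uid=0 or euid=0. Review these first: each is a program that
# runs as root for any holder of the profile.
root_commands() {
  printf '%s\n' "$1" | awk -F: '
    $3 == "cmd" && $7 != "" {
      n = split($7, kv, ";")
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")
        if ((p[1] == "uid" || p[1] == "euid") && p[2] == "0")
          printf "%s\t%s\t%s\n", $1, $6, kv[i]
      }
    }'
}

# commands_with_priv SAMPLE PRIV: "profile<TAB>command" for each entry
# whose privs= list contains PRIV exactly (no substring matches).
commands_with_priv() {
  printf '%s\n' "$1" | awk -F: -v want="$2" '
    $3 == "cmd" {
      n = split($7, kv, ";")
      for (i = 1; i <= n; i++) {
        if (kv[i] !~ /^privs=/) continue
        m = split(substr(kv[i], 7), pl, ",")
        for (j = 1; j <= m; j++)
          if (pl[j] == want) printf "%s\t%s\n", $1, $6
      }
    }'
}

# wildcard_with_attrs SAMPLE: entries whose id is "*" AND that carry
# attributes. The delivered All profile uses "*" with an empty attr field,
# so it grants nothing extra; a "*" with uid= or privs= is a finding.
wildcard_with_attrs() {
  printf '%s\n' "$1" | awk -F: '$6 == "*" && $7 != "" { printf "%s\t%s\n", $1, $7 }'
}
```

On a live system the same functions can be fed real data with root_commands "$(getent exec_attr)"; the id field is only a path, so a command that is itself writable by the profile holder still has to be checked separately.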
Example 69  Listing All Privileges and Their Definitions

The privilege format described in the privileges(7) man page is used by developers.

$ man privileges
Standards, Environments, and Macros                 privileges(7)

NAME
     privileges - process privilege model
...
     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery  of  events
         to an event endpoint.

         Allow a process to include events in the critical  event
         set  term  of  a  template  which  could be generated in
         volume by the user.
...
Example 70  Listing Privileges That Are Used in Privilege Assignment

The ppriv -l command lists all privileges by name. Add the –v option to include each privilege's definition.

This privilege format is used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.

$ ppriv -lv | more
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
...
win_upgrade_sl
        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.
Example 71  Listing the Privileges in Your Current Shell

Every user is assigned the basic privilege set by default. The default limit set is all privileges.

The single letters in the output refer to the following privilege sets:

  • E – Effective privilege set

  • I – Inheritable privilege set

  • P – Permitted privilege set

  • L – Limit privilege set

$ ppriv $$
1200:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -v $$
1200:   -bash
flags = <none>
	E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_self,proc_session,sys_ib_info
	I: file_link_any,file_read,...,sys_ib_info
	P: file_link_any,file_read,...,sys_ib_info
	L: contract_event,contract_identity,...,sys_time

The double dollar sign ($$) expands to the process ID of the current shell, so ppriv reports that shell's privilege sets. The listing covers the shell process only. It does not include privileges that a rights profile attaches to specific commands, because those take effect only when such a command is run from a profile shell.
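When reviewing a process, the permitted set (P) matters as much as the effective set (E): anything in P can be raised into E by the process itself, so P is the ceiling and E is what is in use right now. The following is an added example, not Oracle's code and not part of this page. It parses the E/I/P/L lines of ppriv -v output and reports any privilege outside the basic set, using the basic set listed in Example 72. The ppriv output is constructed: the shell has been given net_privaddr in P and E, and the L line is shortened to a handful of names, whereas a real -v listing prints every privilege in the limit set.

```shell
# Added example (not Oracle's code). Compare a process's privilege sets
# against the basic set and flag anything extra.

# Basic set as listed by `ppriv -vl basic` on this page.
BASIC_SET='file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_self,proc_session,sys_ib_info'

# Constructed `ppriv -v` output. net_privaddr has been added to P and E; the
# L line is abbreviated (a real listing shows the whole limit set).
SAMPLE_PPRIV='1200:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_self,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_self,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_self,proc_session,sys_ib_info
        L: contract_event,contract_identity,file_dac_read,net_privaddr,sys_time'

# priv_set OUTPUT LETTER: the comma-separated list for set E, I, P or L.
# Default awk field splitting drops the leading indentation, so $1 is "E:".
priv_set() {
  printf '%s\n' "$1" | awk -v s="$2" '$1 == (s ":") { print $2 }'
}

# set_difference A B: names in comma-list A that are not in comma-list B,
# one per line, sorted.
set_difference() {
  printf '%s\n' "$1" | awk -v b="$2" '
    BEGIN { n = split(b, arr, ","); for (i = 1; i <= n; i++) inb[arr[i]] = 1 }
    {
      m = split($0, p, ",")
      for (j = 1; j <= m; j++) if (p[j] != "" && !(p[j] in inb)) print p[j]
    }' | sort
}

# extra_privs OUTPUT LETTER: privileges in that set beyond the basic set.
extra_privs() {
  set_difference "$(priv_set "$1" "$2")" "$BASIC_SET"
}

# basic_only OUTPUT: exit 0 only when both P and E stay within basic.
# Checking E alone would miss a process that holds net_privaddr in P and
# simply has not raised it yet.
basic_only() {
  [ -z "$(extra_privs "$1" P)" ] && [ -z "$(extra_privs "$1" E)" ]
}
```

On a live system, basic_only "$(ppriv -v $$)" checks the current shell, and basic_only "$(ppriv -v "$pid")" any other process you are allowed to inspect (proc_info governs which).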

Example 72  Listing the Basic Privileges and Their Definitions
$ ppriv -vl basic
file_link_any
	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.
file_read
	Allows a process to read objects in the filesystem.
file_write
	Allows a process to modify objects in the filesystem.
net_access
	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
	Allows a process to call execve().
proc_fork
	Allows a process to call fork1()/forkall()/vfork()
proc_info
	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.
proc_self
	Allows a process to access files under /proc, including /proc/self.
proc_session
	Allows a process to send signals or trace processes outside its
	session.
sys_ib_info
	Allows a process to perform read InfiniBand MAD (Management Datagram)
	operations.
Example 73  Listing the Commands With Security Attributes in Your Rights Profiles

The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.

$ profiles -l
  Basic Solaris User
...
   /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
     proc_lock_memory,proc_priocntl,net_privaddr
   /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
   /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
     proc_priocntl,net_privaddr
  All
   * 

Listing Qualified Attributes

  • man user_attr – Describes the qualifiers that can be applied to security attributes

  • getent user_attr – Lists the qualified security attributes of a user or role that apply on the system where the command is run

  • ldapaddent -d user_attr – Lists all qualified security attributes of a user or role in LDAP, for every qualifier

Example 74  Listing a User's Qualified Attributes on This System
system1$ getent user_attr | grep jdoe:
jdoe:system1:::lock_after_retries=no;profiles=System Administrator
Example 75  Listing All Qualified Attributes for a User in LDAP
system1$ ldapaddent -d user_attr | grep ^jdoe:
jdoe:system1:::lock_after_retries=no;profiles=System Administrator
jdoe:sysopgroup:::lock_after_retries=no;profiles=System Operator