Developer's Guide to Oracle Solaris Security

Chapter 1 Oracle Solaris Security for Developers (Overview)

This manual documents the public application programming interfaces (APIs) and service provider interfaces (SPIs) for the security features in the Oracle Solaris Operating System (Oracle Solaris OS).

This chapter covers the following areas:

Overview of Oracle Solaris Security Features for Developers

This manual covers the public APIs and public SPIs for the security features in the Oracle Solaris operating system. For information on how these security features operate from the system administrator's viewpoint, see System Administration Guide: Security Services.

The Oracle Solaris OS provides a network security architecture that is based on standard industry interfaces. Through the use of standardized interfaces, applications that consume or provide cryptographic services should need no modification as security technologies evolve.

System Security

For system security, the Oracle Solaris OS provides process privileges. Process privileges are an alternative to the standard, superuser-based UNIX model for granting access to privileged applications. The system administrator assigns users a set of process privileges that permit access to privileged applications. A user does not need to become superuser to use a privileged application.

Privileges enable system administrators to delegate limited permission to users to override system security instead of giving users complete root access. Accordingly, developers who create new privileged applications should test for specific privileges instead of checking for UID = 0. See Chapter 2, Developing Privileged Applications.
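As an added example (not code from this guide), the C program below tests for the specific privilege a service needs instead of comparing the UID with 0, using priv_ineffect() from <priv.h> on Solaris. The helper names has_priv and first_missing_priv are hypothetical, and the non-Solaris branch is a constructed stand-in privilege set so that the file also compiles on other systems.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __sun
#include <priv.h>
/* Solaris: ask the kernel whether `name` is in the effective set. */
static int has_priv(const char *name)
{
    return priv_ineffect(name) == B_TRUE;
}
#else
/* Constructed stand-in (assumption, not real system state): a non-root
 * user who was delegated net_privaddr on top of a basic privilege set. */
static const char *const sample_effective[] = {
    "file_link_any", "proc_exec", "proc_fork", "proc_info",
    "proc_session", "net_privaddr", NULL
};
static int has_priv(const char *name)
{
    for (size_t i = 0; sample_effective[i] != NULL; i++)
        if (strcmp(sample_effective[i], name) == 0)
            return 1;
    return 0;
}
#endif

/* Returns NULL when every privilege in the NULL-terminated list is in
 * effect, otherwise the first missing name so it can be reported. */
const char *first_missing_priv(const char *const needed[])
{
    for (size_t i = 0; needed[i] != NULL; i++)
        if (!has_priv(needed[i]))
            return needed[i];
    return NULL;
}

int main(void)
{
    /* Binding a port below 1024 needs net_privaddr, not full root. */
    static const char *const needed[] = { "net_privaddr", NULL };
    const char *missing = first_missing_priv(needed);

    if (missing != NULL) {
        fprintf(stderr, "missing privilege: %s\n", missing);
        return 1;
    }
    puts("required privileges are in effect");
    return 0;
}
```

A geteuid() == 0 test would reject the delegated user modeled here even though the one privilege the service needs is present.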

For highly stringent system security, the Oracle Solaris OS also provides the Trusted Extensions feature, which is outside the scope of this book. The Trusted Extensions feature enables system administrators to specify the applications and files that a particular user can access. See http://www.sun.com/software/solaris/ds/trusted_extensions.jsp for more information.

Network Security Architecture

The network security architecture works with standard industry interfaces, such as PAM, GSS-API, SASL, and RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki). Through the use of standardized protocols and interfaces, developers can write both consumers and providers that need no modification as security technologies evolve.

An application, library, or kernel module that uses security services is called a consumer. An application that provides security services to consumers is referred to as a provider and also as a plug-in. The software that implements a cryptographic operation is called a mechanism. A mechanism is not just an algorithm but includes the manner in which the algorithm is to be applied. For example, one mechanism might apply the DES algorithm to authentication. A different mechanism might apply DES to data protection with block-by-block encryption.

The network security architecture eliminates the need for developers of consumers to write, maintain, and optimize cryptographic algorithms. Optimized cryptographic mechanisms are provided as part of the architecture.

The Oracle Solaris OS provides the following public interfaces for security: