System Administration Guide: Security Services

Managing Device Allocation

Device allocation restricts or prevents access to peripheral devices. Restrictions are enforced at user allocation time. By default, users must have authorization to access allocatable devices.

ProcedureHow to Make a Device Allocatable

If you have already run the bsmconv command to enable auditing, then device allocation is already enabled on your system. For more information, see the bsmconv(1M) man page.

  1. Assume a role that includes the Audit Control rights profile, or become superuser.

    The Primary Administrator role includes the Audit Control rights profile. You can also assign the Audit Control rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3.

  2. Enable device allocation.


    # bsmconv
    This script is used to enable the Basic Security Module (BSM).
    Shall we continue with the conversion now? [y/n] y
    bsmconv: INFO: checking startup file.
    bsmconv: INFO: move aside /etc/rc3.d/S81volmgt.
    bsmconv: INFO: turning on audit module.
    bsmconv: INFO: initializing device allocation files.
    
    The Basic Security Module is ready.
    If there were any errors, please fix them now.
    Configure BSM by editing files located in /etc/security.
    Reboot this system now to come up with BSM enabled.

    Note –

    The Volume Management daemon (/etc/rc3.d/S81volmgt) is disabled by this command.


ProcedureHow to Authorize Users to Allocate a Device

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create a rights profile that contains the appropriate authorization and commands.

    Typically, you would create a rights profile that includes the solaris.device.allocate authorization. Follow the instructions in How to Create or Change a Rights Profile. Give the rights profile appropriate properties, such as the following:

    • Rights profile name: Device Allocation

    • Granted authorizations: solaris.device.allocate

    • Commands with security attributes: mount with the sys_mount privilege, and umount with the sys_mount privilege

  3. Create a role for the rights profile.

    Follow the instructions in How to Create and Assign a Role by Using the GUI. Use the following role properties as a guide:

    • Role name: devicealloc

    • Role full name: Device Allocator

    • Role description: Allocates and mounts allocated devices

    • Rights profile: Device Allocation

      This rights profile must be at the top of the list of profiles that are included in the role.

  4. Assign the role to every user who is permitted to allocate a device.

  5. Teach the users how to use device allocation.

    For examples of allocating removable media, see How to Allocate a Device.

    Because the Volume Management daemon (vold) is not running, removable media are not automatically mounted. For examples of mounting a device that has been allocated, see How to Mount an Allocated Device.

ProcedureHow to View Allocation Information About a Device

Before You Begin

Device allocation must be enabled for this procedure to succeed. To enable device allocation, see How to Make a Device Allocatable.

  1. Assume a role that includes the Device Security rights profile, or become superuser.

    The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3.

  2. Display information about allocatable devices on your system.


    # list_devices device-name
    

    where device-name is one of the following:

    • audio[n] – Is a microphone and speaker.

    • fd[n] – Is a diskette drive.

    • sr[n] – Is a CD-ROM drive.

    • st[n] – Is a tape drive.

Troubleshooting

If the list_devices command returns an error message similar to the following, then either device allocation is not enabled, or you do not have sufficient permissions to retrieve the information.

list_devices: No device maps file entry for specified device.

For the command to succeed, enable device allocation and assume a role with the solaris.device.revoke authorization.

ProcedureForcibly Allocating a Device

Forcible allocation is used when someone has forgotten to deallocate a device. Forcible allocation can also be used when a user has an immediate need for a device.

Before You Begin

The user or role must have the solaris.device.revoke authorization.

  1. Determine if you have the appropriate authorizations in your role.


    $ auths
    solaris.device.allocate solaris.device.revoke
  2. Forcibly allocate the device to the user who needs the device.

    In this example, the tape drive is forcibly allocated to the user jdoe.


    $ allocate -U jdoe
    

ProcedureForcibly Deallocating a Device

Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. Forcible deallocation is used when a user has forgotten to deallocate a device.

Before You Begin

The user or role must have the solaris.device.revoke authorization.

  1. Determine if you have the appropriate authorizations in your role.


    $ auths
    solaris.device.allocate solaris.device.revoke
  2. Forcibly deallocate the device.

    In this example, the printer is forcibly deallocated. The printer is now available for allocation by another user.


    $ deallocate -f /dev/lp/printer-1
    

ProcedureHow to Change Which Devices Can Be Allocated

  1. Assume a role that includes the Device Security rights profile, or become superuser.

    The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3.

  2. Specify if authorization is required, or specify the solaris.device.allocate authorization.

    Change the fifth field in the device entry in the device_allocate file.


    audio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_clean
    fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean
    sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean

    where solaris.device.allocate indicates that a user must have the solaris.device.allocate authorization to use the device.


Example 5–4 Permitting Any User to Allocate a Device

In the following example, any user on the system can allocate any device. The fifth field in every device entry in the device_allocate file has been changed to an at sign (@).


$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;@;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;@;/etc/security/lib/sr_clean
…


Example 5–5 Preventing Some Peripheral Devices From Being Used

In the following example, the audio device cannot be used. The fifth field in the audio device entry in the device_allocate file has been changed to an asterisk (*).


$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;solaris device.allocate;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris device.allocate;/etc/security/lib/sr_clean
…


Example 5–6 Preventing All Peripheral Devices From Being Used

In the following example, no peripheral device can be used. The fifth field in every device entry in the device_allocate file has been changed to an asterisk (*).


$ whoami
devicesec
$ vi /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;*;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;*;/etc/security/lib/sr_clean
…

ProcedureHow to Audit Device Allocation

By default, the device allocation commands are in the other audit class.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Preselect the ot class for auditing.

    Add the ot class to the flags line of the audit_control file. The file would appear similar to the following:


    # audit_control file
    dir:/var/audit
    flags:lo,ot
    minfree:20
    naflags:lo

    For detailed instructions, see How to Modify the audit_control File.