Intro(1M)

NAME | DESCRIPTION | COMMAND SYNTAX | Rules for the Display and Entering of Labels | EXAMPLES | TRUSTED SOLARIS DIFFERENCES | SUMMARY OF TRUSTED SOLARIS CHANGES | ATTRIBUTES | SEE ALSO | DIAGNOSTICS | NOTES |

NAME

Intro- Introduction to maintenance commands and application programs

DESCRIPTION

This section describes Trusted Solaris^TM commands that are used chiefly for system maintenance and administration purposes. These commands can be:

• Commands that are unique to and originate in the Trusted Solaris environment, such as adminvi(1M), which enables administrators and other users to edit files while preventing certain vi actions that present a security risk.

• SunOS 5.7 commands that have been modified to work within the Trusted Solaris security policy, such as mount(1M). Man pages for modified commands have been rewritten to remove information that is not accurate for how the command behaves within the Trusted Solaris environment. Modified man pages also add descriptions for any new features, options, and arguments.

• SunOS 5.7 commands that remain unchanged from the Solaris 7 release, such as ln(1).

---

Note -

In the Trusted Solaris environment, even if a particular command is installed, not all users may be configured to use that command. Your site's security administrator may restrict the use of any command and may change any command's security attributes using execution profiles. (Security attributes, execution profiles, and other new Trusted Solaris terms are defined in the DEFINITIONS section of Intro(1) and explained further in the Trusted Solaris Administration Overview and Trusted Solaris Administrator's Procedures manuals.) Users who do not have a particular command in any of their execution profiles cannot use that command. Even if a command is in one of a user's execution profiles, that command still may not work as expected because the label range or another of the command's security attributes specified in the execution profile may limit how the command can be used. If any of the commands described in this section does not work at all or does not work as expected, check with your security administrator.

---

Because of command restructuring for the Virtual File System architecture, there are several instances of multiple manual pages that begin with the same name. For example, the mount, pages - mount(1M), mount_hsfs(1M), mount_nfs(1M), mount_tmpfs(1M), and mount_ufs(1M). In each such case the first of the multiple pages describes the syntax and options of the generic command, that is, those options applicable to all FSTypes (file system types). The succeeding pages describe the functionality of the FSType-specific modules of the command. These pages list the command followed by an underscore ( _ ) and the FSType to which they pertain. Note that the administrator should not attempt to call these modules directly. The generic command provides a common interface to all of them. Thus the FSType-specific manual pages should not be viewed as describing distinct commands, but rather as detailing those aspects of a command that are specific to a particular FSType.

Trusted Solaris Information Label Changes

Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.

Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.

As a result, Trusted Solaris 7 has the following characteristics:

• ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.

• ILs do not float.

• Setting an IL on an object has no effect.

• Getting an object's IL will always return ADMIN_LOW.

• Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs cannot be set on any objects.

• Sensitivity labels, not information labels, display on printer banners.

• Options related to information labels in the label_encodings(4) file can be ignored:

  Markings Name= Marks; 
  Float Process Information Label;

• IL-related privileges are no longer used.

• In auditing, the ilabel token is recorded as ADMIN_LOW, when it is recorded. The audit event numbers 519 (AUE_OFLOAT), 520 (AUE_SFLOAT), and 9036 (AUE_iil_change) continue to be reserved, but those events are no longer recorded.

COMMAND SYNTAX

Unless otherwise noted, commands described in this section accept options and other arguments according to the following syntax:

---

name [option(s)] [cmdarg(s)]

---

where:

name

The name of an executable file.

option

- noargletter(s) or,

- argletter<>optarg

where <> is optional white space.

noargletter

A single letter representing an option without an argument.

argletter

A single letter representing an option requiring an argument.

optarg

Argument (character string) satisfying preceding argletter.

cmdarg

Pathname (or other command argument) not beginning with - or, - by itself indicating the standard input.

Rules for the Display and Entering of Labels

When entering labels on the command line in a UNIX shell, follow these rules. For rules for entering labels in graphical user interfaces, see Rules for the Display and Entering of Labels. For rules for entering labels in configuration files, see RULES FOR INCLUDING LABELS IN A CONFIGURATION FILE in Intro(4).

Enter a sensitivity label (SL), information label (IL), or clearance, in text in the form:

{ + } { classification } { { +|- }word } ...

Items in curly brackets are optional. A vertical bar (|) represents a choice between two items. Items followed by an ellipsis may be repeated zero or more times. Leading and trailing white space is ignored. Items may be separated by blanks, tabs, commas or slashes (/).

The system always displays labels in uppercase. Users may enter labels in any combination of uppercase and lowercase.

The classification part of the label must be a valid classification name as defined in label_encodings(4). Classification names may contain embedded blanks or punctuation, if they are so defined in label_encodings. Short and long forms of classification names may be used interchangeably.

The words (compartments and markings) used in labels must be valid words as defined in label_encodings. Words may contain embedded blanks or punctuation if they are so defined in label_encodings.

Short and long forms of words may be used interchangeably. Words may be specified in any order; however they are processed left to right, so that where words conflict with each other, the word furthest to the right takes precedence.

You may used plus and minus signs when modifying an existing label to turn on or off the compartments and markings associated with the words.

A CMW label is represented in text in the form:

{ INFORMATION LABEL } { [ SENSITIVITY LABEL ] }

Items in curly brackets are optional. Leading and trailing white space is ignored. Items may be separated by blanks, tabs, commas, or slashes (/). Note that information labels are no longer supported -- see Trusted Solaris Information Label Changes in Intro for a fuller discussion.

EXAMPLES

---

Example 1 Using quotes in labels




On the command line, enclose any label with more than one word in double quotes because, without quotes, a second word or letter separated by a space is interpreted as a second argument. Enclose labels containing [ and ] characters in quotes to suppress the shell's use of those characters in filename substitution.

$ setlabel "ADMIN_LOW[ts a b]" somefile $ setlabel "admin_low[ts,a,b]" somefile $ setlabel "admin_low[ts/a b]" somefile

---

---

Example 2 Using case in labels




Use any combination of upper and lowercase letters. You may separate items in a label with blanks, tabs, commas or slashes (/). Do not use any other punctuation.

$ setlabel -s SECRET somefile

---

---

Example 3 Using brackets in labels




When entering a full CMW label, enter the IL first, followed by the SL in brackets.

Information Label[Sensitivity Label]

When entering an SL with a command option that sets the SL, you do not need to use brackets around the SL.

$ setlabel -s "TOP SECRET A B" somefile

---

---

Example 4 Setting a label




To set somefile's SL to SECRET A.

$ setlabel "[Secret a]" somefile

To turn on compartment B in somefile's SL.

$ setlabel -s +b somefile

To turn off compartment A in somefile's SL.

$ setlabel -s -A somefile

---

TRUSTED SOLARIS DIFFERENCES

The responsibilities and privileges of the super-user have been divided among several administrative roles. When a man page that has not been modified for the Trusted Solaris system states that super-user is required to execute a certain command or option, remember that one or more privileges are required instead. The site's security administrator can perform privilege debugging [see runpd(1M)] to find out which privileges are needed and can then decide to give the privilege to the command after assessing whether the command and any users set up to use that command can make use of the privilege in a manner that does not violate the site's security policy.

The ability of the UNIX super-user to bypass access restrictions, to execute restricted commands, and to use some command options not available to other users has been replaced with the profile mechanism, which allows the security administrator to assign to various users different sets of commands and to assign different privileges to the commands using execution profiles. When a command or one of its options needs a privilege in order to succeed, that privilege is a required privilege; if the required privilege is not given to the command in a user's execution profile by the security administrator, the command will not work. Required privileges are indicated on the man page with the words "must have," as shown in this sentence: "The ifconfig(1M) command must have the sys_net_config privilege to modify network interfaces."

In other cases, when the command is designed to work within security policy and it fails when certain DAC or MAC checks are not passed, an override privilege may be assigned at the security administrator's discretion. On man pages, the names of privileges that may be used to override access restrictions are given in the ERRORS section. The override privileges that may be given to bypass DAC or MAC restrictions on files or directories are given below:

The DAC override privileges are file_dac_read and file_dac_write. If a user does not have DAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired. The MAC override privileges are file_mac_read and file_mac_write. If a user does not have MAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired.

Besides being able to assign an override privilege, the security administrator has other options. For example, to avoid the use of privilege the security administrator may specify that the command will execute with another user's ID (usually the root ID 0) or group ID, one that allows access to the file or directory based on its permissions or its ACL.

To find out how privileges are made available to commands and to find out exactly which tasks, commands, and privileges are assigned to each of the roles by means of execution profiles shipped with the default system, see the Trusted Solaris Administrator's Procedures.

Also, check with your security administrator to find out which roles are configured at your site and if any of the roles have been reconfigured to suit your site's security policy.

SUMMARY OF TRUSTED SOLARIS CHANGES

Commands may not work as expected in the Trusted Solaris environment because Trusted Solaris administrators may limit the conditions under which commands may be accessed by each user or restrict commands from being accessed by certain users.

The printed Trusted Solaris 7 Reference Manual contains only the Trusted Solaris original and modified (from the Solaris environment) man pages. The online set of man pages viewed by the man command accesses all man pages; AnswerBook2^TM can access all man pages in the AnswerBook2 collections. For a fuller description, see Trusted Solaris Manual Page Display in Intro(1). The SEE ALSO man page heading has been subdivided to help users of the printed manual locate a referenced man page.

Besides the usual UNIX DAC checks performed when a process acting on behalf of a user attempts to access a file or directory, mandatory access checks also must be passed. For each possible type of access failure, a specific override privilege may be assigned to the command at the security administrator's discretion.

---

Note -

When a SUMMARY OF TRUSTED SOLARIS CHANGES is provided on a modified man page, it is intended as a convenience to summarize for you the major changes all in one place. Do not rely on the SUMMARY OF TRUSTED SOLARIS CHANGES alone, but also read the entire man page.

---

ATTRIBUTES

See attributes(5) in the SunOS 5.7 Reference Manual for a discussion of the attributes listed in this section.

SEE ALSO

Commands that are listed under the Trusted Solaris 7 Reference Manual heading in the SEE ALSO section are commands that have been changed or added in the Trusted Solaris environment. Commands that are listed under the SunOS 5.7 Reference Manual heading in the SEE ALSO section are commands that are unchanged in the Trusted Solaris environment. If you are using printed manuals, refer to the SunOS 5.7 Reference Manual for Solaris commands that are unchanged in the Trusted Solaris environment.

Trusted Solaris 7 Reference Manual

runpd(1M)

Trusted Solaris Administration Overview, Trusted Solaris Administrator's Procedures

SunOS 5.7 Reference Manual

getopt(1), getopt(3C), attributes(5)

DIAGNOSTICS

Upon termination, each command returns 0 for normal termination and non-zero to indicate troubles such as erroneous parameters, bad or inaccessible data, or other inability to cope with the task at hand. It is called variously ``exit code,'' ``exit status,'' or ``return code,'' and is described only where special conventions are involved.

NOTES

Unfortunately, not all commands adhere to the standard syntax.

Name

Description

accept(1M)

Accept or reject print requests

add_allocatable(1M)

Add entries to allocation databases and create ancillary file

add_drv(1M)

Add a new device driver to the system

adminvi(1M)

Edit text with restrictions

allocate(1M)

Device Allocation

arp(1M)

Address resolution display and control

atohexlabel(1M)

Convert a character-coded label to its hexadecimal equivalent

audit(1M)

Control the behavior of the audit daemon

audit_startup(1M)

Audit subsystem initialization script

audit_warn(1M)

Audit daemon warning script

auditconfig(1M)

Configure auditing

auditd(1M)

Audit daemon

auditreduce(1M)

Merge and select audit records from audit trail files

auditstat(1M)

Display kernel audit statistics

automount(1M)

Install automatic mount points

automountd(1M)

Autofs mount/unmount daemon

autopush(1M)

Configures lists of automatically pushed STREAMS modules

bootparamd(1M)

See rpc.bootparamd(1M)

bsmconv(1M)

Enable or disable the Basic Security Module (BSM)

bsmunconv(1M)

See bsmconv(1M)

chk_encodings(1M)

Check the label encodings file syntax

chroot(1M)

Change root directory for a command

clist(1M)

See pfsh(1M)

cron(1M)

Clock daemon

deallocate(1M)

Device deallocation

device_clean(1M)

Device clean programs

devpolicy(1M)

Configure device policy

dfmounts(1M)

Display mounted resource information

dfshares(1M)

list available resources from remote or local systems

dispadmin(1M)

Process scheduler administration

dl_booting(1M)

Inform the kernel that a machine is in the state of disklessly booting or in the normal state

dl_restore(1M)

See dl_booting(1M)

dminfo(1M)

Report information about a device entry in a device maps file

drvconfig(1M)

Configure the /devices directory

du(1M)

Summarize disk usage

eeprom(1M)

EEPROM Display and Load Utility

format(1M)

Disk partitioning and maintenance utility

fsdb_ufs(1M)

ufs File System Debugger

ftpd(1M)

See in.ftpd(1M)

fuser(1M)

Identify processes using a file or file structure

getfsattr(1M)

Display file system security attributes

getfsattr_ufs(1M)

Display file system security attributes

halt(1M)

Stop the processor

hextoalabel(1M)

Convert a hexadecimal label to its character-coded equivalent

ifconfig(1M)

Configure network interface parameters

in.ftpd(1M)

File transfer protocol server

in.named(1M)

Internet domain name server

in.rarpd(1M)

DARPA Reverse Address Resolution Protocol server

in.rdisc(1M)

Network router discovery daemon

in.rexecd(1M)

Remote execution server

in.rlogind(1M)

Remote login server

in.routed(1M)

Network routing daemon

in.rshd(1M)

Remote shell server

in.tftpd(1M)

Internet Trivial File Transfer Protocol server

inetd(1M)

Internet services daemon

init(1M)

Process control initialization

install(1M)

Install commands

list_devices(1M)

List allocatable devices

lockd(1M)

Network lock daemon

lpadmin(1M)

Configure the LP print service

lpfilter(1M)

Administer filters used with the LP print service

lpforms(1M)

Administer forms used with the LP print service

lpmove(1M)

Move print requests

lpsched(1M)

Start the LP print service

lpshut(1M)

Stop the LP print service

lpsystem(1M)

Register remote systems with the print service

lpusers(1M)

Set printing queue priorities

modload(1M)

Load a kernel module

modunload(1M)

Unload a module

mount(1M)

Mount or unmount file systems and remote resources

mount_hsfs(1M)

Mount hsfs file systems

mount_nfs(1M)

Mount remote NFS resources

mount_pcfs(1M)

Mount pcfs file systems

mount_tmpfs(1M)

Mount tmpfs file systems

mount_ufs(1M)

Mount ufs file systems

mountall(1M)

Mount, unmount multiple file systems

mountd(1M)

Server for NFS mount requests and NFS access checks

named(1M)

See in.named(1M)

ndd(1M)

Get and set driver configuration parameters

netstat(1M)

Show network status

newsecfs(1M)

See setfsattr(1M)

nfsd(1M)

NFS daemon

nfsstat(1M)

NFS statistics

nis_cachemgr(1M)

NIS+ utility to cache location information about NIS+ servers

nisd(1M)

See rpc.nisd(1M)

nisd_resolv(1M)

See rpc.nisd_resolv(1M)

nispasswdd(1M)

See rpc.nispasswdd(1M)

nispopulate(1M)

Populate the NIS+ tables in a NIS+ domain

nissetup(1M)

Initialize a NIS+ domain

nscd(1M)

Name service cache daemon

nslookup(1M)

Query name servers interactively

nstest(1M)

DNS test shell

pbind(1M)

Control and query bindings of processes to processors

pfsh(1M)

Profile shell

poweroff(1M)

See halt(1M)

praudit(1M)

Print contents of an audit trail file

prtconf(1M)

Print system configuration

psradm(1M)

Change processor operational status

rarpd(1M)

See in.rarpd(1M)

rdate(1M)

Set system date from a remote host

rdisc(1M)

See in.rdisc(1M)

reboot(1M)

Restart the operating system

reject(1M)

See accept(1M)

rem_drv(1M)

Remove a device driver from the system

remove_allocatable(1M)

Remove entries from allocation databases and delete ancillary file

rexecd(1M)

See in.rexecd(1M)

rlogind(1M)

See in.rlogind(1M)

route(1M)

Manually manipulate the routing tables

routed(1M)

See in.routed(1M)

rpc.bootparamd(1M)

Boot parameter server

rpc.getpeerinfod(1M)

Getpeerinfo service daemon

rpc.nisd(1M)

NIS+ service daemon

rpc.nisd_resolv(1M)

NIS+ service daemon

rpc.nispasswdd(1M)

NIS+ password update daemon

rpc.tbootparamd(1M)

Trusted Solaris boot parameter server

rpcbind(1M)

Universal addresses to RPC program number mapper

rpcinfo(1M)

Report RPC information

rshd(1M)

See in.rshd(1M)

runpd(1M)

Run a command for privilege debugging

rwall(1M)

Write to all users over a network

sendmail(1M)

Send mail over the internet

setaudit(1M)

Run a command with the audit mask set

setfsattr(1M)

Set security attributes on an existing or newly created file system

setmnt(1M)

Establish mount table

setuname(1M)

Change machine information

share(1M)

Make local resource available for mounting by remote systems

share_nfs(1M)

Make local NFS file systems available for mounting by remote systems

shareall(1M)

Share, unshare multiple resources

showmount(1M)

Show all remote mounts

snoop(1M)

Capture and inspect network packets

spray(1M)

Spray packets

statd(1M)

Network status monitor

swap(1M)

Swap administrative interface

sysdef(1M)

Output system definition

sysh(1M)

System shell

tbootparam(1M)

Send a request to rpc.tbootparamd to inform it that a host is in normal (labeled) state now

telinit(1M)

See init(1M)

tftpd(1M)

See in.tftpd(1M)

tnchkdb(1M)

Check file syntax of trusted network databases

tnctl(1M)

Configure Trusted Solaris network-daemon control parameters

tnd(1M)

Trusted network daemon

tninfo(1M)

Print information and statistics about kernel-level network

tokmapctl(1M)

Configure token-mapping daemon

tokmapd(1M)

Token-mapping daemon

traceroute(1M)

Print the route packets take to network host

uadmin(1M)

Administrative control

umount(1M)

See mount(1M)

umountall(1M)

See mountall(1M)

unshare(1M)

Make local resource unavailable for mounting by remote systems

unshare_nfs(1M)

Make local NFS file systems unavailable for mounting by remote systems

unshareall(1M)

See shareall(1M)

updatehome(1M)

Update the home directory copy and link files for the current label

writeaudit(1M)

Write an audit record

NAME | DESCRIPTION | COMMAND SYNTAX | Rules for the Display and Entering of Labels | EXAMPLES | TRUSTED SOLARIS DIFFERENCES | SUMMARY OF TRUSTED SOLARIS CHANGES | ATTRIBUTES | SEE ALSO | DIAGNOSTICS | NOTES |