#include <tsol/auth.h>
Every defined authorization has a manifest constant for use in programs, a name for use in user interfaces, and a description displayed by certain administrative tools. A set of authorizations is assigned to an execution profile, and the execution profile is assigned to a user or role. The user or role to which the execution profile is assigned has the authority to perform the tasks allowed by the authorizations in the execution profile. Authorizations are interpreted by utility and desktop tools. The manifest constant, name, and description for each authorization defined on this system follow.
TSOL_AUTH_ENABLE_LOGIN
enable logins
Allows a user to enable logins on a machine that was just booted. Until logins are enabled there is no interactive use of the machine's resources.
TSOL_AUTH_REMOTE_LOGIN
remote login
Allows a user to log in remotely, using programs such as TELNET or FTP, in a way that requires entering identification and authentication information. Such a login is different from extending an existing login from one machine to another without re-authentication because the trusted path is not guaranteed for these methods.
TSOL_AUTH_TERMINAL_LOGIN
terminal login
Allows a user to log in via a serial port. Such a login is different from extending an existing login from one machine to another without re-authentication because there is no trusted path presented for entering either the identification or authentication information.
TSOL_AUTH_FILE_AUDIT
set/get file audit flags
Allows a user to specify or view the auditing preselection information or public object flag to be associated with access to a file or directory. The auditing preselection information may override the preselection information associated with a user's access to a file or directory. The public object flag may override the successful read/search access preselection information associated with a user's access to a file or directory.
TSOL_AUTH_FILE_DOWNGRADE_SL
downgrade file sensitivity label
Allows a user to specify the Sensitivity Label to set on a file that does not dominate the file's existing Sensitivity Label.
TSOL_AUTH_FILE_UPGRADE_SL
upgrade file sensitivity label
Allows a user to specify the Sensitivity Label to set on a file that dominates the file's existing Sensitivity Label.
TSOL_AUTH_FILE_OWNER
act as file owner
Allows a user to act as a file's owner. This includes the ability to change the permission bits and ACL, to downgrade the Sensitivity Label, and set privileges (if further authorized by set file privileges) of files not owned. Also included is the ability to read and search directories, copy, move, and delete files not owned.
TSOL_AUTH_FILE_CHOWN
change file owner
Allows a user to change the ownership and group of a file.
TSOL_AUTH_FILE_SETPRIV
set file privileges
Allows a user to specify the allowed and forced privileges to be associated with the execution of a program file.
TSOL_AUTH_ALLOCATE
allocate device
Allows a user to allocate a device and specify the CMW label to associate with information imported from it, or exported to it.
TSOL_AUTH_CONFIG_DEVICE
configure device attributes
Allows an administrator to configure a device. Device configuration includes such things as setting the device name, type, label range, allocatable status, and allocation authorization list.
TSOL_AUTH_REVOKE_DEVICE
revoke or reclaim device
Allows an administrator to deallocate a currently allocated device or reset the allocate error state to make a device allocatable again.
TSOL_AUTH_WIN_DOWNGRADE_SL
paste to a downgraded window
Allows a user to paste selected information to a window whose Sensitivity Label does not dominate the selected information's Sensitivity Label.
TSOL_AUTH_WIN_UPGRADE_SL
paste to an upgraded window
Allows a user to paste selected information to a window whose Sensitivity Label dominates the selected information's Sensitivity Label.
TSOL_AUTH_SYS_ACCRED_SET
use all defined labels
Allows a user to use all the available labels on the system rather than being restricted to just the labels in the user accreditation range defined in the label encodings. Using a label implies the ability to specify that label for any of the label building interfaces, which include those to re-label files and create workspaces.
TSOL_AUTH_BYPASS_FILE_VIEW
bypass file view
Allows a user to drag and drop a file without viewing that file's contents.
TSOL_AUTH_SHUTDOWN
shut down the system
Allows a user to shut down the system via the Trusted Path menu. When the system is a CDE X Terminal, the CDE X Terminal is shut down, not the server. Unless the "abort_enable" system variable (see /etc/system) is set to 0, this authorization can be bypassed by entering the keyboard abort sequence, gaining entry to the PROM, and rebooting from the PROM.
TSOL_AUTH_USER_INDENT
set user identity
Allows an administrator to set the security information related to the user's identity. The user name, primary group, secondary groups, comment, and login shell may all be set via the User Manager. This authorization is needed to add, copy, or delete a user.
TSOL_AUTH_USER_PASSWORD
set user password
Allows an administrator to set password information pertaining to a user. The password, type of password, life time, expiration date, warning days, and the permission to set up the credentials table may all be set via the User Manager.
TSOL_AUTH_USER_SELF
permit self-modification
Allows an administrator to modify his or her own user attributes.
TSOL_AUTH_USER_LABELS
set user labels
Allows an administrator to set various label-related pieces of information associated with a particular user. A user's minimum login label, clearance, label view, and label translation attributes may be set via the User Manager.
TSOL_AUTH_USER_AUDIT
set user audit flags
Allows an administrator to set the per user audit flags.
TSOL_AUTH_USER_PROFILES
set user profiles
Allows an administrator to assign profiles to a user.
TSOL_AUTH_USER_IDLE
set idle time
Allows an administrator to set the idle time and determine which action to take when a workstation has been idle for too long. The idle time and idle command can be set via the User Manager.
TSOL_AUTH_USER_ROLES
set roles list
Allows an administrator to select which roles a user may assume. When a user assumes a role he or she may use all commands and actions granted to that role.
TSOL_AUTH_USER_HOME
set home directory attributes
Allows an administrator to determine such things as location, permissions, and initial contents of a user's home directory.
TSOL_AUTH_PRINT_ADMIN
administer printing
Allows a user to perform Trusted Printing System administration. Allows a user to start and stop printing daemons, list and cancel other users' print jobs, etc.
TSOL_AUTH_PRINT_CANCEL
cancel any print job
Allows a user to cancel a print request queued by any user.
TSOL_AUTH_PRINT_LIST
list all print jobs
Allows a user to get a list of queued print jobs for all users.
TSOL_AUTH_PRINT_MAC_OVERRIDE
bypass print system mac check
Allows a user to cancel or list print jobs at any sensitivity label.
TSOL_AUTH_PRINT_NOBANNER
print without banners
Allows a user to submit a print request to the Trusted Printing System that specifies (by means of the 'lp -o nobanner' option) that the print job's banner and trailer pages should be suppressed.
TSOL_AUTH_PRINT_POSTSCRIPT
print a PostScript file
Allows a user to print a PostScript file with the Trusted Printing System.
TSOL_AUTH_PRINT_UNLABELED
print without labels
Allows a user to submit a print request to the Trusted Printing System that specifies (by means of the 'lp -o nolabels' option) that the body pages of the print job should have the top and bottom labels suppressed.
TSOL_AUTH_DB_ALIASES
modify aliases
Allows a user to edit the aliases databases via the Database Manager.
TSOL_AUTH_DB_AUTO_HOME
modify auto_home
Allows a user to edit the auto_home databases via the Database Manager.
TSOL_AUTH_DB_BOOTPARAMS
modify bootparams
Allows a user to edit the bootparams databases via the Database Manager.
TSOL_AUTH_DB_ETHERS
modify ethers
Allows a user to edit the ethers databases via the Database Manager.
TSOL_AUTH_DB_HOSTS
modify hosts
Allows a user to edit the hosts databases via the Database Manager.
TSOL_AUTH_DB_LOCALE
modify locale
Allows a user to edit the locale databases via the Database Manager.
TSOL_AUTH_DB_NETGROUP
modify netgroup
Allows a user to edit the netgroup databases via the Database Manager.
TSOL_AUTH_DB_NETMASKS
modify netmasks
Allows a user to edit the netmasks databases via the Database Manager.
TSOL_AUTH_DB_NETWORKS
modify networks
Allows a user to edit the networks databases via the Database Manager.
TSOL_AUTH_DB_PASSWD
modify password
Allows a user to edit the password databases via the Database Manager.
TSOL_AUTH_DB_PROTOCOLS
modify protocols
Allows a user to edit the protocols databases via the Database Manager.
TSOL_AUTH_DB_RPC
modify rpc
Allows a user to edit the rpc databases via the Database Manager.
TSOL_AUTH_DB_SERVICES
modify services
Allows a user to edit the services databases via the Database Manager.
TSOL_AUTH_DB_TIMEZONE
modify timezone
Allows a user to edit the timezone databases via the Database Manager.
TSOL_AUTH_DB_TNIDB
modify tnidb
Allows a user to edit the tnidb databases via the Database Manager.
TSOL_AUTH_DB_TNRHDB
modify tnrhdb
Allows a user to edit the tnrhdb databases via the Database Manager.
TSOL_AUTH_DB_TNRHTP
modify tnrhtp
Allows a user to edit the tnrhtp databases via the Database Manager.
TSOL_AUTH_CRON_ADMIN
modify cron admin
Allows a user to modify and list crontab files of role users and users named in /etc/cron.d/cron.admin.
TSOL_AUTH_CRON_USER
modify cron users
Allows a user to modify and list crontab files of non-administrative users.
TSOL_AUTH_AT_ADMIN
modify at admin
Allows a user to remove and list at jobs of role users and users named in /etc/cron.d/at.admin.
TSOL_AUTH_AT_USER
modify at users
Allows a user to remove and list all jobs of non-administrative users.
Authorizations descriptions
Manifest constant and ID value definitions
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsu |
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.
Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.
As a result, Trusted Solaris 7 has the following characteristics:
- ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
- ILs do not float.
- Setting an IL on an object has no effect.
- Getting an object's IL will always return ADMIN_LOW.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs are always ADMIN_LOW, and cannot be set on any objects.
Options related to information labels in the label_encodings(4) file can be ignored:
Markings Name= Marks; Float Process Information Label;
Intro(3), auth_to_str(3), chkauth(3), auth_name(4)
Trusted Solaris administrator's document set, Trusted Solaris Developer's Guide