Trusted Solaris software modifies network installation commands and procedures that require greater security. For example, the Volume Manager adds a mounting-user directory when mounting devices in the Trusted Solaris environment.

Table 7-1 Trusted Solaris Differences in Network Installation

| Solaris Software | Trusted Solaris Software |
|---|---|
| You can log in as root. | There is no superuser. You log in as a user who can assume the root role, or as a user who can assume the admin or secadmin role, depending on the task. Then, assume the role to perform the task. |
| Processes and files do not have a label. | All processes and files are labeled. Commands and actions are run at a particular label. Most administrative tasks are run at the label |
| Administrators can often use a command line interface, even if a corresponding GUI equivalent exists. | Many administrative commands are run from a GUI, which calls checking and synchronizing functions. |
| Administrators can run an administrative command from a CD-ROM or diskette. | Commands that are on a diskette or CD-ROM, or are accessible from an NFS mount, may need to be added to the admin role's profile before they can be run. |
| Allows you to use a CD-ROM or diskette without allocating it. | Requires you to allocate a peripheral device at a particular label before its use. Before removing the medium, you must deallocate it. |

The following commands and actions are used when installing Solaris software or Trusted Solaris software over a network, and their use is modified in the Trusted Solaris environment. The following listing describes the additional procedures or security requirements. Commands that do not require a change in procedure are not listed. For the installation procedures themselves, see "Preparing to Install Solaris Software Over the Network" in the Solaris 8 Advanced Installation Guide.

Table 7-2 Modified Network Commands

| Network Command or GUI | Trusted Solaris Modification in its Use |
|---|---|
| setup_install_server(1M), add_install_client(1M), add_to_install_server(1M), rm_install_client(1M) | You must be in the admin role, at label If the admin role does not have this /pathname/*install* command in its assigned profiles, the secadmin role, at label For the procedure, see "Modifying a Role's Rights". |
| mount(1M) | The admin role, at label If you are mounting a CD-ROM or diskette on an installed system, the admin role must allocate the device at a particular label, usually |