test

Trusted Solaris Administrator's Procedures

Adding New Authorizations

Adding a new authorization consists of:

  1. Adding a header entry for the site's authorizations into the auth_attr(4) database.

  2. Adding a grant authorization into the auth_attr database that enables a role to assign the new authorization to others.

  3. Adding the new authorization entry to the auth_attr database.

  4. If you are running a name service, adding the new entries to the name service auth_attr database.

  5. Writing or modifying an application to check for the new authorization.

    In a default Trusted Solaris system, only the device allocation mechanism accepts new authorizations. Of course, a site can write other applications that check for new authorizations.

    The example detailed in "To Add an Authorization to the Environment" makes use of the fact that the device allocation authorization is configurable.

  6. Assigning the new authorization to user or role accounts.

The format for an entry in the auth_attr(4) file is: 


name:res1:res2:short_desc:long_desc:attr

The short_desc field is a brief description of the activity permitted by the authorization. The long_desc is used by the Solaris Management Console when it displays authorizations. A help file, which is specified in the attr field using the keyword value pair help=filename, displays in the online help. filename must be located in the directory ending with the name of the locale: /usr/lib/help/auths/locale/localename.

The following screen shows the default device allocation authorization in the auth_attr file in the C locale. The help file in the C locale is /usr/lib/help/auths/locale/C/DevAllocate.html.


solaris.device.allocate:::Allocate Device::help=DevAllocate.html

The example below shows two finer-grained device allocation authorizations that could be used to replace the default one above, one for tape devices and one for floppy devices. In the example, the authorizations' names start with the Internet domain name of the NewCo company.


com.newco.device.allocate.tape:::Allocate Tape Device::help=TapeAllocate.html
com.newco.device.allocate.floppy:::Allocate Floppy Device::help=FloppyAllocate.html

The next example shows the solaris.allocate.device authorization replaced in the device_allocate(4) file entry for floppy_0 with com.newco.device.allocate.floppy. This change would be made by the Security Administrator role using the Device Allocation Manager, as described in "To Add an Authorization to the Environment". After this substitution, any user attempting to allocate the floppy device must have the new authorization.


floppy_0;fd;0x00000000000000000000000000000000000000000000000000000000000000000
000;0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;com.
newco.device.allocate.floppy;/etc/security/lib/disk_clean