test

Trusted Solaris Administrator's Procedures

Adding Commands to /etc/init.d Scripts

In the default Trusted Solaris environment, the /etc/init.d scripts are modified to use the system shell, sysh(1M), instead of the Bourne shell, sh(1) when the service being started requires explicit privileges or other non-default security attributes that are defined in the boot profile. In the default boot scripts, /bin/sysh is used without the name of a profile argument because if no profile is specified, the system shell looks at the boot profile by default.

Caution - Caution -

Do not modify the commands already specified in the boot profile or modify the default /etc/init.d scripts. You can either add new scripts or change only scripts that may be added when a new application imported to the system.

When additional commands need to run during boot with non-default security attributes, the Security Administrator role specifies the commands with the needed attributes either by creating a new boot-time rights profile or by modifying the existing boot profile using the SMC Rights tool.

The role also needs do one of the following in /etc/init.d: modify an existing shell script, or create a new shell script so that the script starts with #!/sbin/sysh as the first line.

See the README in the /etc/init.d directory and in each /etc/rcn.d directory for guidelines about the numbering of the scripts that start system services.

As shown in the following example, a system shell boot script has #!/sbin/sysh as the first line. If the Security Administrator role has added the needed commands into the boot profile, there is no need to specify a profile name. If the Security Administrator role has created a new boot profile, the second line has the setprof argument followed by the name of the local_boot_profile. 


#!/sbin/sysh
 setprof local_boot_profile

For example, if a command needs a process label other than ADMIN_LOW, the profile needs to specify the label and if the command needs a UID of root, the profile needs to specify the required UID. See "To Run rc Scripts With Security Attributes".

Stopping or starting boot scripts in a Trusted Solaris environment requires privileges, so the script must be executed by the System Administrator Role in an administrative role workspace with the trusted path attribute, and the script's name must be in one of the account's rights profiles.

The toolbox from which the Rights tool is invoked should be running with the local FIles scope on the computer where the script is added to the /etc/init.d.