NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | ENVIRONMENT VARIABLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
The smrole command manages roles and adds or deletes users in role accounts. To set audit classes, the administrator must have the solaris.admin.usermgr.audit
authorization.
smrole subcommands are:
Adds a new role entry. To add an entry, the administrator must have the solaris.role.write
authorization.
Deletes one or more roles. To delete an entry, the administrator must have the solaris.role.write
authorization.
Lists one or more roles. If you do not specify a role name, all roles are listed. To list an entry, the administrator must have the solaris.admin.usermgr.read
authorization.
Adds or deletes users from a role account. To modify an entry, the administrator must have the solaris.role.write
authorization.
The smrole authentication arguments, auth_args, are derived from the smc(1M) arg set and are the same regardless of which subcommand you use.The smrole command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection might time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must come after the auth_args and must be separated from them by the - - option.
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user may be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or - -domain with the domain argument.
Specifies the default domain that you want to manage. The syntax of domain is type:/host_name/domain_name, where type is nis, nisplus, dns, ldap, or file; host_name is the name of the machine that serves the domain; and domain_name is the name of the domain you want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the domain for all other tools.
Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898. You may still have to choose a toolbox to load into the console. To override this behavior, use the smc(1M) -B option, or set your console preferences to load a “home toolbox” by default.
Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies a role name for authentication. If you do not specify this option, no role is assumed.
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.
This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the - - option.
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.
(Optional) Specifies the user name(s) to add to the new role.
(Optional) Includes a short description of the role. Consists of a string of up to 256 printable characters, excluding the colon (:).
(Optional) Specifies the home directory of the new role, limited to 1024 characters.
(Optional) Specifies the full, descriptive name of the role. The full_name must be unique within a domain, and can contain alphanumeric characters and spaces. If you use spaces, you must enclose the full_name in double quotes.
(Optional) Specifies the new role's supplementary group membership in the system group database with the character string names of one or more existing groups. Note: You cannot assign a primary group to a role. A role's primary group is always sysadmin (group 14).
(Optional) Displays the command's usage statement.
Specifies the name of the role you want to create.
(Optional) Specifies the profile(s) to add to the role. To assign a profile to a role, the administrator must have the solaris.profmgr.assign
or solaris.profmgr.delegate
authorization.
(Optional) Specifies the role's password. The password can contain up to eight characters. If you do not specify a password, the system prompts you for one. Note: When you specify a password using the -P option, you type the password in plain text. Specifying a password using this method introduces a security gap while the command is running. However, if you do not specify a password (and the system prompts you for one), the echo
is turned off when you type in the password. To set the password, the administrator must have the solaris.admin.usermgr.pswd
authorization.
(Optional) Specifies the full pathname of the program used as the role's shell on login. Valid entries are /bin/pfcsh (C shell), /bin/pfksh (Korn shell), and /bin/pfsh (Bourne shell), the default.
(Optional) Specifies the ID of the role you want to add. If you do not specify this option, the system assigns the next available unique ID greater than 100.
(Optional) Sets the role's home directory. The home directory path in the password entry is set to /home/login name.
(Optional) Specifies the role's clearance. clearanceval can be a string value or a hex value. If this option is not specified,
the default is admin_high
. To set the clearance, the administrator must have the solaris.admin.usermgr.labels
authorization.
(Optional) Specifies the role's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default
is admin_low
. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels
authorization.
(Optional) Specifies the second part of the labelview key value pair. If SHOW is specified, labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded. * can be “internal,”, “external,”, or ““. If this option is not specified, the default is SHOW.
(Optional) Sets the permissions on the role's home directory. perm is interpreted as an octal number. If this option is not specified, the default is 0775.
(Optional) Specifies how the password is changed by the user. If the AUTO option is specified, passwd=automatic will be recorded in user_attr. If MANUAL is specified, passwd=manual will be recorded in user_attr. If this option is not specified, the default is MANUAL.
(Optional) If -D is nis, nisplus, or ldap, use this option to specify the name of the server where the user's home directory resides. Users created in a local scope must have their home directory server created on their local machines.
(Optional) Specifies the label view type for the labelview in user_attr. If INTERNAL is specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified, nothing will be recorded to user_attr. If this option is not specified, the default is INTERNAL.
(Optional) Displays the command's usage statement.
Specifies the name of the role(s) you want to delete.
(Optional) Displays the command's usage statement.
(Optional) Displays the output for each user in a block of key:value pairs (for example, user name:root), followed by a blank line that delimits each user block. Each key:value pair is displayed on a separate line. The keys are: autohome setup, comment, home directory, login shell, primary group, secondary groups, server, user ID (UID), and user name.
(Optional) Specifies the role(s) that you want to list. If you do not specify a role name, all roles are listed.
(Optional) Specifies the user name(s) to add to the role.
(Optional) Includes a short description of the role. Consists of a string of up to 256 printable characters, excluding the colon (:).
(Optional) Specifies the home directory of the new role, limited to 1024 characters.
(Optional) Specifies the full, descriptive name of the role. The full_name must be unique within a domain, and can contain alphanumeric characters and spaces. If you use spaces, you must enclose the full_name in double quotes.
(Optional) Specifies the new role's secondary group membership in the system group database with the character string names of one or more existing groups. Note: You cannot assign a primary group to a role. A role's primary group is always sysadmin (group 14).
(Optional) Displays the command's usage statement.
Specifies the name of the role you want to modify.
(Optional) Specifies the new name of the role.
(Optional) Specifies the profile(s) to add to the role. To assign a profile to a role, the administrator must have the solaris.profmgr.assign
or solaris.profmgr.delegate
authorization.
(Optional) Specifies the role's password. The password can contain up to eight characters. Note: When you specify a password, you type the password
in plain text. Specifying a password using this method introduces a security gap while the command is running. To set the password, the administrator must have the solaris.admin.usermgr.pswd
authorization.
(Optional) Specifies the profile(s) to delete from the role.
(Optional) Specifies the user name(s) to delete from the role.
(Optional) Specifies the full pathname of the program used as the role's shell on login. Valid entries are /bin/pfcsh (C shell), /bin/pfksh (Korn shell), and /bin/pfsh (Bourne shell), the default.
(Optional) Sets the role's home directory. The home directory path in the password entry is set to /home/login_name.
(Optional) Specifies the role's clearance. clearanceval can be a string value or a hex value. If this option is not specified,
the default is admin_high
. To set the clearance, the administrator must have the solaris.admin.usermgr.labels
authorization.
(Optional) Specifies the role's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default
is admin_low
. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels
authorization.
(Optional) Specifies the second part of the labelview key value pair. If SHOW is specified, labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded. * can be “internal,”, “external,”, or ““. If this option is not specified, the default is SHOW.
(Optional) Sets the permissions on the role's home directory. perm is interpreted as an octal number. If this option is not specified, the default is 0775.
(Optional) Specifies how the password is changed by the user. If the AUTO option is specified, passwd=automatic will be recorded in user_attr. If MANUAL is specified, passwd=manual will be recorded in user_attr. If this option is not specified, the default is MANUAL.
(Optional) Specifies the label view type for the labelview in user_attr. If INTERNAL is specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified, nothing will be recorded to user_attr. If this option is not specified, the default is INTERNAL.
The admin role connects to port 898 (which happens to be the default) of the aviary server on the nisplus:/eagle/accipitridae.sun.com domain, and adds the singer role account with a full name of Kaori Mochida and a password of $jPoP213 on the local file system, and assigns users kmochida and migarashi to the role. This role has Name Service Security and Audit Review profiles, a clearance of Top Secret Able Baker, a minimum label of confidential, the labelview is set to show the label, the password update is set to provide a list from which the user must choose for the new password, and the label view is EXTERNAL. The system assigns the next available unique UID greater than 100. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smrole add -D nisplus:/eagle/accipitridae.sun.com \ -H aviary:898 -- -n singer -F "Kaori Mochida" -P $jPoP213 -a kmochida -a migarashi -p "Name Service Security" \ -p "Audit Review" -x clear="TS A B" -x label=confidential \ -x labelview=SHOW -x pwupdate=AUTO -x view=EXTERNAL |
The admin role deletes the singer and musician role accounts from the local file system. Since no authorization arguments were specified, the administrator connects to port 898 of the local host on the local server with the file domain type, which are the defaults. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smrole delete -- -n singer -n musician |
The admin role connects to the nisplus:/eagle/accipitridae.sun.com domain and lists all role accounts on the local file system in summary form. Since the host and port were not specified, the local host and port 898 are used by default. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smrole list \ -D nisplus:/eagle/accipitridae.sun.com -- |
The admin role connects to port 898 of the aviary server and modifies the singer role account so the role defaults to the Korn shell, includes the iito account, does not include the migarashi account, changes the clearance to Secret Able, and the label view is changed to INTERNAL. Since the domain was not specified, the file domain type and local server are used by default. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smrole modify -H aviary:898 -- -n singer \ -s /bin/pfksh -a iito -r migarashi -x clear "S A" -x view=internal |
See environ(5) for a description of the JAVA_HOME environment variable, which affects the execution of the smrole command. If this environment variable is not specified, the /usr/java location is used. See smc(1M).
The following exit values are returned:
Successful completion.
Invalid command syntax. A usage message displays.
An error occurred while executing the command. An error message displays.
The following files are used by the smrole command:
Mail aliases. See aliases(4).
Automatic mount points. See automount(1M).
Group file. See group(4).
Password file. See passwd(4).
Configuration file for security policy. See policy.conf(4).
Shadow password file. See shadow(4).
Extended user attribute database. See user_attr(4).
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE |
ATTRIBUTE VALUE |
---|---|
Availability |
SUNWmga |
To set audit classes, the administrator must have the solaris.admin.usermgr.audit
authorization. To add, modify, or delete an entry, the administrator must have the solaris.role.write
authorization. To list an entry,
the administrator must have the solaris.admin.usermgr.read
authorization. To set the clearance or minimum label, the administrator must have the solaris.admin.usermgr.labels
authorization. To set the password, the administrator
must have the solaris.admin.usermgr.pswd
authorization. To assign a profile to a user, the administrator must have the solaris.profmgr.assign
or solaris.profmgr.delegate
authorization.
Additional -x security options may be specified for the add and modify subcommands.
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | ENVIRONMENT VARIABLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO