NAME | DESCRIPTION | COMMAND SYNTAX | Rules for the Display and Entering of Labels | EXAMPLES | TRUSTED SOLARIS DIFFERENCES | SUMMARY OF TRUSTED SOLARIS CHANGES | ATTRIBUTES | SEE ALSO | DIAGNOSTICS | NOTES |
This section describes Trusted Solaris™ commands that are used chiefly for system maintenance and administration. The Trusted Solaris environment includes the following commands:
Commands that are unique to and originate in the Trusted Solaris environment, such as adminvi(1M), which enables administrators and other users to edit files while preventing certain vi actions that present a security risk.
SunOS 5.8 commands that have been modified to work within the Trusted Solaris security policy, such as mount(1M). Man pages for modified commands have been rewritten to remove information that is not accurate for how the command behaves within the Trusted Solaris environment. Modified man pages also add descriptions for any new features, options, and arguments.
SunOS 5.8 commands that remain unchanged from the Solaris 8 release, such as ln.
In the Trusted Solaris environment, even if a particular command is installed, not all users may be configured to use that command. Your site's security administrator may restrict the use of any command and may change any command's security attributes using execution profiles. Note: In Trusted Solaris 8 and later releases, execution profiles are known as rights or rights profiles. (Security attributes, rights profiles, and other new Trusted Solaris terms are defined in the DEFINITIONS section of Intro(1) and explained further in the Trusted Solaris Administration Overview and Trusted Solaris Administrator's Procedures guides.) Users who do not have a particular command in any of their rights profiles cannot use that command. If any of the commands described in this section does not work at all or does not work as expected, check with your security administrator.
Because of command restructuring for the Virtual File System architecture, there are several instances of multiple manual pages that begin with the same name. For example, there are multiple mount pages - mount(1M), mount_hsfs(1M), mount_nfs(1M), mount_tmpfs(1M), and mount_ufs(1M). In each such case the first of the multiple pages describes the syntax and options of the generic command, that is, those options applicable to all FSTypes (file system types). The succeeding pages describe the functionality of the FSType-specific modules of the command. These pages list the command followed by an underscore ( _ ) and the FSType to which they pertain. Note that the administrator should not attempt to call these modules directly. The generic command provides a common interface to all of them. Thus the FSType-specific manual pages should not be viewed as describing distinct commands, but rather as detailing those aspects of a command that are specific to a particular FSType.
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.
Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.
As a result, Trusted Solaris 7 and later releases have the following characteristics:
ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
ILs do not float.
Setting an IL on an object has no effect.
Getting an object's IL will always return ADMIN_LOW.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs cannot be set on any objects.
Sensitivity labels, not information labels, display on printer banners.
IL-related privileges are no longer used.
In auditing, the ilabel token is recorded as ADMIN_LOW, when it is recorded. The audit event numbers 519 (AUE_OFLOAT), 520 (AUE_SFLOAT), and 9036 (AUE_iil_change) continue to be reserved, but those events are no longer recorded.
name [option(s)] [cmdarg(s)]
name: The name of an executable file.
option: - noargletter(s) or, - argletter<>optarg where <> is optional white space.
noargletter: A single letter representing an option without an argument.
argletter: A single letter representing an option requiring an argument.
optarg: Argument (character string) satisfying preceding argletter.
cmdarg: Pathname (or other command argument) not beginning with - or, - by itself indicating the standard input.
When entering labels on the command line in a UNIX shell, follow these rules. For rules for entering labels in graphical user interfaces, see Rules for the Display and Entering of Labels. For rules for entering labels in configuration files, see RULES FOR INCLUDING LABELS IN A CONFIGURATION FILE in Intro(4).
Enter a sensitivity label (SL), information label (IL), or clearance, in text in the form:
{ + } { classification } { { +|- }word } ...
The system always displays labels in uppercase. Users may enter labels in any combination of uppercase and lowercase.
The classification part of the label must be a valid classification name as defined in label_encodings(4). Classification names may contain embedded blanks or punctuation, if they are so defined in label_encodings. Short and long forms of classification names may be used interchangeably.
The words (compartments and markings) used in labels must be valid words as defined in label_encodings. Words may contain embedded blanks or punctuation if they are so defined in label_encodings.
Short and long forms of words may be used interchangeably. Words may be specified in any order; however they are processed left to right, so that where words conflict with each other, the word furthest to the right takes precedence.
You may use plus and minus signs when modifying an existing label to turn on or off the compartments and markings associated with the words.
A CMW label is represented in text in the form:
{ INFORMATION LABEL } { [ SENSITIVITY LABEL ] }
Items in curly brackets are optional. Leading and trailing white space is ignored. Items may be separated by blanks, tabs, commas, or slashes (/). Note that information labels are no longer supported -- see Trusted Solaris Information Label Changes in Intro(1) for a fuller discussion.
On the command line, enclose any label with more than one word in double quotes because, without quotes, a second word or letter separated by a space is interpreted as a second argument. Enclose labels containing [ and ] characters in quotes to suppress the shell's use of those characters in filename substitution.
$ setlabel "[ts a b]" somefile
$ setlabel "[ts,a,b]" somefile
$ setlabel "[ts/a b]" somefile
Use any combination of upper and lowercase letters. You may separate items in a label with blanks, tabs, commas or slashes (/). Do not use any other punctuation.
$ setlabel -s SECRET somefile
When entering an SL with a command option that sets the SL, you do not need to use brackets around the SL.
$ setlabel -s "TOP SECRET A B" somefile
To set somefile's SL to SECRET A.
$ setlabel "[Secret a]" somefile
To turn on compartment B in somefile's SL.
$ setlabel -s +b somefile
To turn off compartment A in somefile's SL.
$ setlabel -s -A somefile
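The quoting rule for labels on the command line, shown as an added example that is not part of the original man page. show_args is a hypothetical stand-in for a label-taking command such as setlabel, and the scratch directory with a file named a is constructed so that the unquoted bracket expression has something to match.

```shell
#!/bin/sh
# Added illustration; show_args is a hypothetical stand-in for a command that
# takes a label and a file name, such as setlabel. It reports the number of
# arguments the shell delivered and the first one.
show_args() {
    printf '%d:%s\n' "$#" "$1"
}

# label_args MODE LABEL
# Runs show_args in a scratch directory (constructed) that holds a file
# named "a", passing LABEL either quoted or unquoted.
label_args() {
    mode=$1
    label=$2
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > a           # file name matched by the pattern [ts,a,b]
        : > somefile
        if [ "$mode" = quoted ]; then
            show_args "$label" somefile
        else
            # Unquoted: word splitting and filename substitution both apply.
            show_args $label somefile
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

label_args quoted   '[ts a b]'    # one label argument plus the file name
label_args unquoted '[ts a b]'    # label split into three words
label_args quoted   '[ts,a,b]'    # label passed intact
label_args unquoted '[ts,a,b]'    # label replaced by the file name "a"
```

In the last case the shell raises no error: the command receives the file name a where the label was typed.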
The responsibilities and privileges of the superuser have been divided among several administrative roles. When a man page that has not been modified for the Trusted Solaris system states that superuser is required to execute a certain command or option, remember that one or more privileges are required instead. The site's security administrator can perform privilege debugging [see runpd(1M)] to find out which privileges are needed and can then decide to give the privilege to the command after assessing whether the command and any users set up to use that command can make use of the privilege in a manner that does not violate the site's security policy.
The ability of the UNIX superuser to bypass access restrictions, to execute restricted commands, and to use some command options not available to other users has been replaced with the profile mechanism, which allows the security administrator to assign to various users different sets of commands and to assign different privileges to the commands using rights profiles. When a command or one of its options needs a privilege in order to succeed, that privilege is a required privilege; if the required privilege is not given to the command in a user's rights profile by the security administrator, the command will not work. Required privileges are indicated on the man page with the words "must have," as shown in this sentence: "The ifconfig(1M) command must have the sys_net_config privilege to modify network interfaces."
In other cases, when the command is designed to work within security policy and it fails when certain DAC or MAC checks are not passed, an override privilege may be assigned at the security administrator's discretion. On man pages, the names of privileges that may be used to override access restrictions are given in the ERRORS section. The override privileges that may be given to bypass DAC or MAC restrictions on files or directories are given below:
The DAC override privileges are file_dac_read and file_dac_write. If a user does not have DAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired. The MAC override privileges are file_mac_read and file_mac_write. If a user does not have MAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired.
Besides being able to assign an override privilege, the security administrator has other options. For example, to avoid the use of privilege the security administrator may specify that the command will execute with another user's ID (usually the root ID 0) or group ID, one that allows access to the file or directory based on its permissions or its ACL.
To find out how privileges are made available to commands and to find out exactly which tasks, commands, and privileges are assigned to each of the roles by means of rights profiles shipped with the default system, see the Trusted Solaris Administrator's Procedures.
Also, check with your security administrator to find out which roles are configured at your site and if any of the roles have been reconfigured to suit your site's security policy.
Commands may not work as expected in the Trusted Solaris environment because Trusted Solaris administrators may limit the conditions under which commands may be accessed by each user or restrict commands from being accessed by certain users.
The printed Trusted Solaris 8 Reference Manual contains only the Trusted Solaris original and modified (from the Solaris environment) man pages. The online set of man pages viewed by the man command accesses all man pages; AnswerBook2™ can access all man pages in the AnswerBook2 collections. For a fuller description, see Trusted Solaris Manual Page Display in Intro(1). The SEE ALSO man page heading has been subdivided to help users of the printed manual locate a referenced man page.
Besides the usual UNIX DAC checks performed when a process acting on behalf of a user attempts to access a file or directory, mandatory access checks also must be passed. For each possible type of access failure, a specific override privilege may be assigned to the command at the security administrator's discretion.
When a SUMMARY OF TRUSTED SOLARIS CHANGES is provided on a modified man page, it is intended as a convenience to summarize for you the major changes all in one place. Do not rely on the SUMMARY OF TRUSTED SOLARIS CHANGES alone, but also read the entire man page.
See attributes(5) in the SunOS 5.8 Reference Manual for a discussion of the attributes listed in this section.
Commands that are listed under the Trusted Solaris 8 Reference Manual heading in the SEE ALSO section are commands that have been changed or added in the Trusted Solaris environment. Commands that are listed under the SunOS 5.8 Reference Manual heading in the SEE ALSO section are commands that are unchanged in the Trusted Solaris environment. If you are using printed manuals, refer to the SunOS 5.8 Reference Manual for Solaris commands that are unchanged in the Trusted Solaris environment.
Upon termination, each command returns 0 for normal termination and non-zero to indicate troubles such as erroneous parameters, bad or inaccessible data, or other inability to cope with the task at hand. It is called variously "exit code," "exit status," or "return code," and is described only where special conventions are involved.
Unfortunately, not all commands adhere to the standard syntax.
Description
Accept or reject print requests
Add entries to allocation databases and create ancillary file
Add a new device driver to the system
Edit text with restrictions
Device allocation
Address resolution display and control
Convert a character-coded label to its hexadecimal equivalent
Control the behavior of the audit daemon
Audit subsystem initialization script
Audit daemon warning script
Configure auditing
Audit daemon
Merge and select audit records from audit trail files
Display kernel audit statistics
Install automatic mount points
autofs mount/unmount daemon
Configures lists of automatically pushed STREAMS modules
Enable or disable the Basic Security Module (BSM)
See bsmconv(1M)
Check the label encodings file syntax
Change root directory for a command
Display a list of commands in a profile shell
core file administration
Clock daemon
Device deallocation
administration command for
See devfsadm(1M)
Device clean programs
Configure device policy
Display mounted resource information
List available resources from remote or local systems
Process scheduler administration
Inform the kernel that a machine is in the state of disklessly booting or in the normal state
See dl_booting(1M)
Report information about a device entry in a device maps file
Configure the
Summarize disk usage
EEPROM display and load utility
Disk partitioning and maintenance utility
ufs File System Debugger
See in.ftpd(1M)
Identify processes using a file or file structure
Display file system security attributes
Display file system security attributes
Stop the processor
Convert a hexadecimal label to its character-coded equivalent
Configure network interface parameters
File transfer protocol server
Internet domain name server
DARPA Reverse Address Resolution Protocol server
Network router discovery daemon
Remote execution server
Remote login server
Network routing daemon
Remote shell server
Internet Trivial File Transfer Protocol server
Internet services daemon
Process control initialization
start and stop the CIM Boot Manager
Install commands
List allocatable devices
Network lock daemon
Configure the LP print service
Administer filters used with the LP print service
Administer forms used with the LP print service
Move print requests
Start the LP print service
Stop the LP print service
Register remote systems with the print service
Set printing queue priorities
Make device_allocate entries
Make device_maps entries
Load a kernel module
Unload a module
Mount or unmount file systems and remote resources
Mount hsfs file systems
Mount remote NFS resources
Mount pcfs file systems
Mount tmpfs file systems
Mount ufs file systems
Mount, unmount multiple file systems
Server for NFS mount requests and NFS access checks
See in.named(1M)
Get and set driver configuration parameters
Show network status
See setfsattr(1M)
NFS daemon
NFS statistics
NIS+ utility to cache location information about NIS+ servers
initialize NIS+ credentials for NIS+ principals
See rpc.nisd(1M)
Populate the NIS+ tables in a NIS+ domain
Initialize a NIS+ domain
Name service cache daemon
Query name servers interactively
Control and query bindings of processes to processors
Profile shell
Check package installation accuracy
See halt(1M)
Print contents of an audit trail file
Print system configuration
Change processor operational status
See in.rarpd(1M)
Set system date from a remote host
See in.rdisc(1M)
Restart the operating system
See accept(1M)
Remove a device driver from the system
Remove entries from allocation databases and delete ancillary file
See in.rexecd(1M)
See in.rlogind(1M)
removable media mounter for CD-ROM and floppy
Manually manipulate the routing tables
See in.routed(1M)
Boot parameter server
Getpeerinfo service daemon
NIS+ service daemon
NIS+ service daemon
NIS+ password update daemon
Trusted Solaris boot parameter server
Server for modifying NIS password file
server for changing NIS information
Universal addresses to RPC program number mapper
Report RPC information
See in.rshd(1M)
Run a command for privilege debugging
Write to all users over a network
Send mail over the internet
Run a command with the audit mask set
Set security attributes on an existing or newly created file system
Change machine information
Make local resource available for mounting by remote systems
Make local NFS file systems available for mounting by remote systems
Share, unshare multiple resources
Show all remote mounts
start the Solaris Management Console (SMC)
Manage jobs in the crontab database
manage entries in the exec_attr database
manage group entries
Manage entries in the hosts database
manage email alias entries
manage bulk operations on user accounts
Manage entries in the interface database
Manage entries in the network template database
Manage entries in the networks database
manage profiles in the prof_attr and exec_attr databases
manage roles and users in role accounts
manage user entries
Capture and inspect network packets
Spray packets
Network status monitor
become a non-role user
Swap administrative interface
Output system definition
System shell
Send a request to rpc.tbootparamd to inform it that a host is in normal (labeled) state now
See init(1M)
See in.tftpd(1M)
Check file syntax of trusted network databases
Configure Trusted Solaris network-daemon control parameters
Trusted network daemon
Print information and statistics about kernel-level network
Configure token-mapping daemon
Token-mapping daemon
Print the route packets take to network host
Administrative control
See mount(1M)
See mountall(1M)
Make local resource unavailable for mounting by remote systems
Make local NFS file systems unavailable for mounting by remote systems
See shareall(1M)
Update the home directory copy and link files for the current label
Write an audit record
NIS binder process
NIS server and binder processes
transfer NIS map from a NIS server to host
See ypxfr(1M)
See ypxfr(1M)
See ypxfr(1M)
See ypserv(1M)