NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | FILES | CAVEATS | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
/etc/security/exec_attr
/etc/security/exec_attr is a local database that specifies the execution attributes associated with rights profiles. The exec_attr file can be used with other sources for rights profiles, including the exec_attr NIS map and NIS+ table. Programs use the getexecattr(3SECDB) routines to access this information.
The search order for multiple rights profile sources is specified in the /etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page. The search order follows the entry for prof_attr(4).
A rights profile is a logical grouping of authorizations, CDE actions, and commands that is interpreted by a profile shell to form a secure execution environment. The shells that interpret profiles are pfcsh, pfksh, and pfsh. See the pfexec(1) man page. Each user's account is assigned zero or more profiles in the user_attr(4) database file.
Each entry in the exec_attr database consists of one line of text containing seven fields separated by colons (:). Line continuations using the backslash (\) character are permitted. The basic format of each entry is:
name:policy:type:res1:res2:cmdid:attr
name:policy:type:res1:res2:actid;argclass;argtype;argmode;argcount:attr
name
    The name of the profile. Profile names are case-sensitive.
policy
    The policy that is associated with the profile entry. The only valid policies are suser and tsol.
type
    The type of object defined in the profile. There are two valid types: cmd and act.
res1
    Reserved for future use.
res2
    Reserved for future use.
cmdid
    A string that uniquely identifies the command described by the profile or an asterisk (*) used as a wildcard. cmdid is either the full path to the command or a wildcard indicating all commands. You can also use a wildcard with a pathname to indicate all files in a particular directory. To specify arguments, the pathname should point to a shell script written to execute the command with the desired arguments.
actid
    A string that uniquely identifies the CDE action described by the profile or an asterisk (*) used as a wildcard. If an individual action is specified, there are four additional semicolon-separated fields used to define an argument for the action. These fields can be empty but the semicolons are required.
    argclass
        Specifies the argument class (for example, FILE or SESSION). Corresponds to ARG_CLASS for CDE actions.
    argtype
        Specifies the data type for the argument. Corresponds to ARG_TYPE for CDE actions.
    argmode
        Specifies read or write mode for the argument. Corresponds to ARG_MODE for CDE actions.
    argcount
        Specifies the number of arguments that the action can accept. Corresponds to ARG_COUNT for CDE actions.
attr
    An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. The list of valid keywords depends on the policy enforced. The following keywords are valid: privs, clearance, label, euid, uid, egid, and gid.
    privs
        The privs key contains a comma-separated list of privilege numbers that will be effective when the command or action is run.
    clearance
        The clearance key contains the maximum label at which the process can run.
    label
        The label key contains the minimum label at which the process can run.
    euid, uid
        euid and uid contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs. Setting uid may be more appropriate than setting the euid on privileged shell scripts.
    egid, gid
        egid and gid contain a single group name or a numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on a file. Commands designated with gid run with both the real and effective GIDs. Setting gid may be more appropriate than setting the egid on privileged shell scripts.
The following example shows how the audit command in the Audit Control profile is specified to execute with an effective user ID of root (0) and effective group ID of bin (3):
Audit Control:suser:cmd:::/etc/init.d/audit:euid=0;egid=3
The following example shows how the Tar action in the Media Backup profile is specified to execute with a set of privileges. (Note that privilege names are mapped to integer values in /usr/include/sys/tsol/priv_names.h.)
Media Backup:tsol:act:::Tar;*;TAR,MAGTAPE;*;>0:privs=1,4,5,8,10,11,12,19,71;
Configuration file for the name service switch.
Local source of extended attributes associated with users and roles.
Local source for execution attributes associated with rights profiles.
When deciding which authorization source to use (see DESCRIPTION), keep in mind that NIS+ provides stronger authentication than NIS.
Because the list of legal keys is likely to expand, any code that parses this database must be written to ignore unknown key-value pairs without error. When any new keywords are created, the names should be prefixed with a unique string, such as the company's stock symbol, to avoid potential naming conflicts.
The following characters are used in describing the database format and must be escaped with a backslash if used as data: colon (:), semicolon (;), equals (=), and backslash (\).
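A parser that follows the rules above (seven fields, backslash continuation and escaping, unknown keys skipped without error) is sketched here as an added example; it is not part of the original man page and does not use getexecattr(3SECDB). The first two sample entries are the ones from EXAMPLES; the third entry, its path, the ACME_zone key and the label value are constructed for illustration.

```python
import re

KNOWN_KEYS = {"privs", "clearance", "label", "euid", "uid", "egid", "gid"}
FIELDS = ("name", "policy", "type", "res1", "res2", "id", "attr")
ACT_ARGS = ("actid", "argclass", "argtype", "argmode", "argcount")

def split_unescaped(text, sep):
    """Split on sep, treating any character after a backslash as data."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def parse_entry(line):
    fields = split_unescaped(line, ":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    entry = dict(zip(FIELDS, fields))
    if entry["policy"] not in ("suser", "tsol") or entry["type"] not in ("cmd", "act"):
        raise ValueError(f"bad policy or type in {line!r}")
    entry["name"] = unescape(entry["name"])
    if entry["type"] == "act":          # actid;argclass;argtype;argmode;argcount
        parts = split_unescaped(entry["id"], ";")
        entry["id"] = dict(zip(ACT_ARGS, map(unescape, parts)))
    else:
        entry["id"] = unescape(entry["id"])
    attrs, ignored = {}, {}
    for pair in split_unescaped(entry["attr"], ";"):
        if not pair:
            continue                    # trailing ';' or empty attr field
        kv = split_unescaped(pair, "=")
        key, value = unescape(kv[0]), unescape("=".join(kv[1:]))
        # Unknown keys are set aside, never treated as an error.
        (attrs if key in KNOWN_KEYS else ignored)[key] = value
    if "privs" in attrs:
        attrs["privs"] = [int(p) for p in attrs["privs"].split(",")]
    entry["attr"], entry["ignored"] = attrs, ignored
    return entry

def parse_exec_attr(text):
    # Join continuation lines: an unescaped backslash directly before a newline.
    text = re.sub(r"(?<!\\)((?:\\\\)*)\\\n", r"\1", text)
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

SAMPLE = (  # entries 1-2 from EXAMPLES; entry 3 is constructed
    "Audit Control:suser:cmd:::/etc/init.d/audit:euid=0;egid=3\n"
    "Media Backup:tsol:act:::Tar;*;TAR,MAGTAPE;*;>0:privs=1,4,5,8,10,11,12,19,71;\n"
    "Demo Profile:tsol:cmd:::/opt/demo/bin/tool:uid=0;\\\n"
    "ACME_zone=a\\:b;label=admin_low\n"
)
```

Reviewing the parsed output for entries that grant uid=0, euid=0 or a privs list on a wildcard cmdid is a quick way to spot profiles that hand out more than intended.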
In the Trusted Solaris environment, the exec_attr file contains actions (including four arguments) as well as commands. In addition, both actions and commands can have privileges, clearances, and labels as security attributes.
auths(1), profiles(1), roles(1), getauusernam(3BSM), getauthattr(3SECDB), prof_attr(4), priv_desc(4)