NAME
user_attr - extended user attributes database

SYNOPSIS
/etc/user_attr

DESCRIPTION
/etc/user_attr is a local source of extended attributes associated with users and roles. user_attr can be used with other user attribute sources, including the user_attr NIS map and NIS+ table. Programs use the getuserattr(3SECDB) routines to gain access to this information.
The search order for user_attr sources follows the order specified for passwd(4) in the nsswitch.conf(4) file; no separate entry is made for user_attr in that file.
Each entry in the user_attr databases consists of a single line with five fields separated by colons (:). Line continuations using the backslash (\) character are permitted. Each entry has the form:

user:qualifier:res1:res2:attr

The fields are:

user
The name of the user as specified in the passwd(4) database.

qualifier
Reserved for future use.

res1
Reserved for future use.

res2
Reserved for future use.
attr
An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the user. Zero or more keys may be specified. These are the keys currently interpreted by the system:

auths
Specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr(4) database. Authorization names may be specified using the asterisk (*) character as a wildcard. For example, solaris.printer.* means all of Sun's printer authorizations.

profiles
Contains an ordered, comma-separated list of profile names chosen from prof_attr(4). Profiles are used by the profile shells pfcsh, pfksh, and pfsh. (See pfexec(1).)

roles
Can be assigned a comma-separated list of role names from the set of user accounts in this database whose type field indicates the account is a role. If the roles key value is not specified, the user is not permitted to assume any role.

type
Can be assigned one of these strings: normal, indicating that this account is for a normal user, one who logs in; or role, indicating that this account is for a role. Roles can only be assumed by a normal user after the user has logged in.

lock_after_retries
Specifies whether or not an account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. Possible values are yes or no.

gen
Contains either of the strings automatic or manual. automatic specifies that a user must choose a machine-generated password when changing a password. manual specifies that a user may devise a password of his or her choice.

idletime
Contains a number representing the number of seconds a workstation may remain idle before the window manager attempts the task specified in idlecmd. A zero in this field specifies that the idlecmd command is never executed.

idlecmd
Contains one of two keywords that the window manager interprets when a workstation has been idle for too long. The keyword lock specifies that the workstation is to be locked (and thus requires the user to provide a password to resume the session). The keyword logout specifies that the session is to be terminated (thus killing the user's processes launched in the current session).

labelview
Contains comma-separated keywords. Supported keyword pairs are internal|external and showsl|hidesl. internal specifies that the user may see the ADMIN_LOW and ADMIN_HIGH labels displayed by various commands and applications, and external specifies that the user may not see the labels. showsl indicates that sensitivity labels are displayed, and hidesl indicates that sensitivity labels are not displayed.

labeltrans
Contains a hexadecimal number representing the process attribute flags that control label translation.

clearance
Contains the maximum sensitivity label at which the user may operate. This label is given as a hexadecimal string. See atohexlabel(1M).

min_label
Contains the minimum sensitivity label at which the user may log in. This label is given as a hexadecimal string. See atohexlabel(1M).
EXAMPLES
The following example entry assigns to root the All profile, which allows root to use all commands in the system, and also assigns two authorizations:

root::::auths=solaris.*,solaris.grant;profiles=All;type=role
FILES
/etc/nsswitch.conf
Configuration file for the name service switch.

/etc/user_attr
Defines extended user attributes.
NOTES
When deciding which authorization source to use (see DESCRIPTION), keep in mind that NIS+ provides stronger authentication than NIS.
The root user is usually defined in local databases for a number of reasons, including the fact that root needs to be able to log in and do system maintenance in single-user mode, before the network name service databases are available. An entry should exist for root in the local user_attr file.
Because the list of legal keys is likely to expand, any code that parses this database must be written to ignore unknown key-value pairs without error. When any new keywords are created, the names should be prefixed with a unique string, such as the company's stock symbol, to avoid potential naming conflicts.
In the attr field, escape the following symbols with a backslash (\) if you use them in any value: colon (:), semicolon (;), carriage return (\n), equals (=), or backslash (\).
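As an added example (not part of this man page and not Solaris's getuserattr(3SECDB) implementation), the following Python parser applies the rules above: backslash line continuations, five colon-separated fields, the escapes listed in this section, unknown key-value pairs tolerated rather than rejected, and a check that every name in roles= refers to an account whose type is role. The sample file content, the acme.note key and all account names are constructed.

```python
import re
# Constructed sample (not from the page): a line continuation, an escaped ';', an unknown key.
SAMPLE = r"""root::::auths=solaris.*,solaris.grant;profiles=All;type=role
secadmin::::type=role;profiles=Information Security;idletime=300;idlecmd=lock
alice::::type=normal;roles=secadmin,oper;lock_after_retries=yes;\
labelview=external,showsl;acme.note=backup\;nightly
bob::::type=normal;roles=alice
"""
KNOWN_KEYS = {"auths", "profiles", "roles", "type", "lock_after_retries", "gen",
              "idletime", "idlecmd", "labelview", "labeltrans", "clearance", "min_label"}
def split_unescaped(s, sep):
    """Split s on sep, treating backslash-escaped pairs as atomic (escapes are kept)."""
    toks = re.findall(r"\\.|.", s, re.S)            # one escape pair or one plain character
    cuts = [-1] + [i for i, t in enumerate(toks) if t == sep] + [len(toks)]
    return ["".join(toks[a + 1:b]) for a, b in zip(cuts, cuts[1:])]

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)   # \: \; \= \\ -> bare character

def parse_user_attr(text):
    """Return {user: {"attrs": {known keys}, "unknown": [keys ignored without error]}}."""
    entries, logical, pending = {}, [], ""
    for raw in text.splitlines():                  # join backslash line continuations
        line = pending + raw
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:   # odd trailing '\' continues
            pending = line[:-1]; continue
        pending = ""; logical.append(line)
    for line in filter(str.strip, logical):        # blank lines carry no entry
        fields = split_unescaped(line, ":")
        if len(fields) != 5:
            raise ValueError("expected user:qualifier:res1:res2:attr, got %r" % line)
        attrs, unknown = {}, []
        for pair in filter(None, split_unescaped(fields[4], ";")):
            key, *rest = map(unescape, split_unescaped(pair, "="))
            if key in KNOWN_KEYS:
                attrs[key] = "=".join(rest)
            else:
                unknown.append(key)                # tolerated, never an error
        entries[unescape(fields[0])] = {"attrs": attrs, "unknown": unknown}
    return entries

def check_roles(entries):
    """Flag roles= targets that are missing or whose type is not 'role'."""
    problems = []
    for user, ent in entries.items():
        for role in filter(None, ent["attrs"].get("roles", "").split(",")):
            target = entries.get(role)
            if target is None or target["attrs"].get("type") != "role":
                problems.append((user, role))
    return problems
```

Running check_roles on the sample flags alice's reference to the non-existent oper and bob's attempt to use the normal account alice as a role.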
SUMMARY OF TRUSTED SOLARIS CHANGES
In addition to auths, profiles, roles, and type, the following keywords are used in the Trusted Solaris environment: lock, gen, idletime, idlecmd, labelview, labeltrans, clearance, and min_label.
lock_after_retries specifies whether or not an account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. Possible values are yes or no.