Developer's Guide to Oracle Solaris Security

About Authorizations

    Authorizations are stored in the /etc/security/auth_attr file. To create an application that uses authorizations, take the following steps:

  1. Scan the /etc/security/auth_attr for one or more appropriate authorizations.

  2. Check for the required authorization at the beginning of the program using the chkauthattr(3SECDB) function.

    The chkauthattr() function searches for the authorization in order in the following locations:

    • AUTHS_GRANTED key in the policy.conf(4) database – AUTHS_GRANTED indicates authorizations that have been assigned by default.

    • PROFS_GRANTED key in the policy.conf(4) database – PROFS_GRANTED indicates rights profiles that have been assigned by default. chkauthattr() checks these rights profiles for the specified authorization.

    • The user_attr(4) database – This database stores security attributes that have been assigned to users.

    • The prof_attr(4) database – This database stores rights profiles that have been assigned to users.

    If chkauthattr() cannot find the right authorization in any of these places, then the user is denied access to the program.

  3. Let the administrator know which authorizations are required for this application. You can inform the administrators through man pages or other documentation.

Example 2–3 Checking for Authorizations

The following code snippet demonstrates how the chkauthattr() function can be used to check a user's authorization. In this case, the program checks for the solaris.job.admin authorization. If the user has this authorization, the user is able to read or write to other users' files. Without the authorization, the user can operate on owned files only.

/* Define override privileges */
priv_set_t *override_privs = priv_allocset();

/* Clear privilege set before adding privileges. */

priv_addset(override_privs, PRIV_FILE_DAC_READ);
priv_addset(override_privs, PRIV_FILE_DAC_WRITE);

if (!chkauthattr("", username)) {
    /* turn off privileges */
    setppriv(PRIV_OFF, PRIV_EFFECTIVE, override_privs);
/* Authorized users continue to run with privileges */
/* Other users can read or write to their own files only */