System Administration Guide, Volume 2

Execution Profiles

An execution profile is a bundling mechanism for grouping authorizations and commands with special attributes, and assigning them to users or roles. The special attributes include real and effective UIDs and GIDs. The most common attribute is setting the real or effective UID to root. The definitions of execution profiles are stored in the prof_attr database.

The fields in the prof_attr database are separated by colons:

profname:res1:res2:desc:attr

The fields are described in the following table.

Field Name   Description

profname     The name of the profile. Profile names are case-sensitive.

res1         Reserved for future use.

res2         Reserved for future use.

desc         A long description. This field should explain the purpose of the profile, including what type of user would be interested in using it. The long description should be suitable for displaying in the help text of an application.

attr         An optional list of key-value pairs separated by semicolons (;) that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. There are two valid keys, help and auths.

             The keyword help identifies a help file in HTML. Help files can be accessed from the index.html file in the /usr/lib/help/auths/locale/C directory.

             auths specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr(4) database. Authorization names may be specified using the asterisk (*) character as a wildcard.

A prof_attr database with some typical values is shown in the following example.

[Figure: prof_attr database entries with typical values; image not reproduced here]

The relationship between the prof_attr and the user_attr databases is illustrated in the following example. The Device Management profile, which is defined in the prof_attr database, is assigned to the sysadmin role in the user_attr database.

[Figure: the Device Management profile defined in prof_attr and assigned to the sysadmin role in user_attr; image not reproduced here]

The relationship between the prof_attr and the auth_attr databases is illustrated in the following example. The Device Management profile is defined in the prof_attr database as having all authorizations beginning with the solaris.device. string assigned to it. These authorizations are defined in the auth_attr database.

[Figure: the Device Management profile in prof_attr granting all auth_attr authorizations whose names begin with solaris.device.; image not reproduced here]
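The following added example (not from this guide or from Solaris itself) ties the prof_attr field layout described above to the prof_attr/auth_attr relationship: it parses colon-separated profile records, splits the semicolon-separated attr field into its help and auths keys, and expands each auths entry against a list of auth_attr names, treating a trailing asterisk as a prefix wildcard as the guide describes for solaris.device.*. The profile records and authorization names are constructed samples, and the assumption that the wildcard appears only at the end of a name is the example's own.

```python
# Added example, not from the guide: parse prof_attr records and expand each profile's
# auths against auth_attr names, honouring the trailing-* wildcard. Records are constructed.

PROF_ATTR = """\
Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
Printer Management:::Manage printers, daemons, spooling:auths=solaris.admin.printer.read,solaris.admin.printer.modify
"""

# Authorization names as they would be defined in auth_attr (constructed sample).
AUTH_ATTR_NAMES = [
    "solaris.device.allocate",
    "solaris.device.revoke",
    "solaris.admin.printer.read",
    "solaris.admin.printer.modify",
    "solaris.admin.printer.delete",
]

def parse_prof_attr(text):
    """Return {profname: {"desc": ..., "auths": [...], "help": ...}}; reject
    records without five colon-separated fields or with unknown attr keys."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError("expected profname:res1:res2:desc:attr: %r" % line)
        profname, _res1, _res2, desc, attr = fields
        entry = {"desc": desc, "auths": [], "help": None}
        for pair in filter(None, attr.split(";")):  # ';'-separated key=value pairs
            key, sep, value = pair.partition("=")
            if not sep or key not in ("help", "auths"):
                raise ValueError("profile %r: bad attr %r" % (profname, pair))
            if key == "auths":
                entry["auths"] = [a for a in value.split(",") if a]
            else:
                entry["help"] = value
        profiles[profname] = entry
    return profiles

def auth_matches(pattern, name):
    """One auths entry vs. one auth_attr name; a trailing * is a prefix wildcard."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def expand_auths(profile, auth_names=AUTH_ATTR_NAMES):
    """Concrete auth_attr names the profile grants, in auth_attr order."""
    return [n for n in auth_names if any(auth_matches(p, n) for p in profile["auths"])]
```

Because the parser rejects any attr key other than help and auths, a record that tries to smuggle in an unknown key fails loudly instead of being silently accepted.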