Solaris 7 Security Features

Most of the security features from SunOS release 4.x systems are also available in the Solaris 7 operating environment. These include:

• Internet security

• .rhosts and.rhosts.equiv files

• Secure RPC and NFS

RPC has been modified based on the GSS-API. This increases security integrity and confidentiality, and NFS services are no longer tied to a specific or a single security mechanism. Also, NIS+ enhances NIS+ security by increasing the authentication key length from 192 bits to 640 bits.

NFS Administration Guide documents secure NFS and the .rhosts files. TCP/IP and Data Communications Administration Guide describes administering Internet security.

Security for local SunOS release 5.7 systems includes storing encrypted passwords in a separate file, controlling login defaults, and restricted shells. Equivalent NIS+ security, described in NIS+ Transition Guide and NFS Administration Guide, controls network-wide access to systems.

The subsections below summarize security features under local system control.

/etc/passwd and /etc/shadow Files

The SunOS release 5.7 passwd command stores encrypted versions of passwords in a separate file, /etc/shadow, and allows only root access to it. This prevents general access to the encrypted passwords that formerly appeared in the /etc/passwd file, which anyone could read.

The /etc/shadow file also includes entries that force password aging for individual user login accounts. The mechanism for changing entries to the passwd and shadow files is described in System Administration Guide, Volume II.

/etc/default Files

Several files that control default system access are stored in the /etc/default directory. These files limit access to specific systems on a network. Table 5-1 summarizes the files in the /etc/default directory.

Table 5-1 Files in /etc/default Directory

/etc/default/login	Controls system login policies, including root access. The default is to limit root access to the console.
/etc/default/passwd	Controls default policy on password aging
/etc/default/su	Controls which root (su) access to the system will be logged and where it will be displayed

Restricted Shells

System administrators can use restricted versions of the Korn shell (rksh) and Bourne shell (rsh) to limit the operations allowed for a particular user account.

Restricted shells do not allow the following operations:

• Changing directories

• Setting the $PATH variable

• Specifying path or command names beginning with "/"

• Redirecting output

See the ksh and sh man pages for a description of these shells.

Note that the restricted shell and the remote shell have the same command name (rsh) with different path names:

• /usr/lib/rsh is the restricted shell

• /usr/bin/rsh is the remote shell