System Administration Guide: Security Services

Device Allocation Reference

Device allocation protects removable media from unauthorized use. You can require that a user allocate a device. You can deny a user permission to use a device. Such allocation measures can protect your site from loss of data, computer viruses, and other security breaches. The following section provides information about device allocation.

Components of the Device-Allocation Mechanism

The components of the device-allocation mechanism are as follows:

The allocate, deallocate, dminfo, and list_devices commands. For more information, see Using the Device Allocation Commands.
The /etc/security/device_allocate file. See the device_allocate(4) man page.
The /etc/security/device_maps file. See the device_maps(4) man page.
A lock file in the /etc/security/dev directory for each allocatable device.
The changed attributes of the device-special files that are associated with each allocatable device.
Device-clean scripts for each allocatable device.

The device_allocate file, the device_maps file, and the lock files are local configuration files. These files are not administered as name service databases because tape drives, diskette drives, and printers connect to specific machines.

Using the Device Allocation Commands

This section describes some of the options to the allocate, deallocate, and list_devices commands that are for use by administrators. Only root or a role of equivalent power can access these options. The commands are detailed on their respective man pages.

Table 23–8 Administrative Options to the Device Allocation Commands


Command With Option	Description
`allocate` `-F` `device_special_filename`	Reallocates the specified device. This option is often used with the `-U` option to reallocate the specified device to the specified user. Without the `-U` option, the device is allocated to `root`.
`allocate` `-U` `username`	Causes the device to be allocated to the user who is specified rather than to the current user. This option allows you to allocate a device for another user, without having to assume that user's identity.
`deallocate` `-F` `device_special_filename`	Forces the deallocation of a device. Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. When a user forgets to deallocate a tape drive, you can force deallocation by using the `-F` option.
`deallocate` `-I`	Forces the deallocation of all allocatable devices. This option should be used only at system initialization.
`list_devices`	Lists all the device-special files that are associated with any device that is listed in the `device_maps` file.
`list_devices` `-U` `username`	Lists the devices that are allocatable or allocated to the user ID that is associated with the specified user name. This option allows you to check which devices are allocatable or allocated to another user.

The Allocate Error State

An allocatable device is in the allocate error state if it is owned by user bin and group bin with a device-special file mode of 0100. If a user wants to allocate a device that is in the allocate error state, you can try to force the deallocation of the device. The deallocate command with the -F option forces deallocation. Or, you can use allocate -U to assign the device to the user. Once the device is allocated, you can investigate any error messages that appear. After any problems with the device are corrected, you must use the force option, -F to clear the allocate error state from the device.

The `device_maps` File

You can examine the /etc/security/device_maps file to determine the device names, device types, and device-special files that are associated with each allocatable device. See the device_maps(4) man page. Device maps are created when you set up device allocation. A rudimentary device_maps file is created by bsmconv when the BSM is enabled. This initial device_maps file should be used only as a starting point. You can then augment and customize the device_maps file for your site.

The device_maps file defines the device-special file mappings for each device, which in many cases is not intuitive. This file allows various programs to discover which device-special files map to which devices. You can use the dminfo command, for example, to retrieve the device name, the device type, and the device-special files to specify when you set up an allocatable device. The dminfo command uses the device_maps file to report this information.

Each device is represented by a one-line entry of the form:

device-name:device-type:device-list

Lines in the device_maps file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A “#” makes a comment out of all subsequent text until the next newline not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field.

Table 23–9 Description of Fields in a device_maps Entry


Field	Description
`device-name`	Specifies the name of the device, for example `st0`, `fd0`, or `audio`. The device name that is specified here must correspond to the name of the lock file that is used in the `/etc/security/dev` directory.
`device-type`	Specifies the generic device type. The generic name is the name for the class of devices, such as `st`, `fd`, and `audio`. The `device-type` field logically groups related devices.
`device-list`	Lists of the device-special files that are associated with the physical device. The `device-list` must contain all of the special files that allow access to a particular device. If the list is incomplete, a malevolent user can still obtain or modify private information. Valid entries for the `device-list` field are either the real device files located under `/devices` or the symbolic links that are in `/dev`. The symbolic links in the `/dev` directory are provided for binary compatibility.

The following is an example of entries in a device_maps file for SCSI tape st0 and diskette fd0.

fd0:\
	fd:\
	/dev/fd0 /dev/fd0a /dev/fd0b /dev/rfd0 /dev/rfd0a /dev/rfd0b:\
					.
					.
					.
st0:\
	st:\
	/dev/rst0 /dev/rst8 /dev/rst16 /dev/nrst0 /dev/nrst8 /dev/nrst16:\

The `device_allocate` File

You can modify the device_allocate file to change devices from allocatable to nonallocatable, or to add new devices. A sample device_allocate file follows.

st0;st;;;;/etc/security/lib/st_clean
fd0;fd;;;;/etc/security/lib/fd_clean
sr0;sr;;;;/etc/security/lib/sr_clean
audio;audio;;;*;/etc/security/lib/audio_clean

You define which devices should be allocatable during initial BSM configuration. You can decide to accept the default devices and their defined characteristics, as shown in the preceding sample device_allocate file. Whenever you add a device to any machine after the system is up and running, you must decide whether to make the new device allocatable.

After installation, you can modify the entries for devices in the device_allocate file. Any device that needs to be allocated before use must be defined in the device_allocate file on each machine. Currently, cartridge tape drives, diskette drives, CD-ROM devices, and audio chips are considered allocatable. These device types have device-clean scripts.

Note –

Xylogics^TM tape drives or Archive tape drives also use the st_clean script that is supplied for SCSI devices. You need to create your own device-clean scripts for other devices, such as modems, terminals, graphics tablets, and other allocatable devices. The script must fulfill object-reuse requirements for that type of device.

An entry in the device_allocate file does not mean that the device is allocatable, unless the entry specifically states that the device is allocatable. In the sample device_allocate file, note the asterisk (*) in the fifth field of the audio device entry. An asterisk in the fifth field indicates to the system that the device is not allocatable. That is, the system administrator does not require a user to allocate the device before it is used nor to deallocate it afterward. Any other string placed in this field indicates that the device is allocatable.

In the device_allocate file, you represent each device by a one-line entry of the form:

device-name;device-type;reserved;reserved;alloc;device-clean

For example, the following line shows the entry for device name st0:

st0;st;;;;;/etc/security/lib/st_clean

Lines in the device_allocate file can end with a “\” to continue an entry on the next line. Comments can also be included. A “#” makes a comment out of all subsequent text until the next newline not immediately preceded by a “\”. Leading and trailing blanks are allowed in any field.

The following table describes each field in the device_allocate file.

Table 23–10 Description of Fields in a device_allocate Entry


Field	Description
`device-name`	Specifies the name of the device, for example, `st0`, `fd0`, or `sr0`. When you make a device allocatable, retrieve the `device-name` from the `device-name` field in the `device_maps` file. You can also use the `dminfo` command. Note that the name is also the DAC file name for the device.
`device-type`	Specifies the generic device type. The generic name is the name for the class of devices, such as `st`, `fd`, and `sr`. This field groups related devices. When you make an allocatable device, retrieve the `device-type` from the `device-type` field in the `device_maps` file, or use the `dminfo` command.
`reserved`	Sun reserves the two fields that are marked `reserved` for future use.
`alloc`	Specifies whether the device is allocatable. An asterisk () in this field indicates that the device is not* allocatable. Any other string, or an empty field, indicates that the device is allocatable.
`device-clean`	Supplies the path name of a script to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process. The `device-clean` script is run any time that the device is acted on by the `deallocate` command, such as when a device is forcibly deallocated with `deallocate` `-F`.

Device-Clean Scripts

The device-clean scripts address the security requirement that all usable data be purged from a physical device before reuse. By default, cartridge tape drives, diskette drives, CD-ROM devices, and audio devices require device-clean scripts, which are provided. This section describes what device-clean scripts do.

Object Reuse

Device allocation satisfies part of the object-reuse requirement. The device-clean scripts make sure that data that is left on a device by one user is cleared. The data is cleared before the device is allocatable by another user.

Device-Clean Script for Tapes

The st_clean device-clean script supports three tape devices. The supported tape devices are as follows:

SCSI 1/4-inch tape
Archive 1/4-inch tape
Open-reel 1/2-inch tape

The st_clean script uses the rewoffl option to the mt command to affect the device cleanup. For more information, see the mt(1) man page. If the script runs during system boot, the script queries the device. The script determines if the device is online. If the device is online, the script determines if the device has media in it. The 1/4-inch tape devices that have media in them are placed in the allocate error state. The allocate error state forces the administrator to clean up the device manually.

During normal system operation, when the allocate or deallocate command is executed in interactive mode, the user is prompted to remove the media. The script pauses until the media is removed from the device.

Device-Clean Scripts for Diskettes and CD-ROM Devices

The following table shows the device-clean scripts for diskettes and CD-ROM devices.

Table 23–11 Device-Clean Scripts for Diskettes and CD-ROM Devices


Disk Device Type	Device-Clean Script
Diskette	`fd_clean`
CD-ROM	`sr_clean`

The scripts use the eject command to remove the media from the drive. See the eject(1) man page. If the eject command fails, the device is placed in the allocate error state.

Device-Clean Script for Audio

Audio devices are cleaned up with an audio-clean script. The script performs an AUDIO_DRAIN ioctl system call to flush the device. The script then performs an AUDIO_SETINFO ioctl system call to reset the device configuration to the default. In addition, the script retrieves the audio chip registers by using the AUDIOGETREG ioctl system call. Any registers that deviate from the default settings are reset by using the AUDIOSETREG ioctl system call.

Writing New Device-Clean Scripts

If you add more allocatable devices to the system, you might need to create your own device-clean scripts. The deallocate command passes a parameter to the device-clean scripts. The parameter, shown here, is a string that contains the device name. See the device_allocate(4) man page for more information.

st_clean -[I|F|S] device-name

Device-clean scripts must return “0” for success and greater than “0” for failure. The options -I, -F, and -S help the script determine its running mode. The following table describes the options.

Table 23–12 Options for Device-Clean Scripts


Option	Description
`-I`	The `-I` option is needed during system boot only. All output must go to the system console. Failure or inability to forcibly eject the media must put the device in the allocate error state.
`-F`	The `-F` option is for forced cleanup. The option is interactive. The option assumes that the user is available to respond to prompts. A script with this option must attempt to complete the cleanup if one part of the cleanup fails.
`-S`	The `-S` option is for standard cleanup. The option is interactive. The option assumes that the user is available to respond to prompts.

How the Device Allocation Mechanism Works

This section gives an example of how the device-allocate mechanism works.

The allocate command first checks for the presence of a lock file under the device name for the specified device in the /etc/security/dev directory. If the file is owned by allocate, then the ownership of the lock file is changed to the name of the user who initiated the allocate command.

The allocate command then checks for an entry for the device in the device_allocate file. The command further checks that the entry shows that the device as allocatable.

The first listing in the following example shows that a lock file exists with owner bin, group bin, and mode 600 for the st0 device in /etc/security/dev. The second listing shows that the associated device-special files are set up properly, with owner bin, group bin, and mode 000.

untouchable% ls -lg /etc/security/dev/st0
-rw------- 1 bin bin      		      0 Dec 6 15:21 /etc/security/dev/st0
untouchable% ls -lg /devices/sbus@1,f8000000/esp@0,800000
c--------- 1 bin bin		       18,  4 May 12 13:11 st@4,0:
c--------- 1 bin bin	       18, 20 May 12 13:11 st@4,0:b
c--------- 1 bin bin	       18, 28 May 12 13:11 st@4,0:bn
c--------- 1 bin bin	       18, 12 May 12 13:11 st@4,0:c
					 .
					 .
					 .
c--------- 1 bin bin	       18,  0 May 12 13:11 st@4,0:u
c--------- 1 bin bin	       18, 16 May 12 13:11 st@4,0:ub
c--------- 1 bin bin	       18, 24 May 12 13:11 st@4,0:ubn
c--------- 1 bin bin	       18,  8 May 12 13:11 st@4,0:un

In this example, the user vanessa allocates device st0.

untouchable% whoami
vanessa
untouchable% allocate st0

When the user vanessa runs the allocate command to allocate the tape st0, allocate first checks for the existence of an /etc/security/dev/st0 file. If no lock file exists or if the lock file is owned by a user other than allocate, then user vanessa could not allocate the device.

If the allocate command finds the lock file for the device with the correct ownership and permissions, the command then checks to make sure that the device has an entry in the device_allocate file. The command also checks that the entry specifies that the device is allocatable.

In this example, the default device_allocate entry for the st0 device specifies that the device is allocatable. Because the allocate command finds that all these conditions are met, the device is allocated to user vanessa.

The allocate command changes the ownership and permissions of the device-special files that are associated with the device in the /dev directory. To allocate the st0 device to the user vanessa, the mode on its associated device-special files is changed to 600 and the owner is changed to vanessa.

The allocate command also changes the ownership of the lock file that is associated with the device in the /etc/security/dev directory. To allocate the st0 device to the user vanessa, the owner of /etc/security/dev/st0 is changed to vanessa.

In the following example, after the user vanessa executes the allocate command with the device name st0, the owner of /etc/security/dev/st0 is changed to vanessa and the owner of the associated device-special files is now also vanessa. Lastly, user vanessa now has permission to read and write the files.

untouchable% whoami
vanessa
untouchable% allocate st0
untouchable% ls -lg /etc/security/dev/st0
-rw------- 1 vanessa staff 		      0 Dec 6 15:21 /etc/security/dev/st0
untouchable% ls -la /devices/sbus@1,f8000000/esp@0,800000
.
.
.
crw------- 1 vanessa 18,  4 May 12 13:11 st@4,0:
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:b
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:bn
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:c
.
.
.
crw------- 1 vanessa 18,  4 May 12 13:11 st@4,0:u
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:ub
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:ubn
crw------- 1 vanessa 18, 12 May 12 13:11 st@4,0:un