System Administration Guide: Security Services

Managing Device Allocation (Tasks)

You can use device allocation to decrease the security risk that is associated with various removable media.

Adding an Allocatable Device (Task Map)

The following task map describes the major steps that are required to define a new allocatable device.

Task 1. Create or change an entry in the device_allocate file
    Description: Defines which devices are controlled by the device-allocation mechanism.
    For instructions: How to Change Which Devices Can Be Allocated

Task 2. Create a lock file
    Description: Enables the device-allocation mechanism to work on a specific device. Without a lock file the device_allocate entry has no effect.
    For instructions: How to Set Up Lock Files for an Allocatable Device

Task 3. (Optional) Create a device-clean script
    Description: Purges data from a physical device.
    For instructions: Device-Clean Scripts

Task 4. Allocate the device
    Description: Reserves the device for the user who ran the allocate command; no other user can use it until it is deallocated.
    For instructions: How to Allocate a Device

Task 5. (Optional) Deallocate the device
    Description: Releases the device so that other users can allocate it.
    For instructions: How to Deallocate a Device

How to Set Up Lock Files for an Allocatable Device

The lock files are zero-length files that are created in the /etc/security/dev directory. One file is created for each allocatable device. If no lock file exists for a device, the device cannot be allocated, so no one can access the device.

  1. Become superuser or assume an equivalent role.

  2. Obtain the device name for the device from its entry in the device_maps file by using the dminfo command.

    See The device_maps File and the dminfo(1M) and device_maps(4) man pages. For example, the device name for device type st is st0. In the next step, you use the device name as the name of the lock file.

  3. Create an empty lock file for the device by using the touch command.

    Use the device name for the file name in place of device-name.


    # cd /etc/security/dev
    # touch device-name
    # chmod 600 device-name
    # chown bin device-name
    # chgrp bin device-name
    

How to Change Which Devices Can Be Allocated

This procedure defines which devices can be used with the device allocation mechanism.

  1. Become superuser or assume an equivalent role.

  2. Determine which devices are listed in the /etc/security/device_allocate file.

  3. Decide if there are devices that are not in the device_allocate file, yet should be made allocatable.

  4. Edit the device_allocate file and add the new device.

    Each entry uses the following format. The three fields between device-type and program are left empty:


    device-name;device-type;;;;program
    
    device-name

    Specifies the name of the device, as shown by dminfo (for example, st0)

    device-type

    Specifies the device type (for example, st)

    program

    Specifies the purge program (device-clean script) to be run for the device
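The two procedures above (creating the lock file and adding the device_allocate entry) are the two halves of making a device allocatable, and a device with only one half done is silently not allocatable. The following script, added here as an example and not taken from the Solaris guide, performs both steps for one device and then checks the result. The DEVICE_ALLOCATE, LOCK_DIR and LOCK_OWNER variables, the function names, and the device-clean path /etc/security/lib/st_clean used in the comment are assumptions for the example; the defaults point at the real files, so run it as superuser on a live system, or redirect the variables at scratch copies to try it out.

```sh
#!/bin/sh
# Added example, not code from the Solaris guide. Registers one allocatable
# device: appends the device_allocate entry, creates the lock file, checks both.
# Assumed (not on the page): these three variables; defaults are the real paths.

DEVICE_ALLOCATE=${DEVICE_ALLOCATE:-/etc/security/device_allocate}
LOCK_DIR=${LOCK_DIR:-/etc/security/dev}
LOCK_OWNER=${LOCK_OWNER:-bin}

# has_entry NAME: succeed if device_allocate has an entry whose first field is
# NAME. Comment and blank lines are skipped.
has_entry() {
    [ -f "$DEVICE_ALLOCATE" ] || return 1
    awk -F';' -v name="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == name { found = 1; exit }
        END { exit !found }' "$DEVICE_ALLOCATE"
}

# add_entry NAME TYPE PROGRAM: append "NAME;TYPE;;;;PROGRAM" unless NAME is
# already listed. The three middle fields stay empty, as in the guide.
add_entry() {
    case "$1$2$3" in
        *';'*) echo "fields may not contain ';'" >&2; return 2 ;;
    esac
    if has_entry "$1"; then
        echo "$1: already listed in $DEVICE_ALLOCATE" >&2
        return 1
    fi
    printf '%s;%s;;;;%s\n' "$1" "$2" "$3" >> "$DEVICE_ALLOCATE"
}

# make_lock NAME: create the zero-length lock file with mode 600. The chown to
# bin only succeeds as root; otherwise a warning is printed and the file kept.
make_lock() {
    [ -d "$LOCK_DIR" ] || { echo "$LOCK_DIR: no such directory" >&2; return 1; }
    touch "$LOCK_DIR/$1"
    chmod 600 "$LOCK_DIR/$1"
    chown "$LOCK_OWNER" "$LOCK_DIR/$1" 2>/dev/null &&
    chgrp "$LOCK_OWNER" "$LOCK_DIR/$1" 2>/dev/null ||
        echo "warning: could not set owner of $LOCK_DIR/$1 to $LOCK_OWNER" >&2
}

# lock_mode NAME: print the permission bits of the lock file, e.g. rw-------.
lock_mode() {
    ls -l "$LOCK_DIR/$1" | cut -c2-10
}

# check_device NAME: both halves must be present: a device_allocate entry and
# an empty, mode-600 lock file. A listed device with no lock file is inert.
check_device() {
    has_entry "$1" || { echo "$1: no device_allocate entry" >&2; return 1; }
    [ -f "$LOCK_DIR/$1" ] || { echo "$1: no lock file in $LOCK_DIR" >&2; return 1; }
    [ ! -s "$LOCK_DIR/$1" ] || { echo "$1: lock file is not empty" >&2; return 1; }
    [ "$(lock_mode "$1")" = "rw-------" ] ||
        { echo "$1: lock file is not mode 600" >&2; return 1; }
}

# unlocked_entries: print every device listed in device_allocate that has no
# lock file, i.e. devices an administrator believes are allocatable but are not.
unlocked_entries() {
    [ -f "$DEVICE_ALLOCATE" ] || return 0
    awk -F';' '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print $1 }' \
        "$DEVICE_ALLOCATE" |
    while read -r name; do
        [ -f "$LOCK_DIR/$name" ] || echo "$name"
    done
}

# register_device NAME TYPE PROGRAM: the whole "add an allocatable device"
# sequence, e.g. (assumed clean-script path):
#   register_device st0 st /etc/security/lib/st_clean
register_device() {
    add_entry "$1" "$2" "$3" && make_lock "$1" && check_device "$1"
}

if [ $# -eq 3 ]; then
    register_device "$@"
fi
```

After adding devices, running unlocked_entries on a live system lists any device_allocate entries that were never given a lock file, which is the most common reason a device that looks configured still refuses to allocate.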

How to Allocate a Device

  1. Become superuser or assume an equivalent role.

  2. Use the allocate command with a device that is specified by device name.


    sar1% allocate st0
    

You can also allocate a device by device type by using the -g option to the allocate command.

If the command cannot allocate the device, an error message is displayed in the console window. For a list of allocation error messages, see the allocate(1) man page.

Example—Allocating a Printer

Only the user who ran the allocate command can use the printer until it is deallocated.


    sar1% allocate /dev/lp/chestnut

How to Deallocate a Device

Deallocation enables other users to allocate and use the device when you are finished.

  1. Deallocate a device by using the deallocate command followed by the device name (or the device special file).


    sar1% deallocate st0
    

Example—Deallocating a Printer

To deallocate a printer that is named chestnut, type the following command:


# deallocate /dev/lp/chestnut

Example—Forcing a Deallocation

A device that a user has allocated is not automatically deallocated when that user's process terminates or when the user logs out. The -F option is most often needed when a user forgets to deallocate a device. Run as superuser, the following command forces the deallocation so that other users can allocate the device.


# deallocate -F st0

Example—Deallocating All Devices


Caution – You can deallocate all devices only at system initialization time.



# deallocate -I