JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Developer's Guide to Oracle Solaris Security     Oracle Solaris 11 Express 11/10
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

1.  Oracle Solaris Security for Developers (Overview)

2.  Developing Privileged Applications

Privileged Applications

About Privileges

How Administrators Assign Privileges

How Privileges Are Implemented

Permitted Privilege Set

Inheritable Privilege Set

Limit Privilege Set

Effective Privilege Set

Compatibility Between the Superuser and Privilege Models

Privilege Categories

Programming with Privileges

Privilege Data Types

Privilege Interfaces

setppriv(): for Setting Privileges

priv_str_to_set() for Mapping Privileges

Privilege Coding Example

Privilege Bracketing in the Superuser Model

Privilege Bracketing in the Least Privilege Model

Guidelines for Developing Privileged Applications

About Authorizations

3.  Writing PAM Applications and Services

4.  Writing Applications That Use GSS-API

5.  GSS-API Client Example

6.  GSS-API Server Example

7.  Writing Applications That Use SASL

8.  Introduction to the Oracle Solaris Cryptographic Framework

9.  Writing User-Level Cryptographic Applications and Providers

10.  Introduction to the Oracle Solaris Key Management Framework

A.  Sample C-Based GSS-API Programs

B.  GSS-API Reference

C.  Specifying an OID

D.  Source Code for SASL Example

E.  SASL Reference Tables

F.  Packaging and Signing Cryptographic Providers

Glossary

Index

About Authorizations

Authorizations are stored in the /etc/security/auth_attr file. To create an application that uses authorizations, take the following steps:

  1. Scan the /etc/security/auth_attr for one or more appropriate authorizations.

  2. Check for the required authorization at the beginning of the program using the chkauthattr(3SECDB) function.

    The chkauthattr() function searches for the authorization in order in the following locations:

    • AUTHS_GRANTED key in the policy.conf(4) database – AUTHS_GRANTED indicates authorizations that have been assigned by default.

    • PROFS_GRANTED key in the policy.conf(4) database – PROFS_GRANTED indicates rights profiles that have been assigned by default. chkauthattr() checks these rights profiles for the specified authorization.

    • The user_attr(4) database – This database stores security attributes that have been assigned to users.

    • The prof_attr(4) database – This database stores rights profiles that have been assigned to users.

    If chkauthattr() cannot find the right authorization in any of these places, then the user is denied access to the program.

  3. Let the administrator know which authorizations are required for this application. You can inform the administrators through man pages or other documentation.

Example 2-3 Checking for Authorizations

The following code snippet demonstrates how the chkauthattr() function can be used to check a user's authorization. In this case, the program checks for the solaris.job.admin authorization. If the user has this authorization, the user is able to read or write to other users' files. Without the authorization, the user can operate on owned files only.

/* Define override privileges */
priv_set_t *override_privs = priv_allocset();

/* Clear privilege set before adding privileges. */
priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ,
            priv_FILE_DAC_WRITE, NULL);

priv_addset(override_privs, PRIV_FILE_DAC_READ);
priv_addset(override_privs, PRIV_FILE_DAC_WRITE);

if (!chkauthattr("solaris.jobs.admin", username)) {
    /* turn off privileges */
    setppriv(PRIV_OFF, PRIV_EFFECTIVE, override_privs);
}
/* Authorized users continue to run with privileges */
/* Other users can read or write to their own files only */
Copyright © 2000, 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next