|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: Network Interfaces and Network Virtualization Oracle Solaris 11 Express 11/10|
Security for NWAM is designed to encompass the following components:
CLI (nwamcfg and nwamadm commands)
Common repository daemon (netcfgd)
Policy engine daemon (nwamd)
NWAM library (libnwam)
The netcfgd daemon controls the repository where all of the network configuration is stored. The nwamcfg command, the NWAM GUI, and the nwamd daemon all send requests to thenetcfgd daemon to access the repository. These functional components make requests through the NWAM library, libnwam.
The nwamd daemon is the policy engine that receives system events, configures the network, and reads network configuration information. The NWAM GUI and the nwamcfg command are configuration tools that can be used to view and modify the network configuration. These components are also used to refresh the NWAM service when a new configuration needs to be applied to the system.
In the current NWAM implementation, the solaris.network.autoconf authorization is split into more specific components:
solaris.network.autoconf.read – Enables the reading of NWAM configuration data, which is verified by the netcfgd daemon
solaris.network.autoconf.write – Enables the writing of NWAM configuration data, which is verified by the netcfgd daemon
solaris.network.autoconf.select – Enables new configuration data to be applied, which is verified by the nwamd daemon
solaris.network.autconf.wlan – Enables the writing of known WLAN configuration data
These authorizations are registered in the auth_attr database. For more information, see the auth_attr(4) man page.
The initial NWAM implementation also introduced the Network Autoconf profile, which is assigned the solaris.network.autoconf authorization. There are now two profiles: Network Autoconf User and Network Autoconf Admin. The User profile has read, select, and wlan authorizations. The Admin profile adds the write authorization. The Network Autoconf User profile is assigned to the Console User profile. Therefore, by default, anyone who logged in to the console can view, enable, and disable profiles. Because the Console User is not assigned the solaris.network.autoconf.write authorization, this user cannot create or modify NCPs, NCUs, locations, or ENMs. However, the Console User can view, create, and modify WLANs.
The NWAM command-line utilities, nwamcfg and nwamadm, can be used by anyone who has Console User privileges. These privileges are automatically assigned to any user who is logged in to the system from /dev/console. For more information about the privileges that are included in the Console User profile, see Console User Rights Profile in System Administration Guide: Security Services.
The NWAM GUI includes the following three components, which are not privileged. These components are granted authorizations, depending on how they are started and the tasks they need to perform:
NWAM-specific panel presence
This component is the panel applet in the desktop that enables a user to interact with NWAM. The panel can be run by any user and is used to monitor the autoconfiguration of the system and handle event notifications. The panel can also be used to perform some basic network configuration tasks, for example, selecting a WiFi network or manually switching locations. To perform these types of tasks, the Network Autoconf user profile is required, as the panel is running with the authorizations of the user who is logged in from /dev/console, which is the case in the default configuration.
The NWAM GUI is the primary means for interacting with NWAM from the desktop. The GUI is used to view network status, create and modify NCPs and Location profiles, as well as to start and stop configured ENMs. Interaction with the GUI requires four of the solaris.network.autoconf authorizations or the Network Autoconf Admin profile. By default, the Console User profile does not include all of these authorizations. Therefore, users are required to have additional authorizations to modify NWAM configuration by using the GUI.
You can obtain additional authorization in one of the following ways:
Log in as a user who has the Primary Administrator profile assigned.
This profile includes the Solaris Autoconf Admin profile, and thus will have the additional authorizations that are required to create and modify NWAM profiles.
Edit the /etc/user_attr file of the specified user.
You can assign appropriate authorizations or profiles directly to a given user by editing the /etc/user_attr file of that user.
Assign the Solaris Autoconf Admin profile to the Console User.
You can assign this profile to the Console User instead of the Solaris Autoconf User profile that is assigned by default. To assign this profile, edit the entry in the/etc/security/prof_attr file.