JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Administrator's Procedures     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


1.  Trusted Extensions Administration Concepts

2.  Trusted Extensions Administration Tools

3.  Getting Started as a Trusted Extensions Administrator (Tasks)

4.  Security Requirements on a Trusted Extensions System (Overview)

5.  Administering Security Requirements in Trusted Extensions (Tasks)

6.  Users, Rights, and Roles in Trusted Extensions (Overview)

7.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

8.  Remote Administration in Trusted Extensions (Tasks)

9.  Trusted Extensions and LDAP (Overview)

10.  Managing Zones in Trusted Extensions (Tasks)

11.  Managing and Mounting Files in Trusted Extensions (Tasks)

12.  Trusted Networking (Overview)

13.  Managing Networks in Trusted Extensions (Tasks)

14.  Multilevel Mail in Trusted Extensions (Overview)

15.  Managing Labeled Printing (Tasks)

16.  Devices in Trusted Extensions (Overview)

17.  Managing Devices for Trusted Extensions (Tasks)

18.  Trusted Extensions Auditing (Overview)

19.  Software Management in Trusted Extensions (Tasks)

Adding Software to Trusted Extensions

Oracle Solaris Security Mechanisms for Software

Evaluating Software for Security

Developer Responsibilities When Creating Trusted Programs

Security Administrator Responsibilities for Trusted Programs

Trusted Processes in the Window System

Adding Trusted CDE Actions

Managing Software in Trusted Extensions (Tasks)

How to Add a Software Package in Trusted Extensions

How to Install a Java Archive File in Trusted Extensions

A.  Quick Reference to Trusted Extensions Administration

B.  List of Trusted Extensions Man Pages


Trusted Processes in the Window System

In Solaris Trusted Extensions (CDE), the following window system processes are trusted:

The window system's trusted processes are available to everyone, but access to administrative actions is restricted to roles in the global zone.

In the File Manager, if an action is not in one of the account's profiles, the icon for the action is not visible. In the Workspace Menu, if an action is not in one of the account's profiles, the action is visible, but an error displays if the action is invoked.

In Trusted CDE, the window manager, dtwm, calls the Xtsolusersession script. This script works with the window manager to invoke actions that are started from the window system. The Xtsolusersession script checks the account's rights profiles when the account attempts to launch an action. In either case, if the action is in an assigned rights profile, the action is run with the security attributes that are specified in the profile.

Adding Trusted CDE Actions

The process of creating and using CDE actions in Trusted Extensions is similar to the process in the Oracle Solaris OS. Adding actions is described in the Chapter 4, Adding and Administering Applications, in Solaris Common Desktop Environment: Advanced User’s and System Administrator’s Guide.

As in the Oracle Solaris OS, the use of actions can be controlled by the rights profile mechanism. In Trusted Extensions, several actions have been assigned security attributes in the rights profiles of administrative roles. The security administrator can also use the Rights tool to assign security attributes to new actions.

The following table summarizes the main differences between an Oracle Solaris system and a Trusted Extensions system when you create and use actions.

Table 19-1 Constraints on CDE Actions in Trusted Extensions

Oracle Solaris CDE Actions
Trusted CDE Actions
New actions can be created by anyone within the originator's home directory.

A new action is automatically usable by its creator.

An action is usable only if the action is in a rights profile that is assigned to the user. The search path for actions differs. Actions in a user's home directory are processed last instead of first. Therefore, no one can customize existing actions.
Users can create a new action in their home directory, but the action might not be usable.
Users with the All profile can use an action that they create. Otherwise, the security administrator must add the name of the new action to one of the account's rights profiles.
To start the action, the user uses the File Manager. The system administrator can place actions in public directories.
Actions can be dragged and dropped to the Front Panel.
The Front Panel is part of the trusted path. The window manager recognizes only the administratively added actions that are located in the /usr/dt and /etc/dt subdirectories. Even with the All profile, a user cannot drag a new action to the Front Panel. Actions from a user's home directory are not recognized by the window manager. The manager only checks the public directories.
Actions can do privileged operations if they are run by root.
Actions can do privileged operations if the actions have been assigned privileges in a rights profile that has been assigned to a user.
Actions are not managed by the Solaris Management Console.
Actions are assigned to rights profiles in the Rights tool of the Solaris Management Console. If new actions are added, the security administrator can make the new actions available.