Network Configuration Security and Authorizations

Security for reactive network configuration encompasses the following components:

• CLI (netcfg and netadm commands)

• Network administration GUI

• Network profile repository daemon (netcfgd)

• Network management daemon (nwamd)

• Network configuration management library (libnwam)

The netcfgd daemon controls the repository where all of the network configuration information is stored. The netcfg command, the network administration GUI, and the nwamd daemon send requests to the netcfgd daemon to access the repository. These functional components make requests through the network configuration management library, libnwam.

Authorizations and Profiles Related to Network Configuration

The current network configuration implementation uses the following authorizations to perform specific tasks:

• solaris.network.autoconf.read – Enables the reading of network profile data, which is verified by the netcfgd daemon

• solaris.network.autoconf.write – Enables the writing of network profile data, which is verified by the netcfgd daemon

• solaris.network.autoconf.select – Enables new configuration data to be applied, which is verified by the nwamd daemon

• solaris.network.autconf.wlan – Enables the writing of known WLAN configuration data

These authorizations are registered in the auth_attr database. For more information, see the auth_attr(4) man page.

The solaris.network.autoconf.read authorization is included in the Basic Solaris User rights profile, which is assigned to all users by default. Any user with this authorization is therefore able to view the current network state and the contents of all network profiles.

Two additional rights profiles are provided: Network Autoconf User and Network Autoconf Admin. The Network Autoconf User profile has read, select, and wlan authorizations. The Network Autoconf Admin profile adds the write authorization. The Network Autoconf User profile is assigned to the Console User profile. Therefore, by default, anyone who is logged in to the console can view, enable, and disable profiles. Because the Console User profile is not assigned the solaris.network.autoconf.write authorization, any user with this authorization cannot create or modify NCPs, NCUs, locations, or ENMs. However, the Console User profile can view, create, and modify WLANs.

Authorizations Required to Use the User Interfaces

The netcfg and netadm commands can be used to view network profiles by any user who has the Basic Solaris User rights profile. This profile is assigned to all users by default.

The netadm command can also be used to enable network profiles by any user who has the Network Autoconf User or Console User profile. The Console User profile is automatically assigned to the user who is logged in to the system from /dev/console.

To modify network profiles by using the netcfg command, you need the solaris.network.autoconf.write authorization or the Network Autoconf Admin profile.

You can determine the privileges that are associated with a rights profile by using the profiles command with the profile name. For more information, see the profiles(1) man page.

For example, to determine privileges that are associated with the Console User rights profile, use the following command:

$ profiles -p "Console User" info
Found profile in files repository.
    name=Console User
    desc=Manage System as the Console User
    auths=solaris.system.shutdown,solaris.device.cdrw,solaris.smf.manage.vbiosd,
    solaris.smf.value.vbiosd
    profiles=Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,
    Network Autoconf User,Desktop Removable Media User
    help=RtConsUser.html

The network administration GUI includes the following components, which are not privileged. These components are granted authorizations, depending on how they are started and the tasks they need to perform.

• Network configuration and status panel presence

  This component is the panel applet in the desktop that enables a user to interact with the network configuration. The panel can be run by any user and is used to monitor the autoconfiguration of the system and handle event notifications. The panel can also be used to perform some basic network configuration tasks, for example, selecting a WiFi network or manually switching locations. To perform these types of tasks, the Network Autoconf User rights profile is required. This rights profile is available in the default configuration, because the panel is running with the authorizations of the user who is logged in from /dev/console, and hence has the Console User profile.

• Network administration GUI

  The network administration GUI (previously known as NWAM GUI) is the primary means for interacting with the network configuration from the desktop. The GUI is used to view the network status, to create and modify NCPs and Location profiles, and to start and stop configured ENMs. Interaction with the GUI requires four of the solaris.network.autoconf authorizations or the Network Autoconf Admin profile. By default, the Console User profile has sufficient authorizations to view the network status and profiles by using the GUI. In addition, you require the solaris.network.autoconf.write authorization or the Network Autoconf Admin profile to modify profiles by using the GUI.

You can obtain additional authorizations in one of the following ways:

• Assign the Network Autoconf Admin profile to a specific user.

  You can assign appropriate authorizations, or rights profiles, directly to a given user by editing the /etc/user_attr file for that user.

• Assign the Network Autoconf Admin profile to the Console User profile.

  You can assign this profile to the Console User profile instead of the Network Autoconf User profile that is assigned by default. To assign this profile, edit the entry in the /etc/security/prof_attr file.