Configuring and Administering Network Components in Oracle® Solaris 11.2


Updated: September 2014
 
 

Security Requirements for Using Profile-Based Network Configuration

The netcfgd daemon controls the repository that stores all of the network configuration information. The netcfg command, the network administration GUI, and the nwamd daemon each send requests to the netcfgd daemon to access the repository.

The current network configuration implementation uses the following authorizations to perform specific tasks:

  • solaris.network.autoconf.read – Enables the reading of network profile data, which is verified by the netcfgd daemon.

  • solaris.network.autoconf.write – Enables the writing of network profile data, which is verified by the netcfgd daemon.

  • solaris.network.autoconf.select – Enables new configuration data to be applied, which is verified by the nwamd daemon.

  • solaris.network.autoconf.wlan – Enables the writing of Known WLAN configuration data.

These authorizations are registered in the auth_attr database. See the auth_attr(4) man page.

The solaris.network.autoconf.read authorization is included in the Basic Solaris User rights profile, which is assigned to all users by default. Anyone with this authorization is therefore able to view the current state of the network and the contents of all network profiles.

Two additional rights profiles are provided: Network Autoconf User and Network Autoconf Admin. The Network Autoconf User profile has the read, select, and wlan authorizations. The Network Autoconf Admin profile adds the write authorization. The Network Autoconf User profile is assigned to the Console User profile, so by default anyone who is logged in to the console can view, enable, and disable profiles. Because the Console User profile is not assigned the solaris.network.autoconf.write authorization, a user who has only this profile cannot create or modify NCPs, NCUs, locations, or ENMs. However, a user with the Console User profile can view, create, and modify WLANs.

The netcfg and netadm commands can be used to view network profiles by anyone who has the Basic Solaris User rights profile. This profile is assigned to all users by default.

The netadm command can also be used to enable profiles by any user who has the Network Autoconf User or Console User profile. The Console User profile is automatically assigned to the user who is logged into the system from /dev/console.

To modify network profiles by using the netcfg command, you need the solaris.network.autoconf.write authorization or the Network Autoconf Admin profile.

For example, you would display the authorizations and supplementary rights profiles that are associated with the Console User rights profile as follows:

$ profiles -p "Console User" info
	name=Console User
	desc=Manage System as the Console User
	auths=solaris.system.shutdown,solaris.device.cdrw,solaris.device.mount.removable,
	solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd
	profiles=Suspend To RAM,Suspend To Disk,Brightness,
	CPU Power Management,Network Autoconf User,Desktop Removable Media User
	help=RtConsUser.html
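
The auths line above contains none of the solaris.network.autoconf.* authorizations; Console User obtains them only through the nested Network Autoconf User profile. The following script is an added example, not part of the Oracle documentation: it maps a comma-separated authorization list (on a live system, the output of the auths command for a user) to the network configuration actions described on this page. The function names has_auth and netcfg_actions and the sample lists are hypothetical, and the script assumes that an entry ending in ".*" grants every authorization under that prefix.

```shell
#!/bin/sh
# Added example, not Oracle's code. The sample lists are constructed from the
# profile descriptions on this page.

# has_auth LIST AUTH: succeed if the comma-separated LIST grants AUTH.
# Assumption: an entry ending in ".*" grants everything under that prefix.
# The body runs in a subshell so the IFS and noglob changes do not leak.
has_auth() (
    list=$(printf '%s' "$1" | tr -d ' \t\n')   # tolerate wrapped output
    want=$2
    set -f                                     # keep "*" entries literal
    IFS=','
    for granted in $list; do
        case $granted in
            "$want") exit 0 ;;
            *'.*')
                prefix=${granted%\*}           # e.g. "solaris.network."
                case $want in "$prefix"*) exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# netcfg_actions LIST: print the actions that the page ties to each
# solaris.network.autoconf.* authorization found in LIST.
netcfg_actions() {
    out=
    for pair in read:view write:modify select:enable wlan:wlan; do
        if has_auth "$1" "solaris.network.autoconf.${pair%%:*}"; then
            out="$out${out:+ }${pair#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample inputs.
BASIC_USER='solaris.network.autoconf.read'
AUTOCONF_USER='solaris.network.autoconf.read,solaris.network.autoconf.select,solaris.network.autoconf.wlan'
AUTOCONF_ADMIN="$AUTOCONF_USER,solaris.network.autoconf.write"
CONSOLE_DIRECT='solaris.system.shutdown,solaris.device.cdrw'   # direct auths only
WILDCARD='solaris.device.cdrw,solaris.network.*'

for name in BASIC_USER AUTOCONF_USER AUTOCONF_ADMIN CONSOLE_DIRECT WILDCARD; do
    eval "list=\$$name"
    printf '%-15s %s\n' "$name" "$(netcfg_actions "$list")"
done
```

A wildcard entry such as the constructed WILDCARD sample grants the write authorization without naming it, so an audit that searches only for the literal string solaris.network.autoconf.write would miss it.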