Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Listing Rights and Their Definitions

The commands in this section enable you to find rights that are defined on the system, and list the rights that are in effect on a user's process.

Listing All Rights Assigned to a User


Note -  useradm is the CLI for the User Manager GUI. Load the useradm package to access this command.
  • useradm list username – Lists the direct rights assignments of username

  • useradm list -S [files|ldap] username – Lists the direct rights assignments of username in the specified naming service.

  • useradm list -q qualifier username – Lists the qualified attributes of username

Example 56  Listing a User's Rights in LDAP

This user has different rights in LDAP and in files. For comparison, see Example 57, Listing a Local User's Rights.

$ useradm list -S ldap jdoe
inactive = 0
userID = 1234
groupName = staff
defaultShell = /bin/bash
username = jdoe
description = Jane Doe
groups  =
        docusers
        test_src
        web_publish
accountStatus = Unknown
homeDirectory = /home/jdoe
groupID = 123
Example 57  Listing a Local User's Rights

This user has different rights in files and in LDAP. For comparison, see Example 56, Listing a User's Rights in LDAP.

$ useradm -S files jdoe
inactive = 0
Profiles  =
        Compliance Assessor
userID = 1234
groupName = staff
defaultShell = /bin/bash
username = jdoe
description = Jane Doe
accountStatus = Unknown
homeDirectory = /home/jdoe
groupID = 123

Listing Authorizations

  • auths – Lists the current user's authorizations

  • auths list – Lists the current user's authorizations, one authorization per line

  • auths list -u username – Lists the authorizations for username

  • auths list -x – Lists the current user's authorizations that require authentication

  • auths list -xu username – Lists the username's authorizations that require authentication

  • auths info – Lists all authorization names in the naming service

  • getent auth_attr – Lists the full definition of all authorizations in the naming service

Example 58  Listing All Authorizations
$ auths info
    solaris.account.activate
    solaris.account.setpolicy
    solaris.admin.edit
...
    solaris.zone.login
    solaris.zone.manage
Example 59  Listing the Content of the Authorizations Database
$ getent auth_attr | more
solaris.:::All Solaris Authorizations::
solaris.account.:::Account Management::
...
solaris.zone.login:::Zone Login::
solaris.zone.manage:::Zone Deployment::
Example 60  Listing the Default Authorizations of Users

The following authorizations are included in the rights profiles that are assigned to all users by default.

$ auths
solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq
solaris.network.autoconf.read,solaris.admin.wusb.read
solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd

Listing Rights Profiles

  • profiles – Lists the current user's rights profiles

  • profiles -a – Lists all rights profiles names

  • profiles -l – Lists the full definition of the current user's rights profiles

  • profiles username – Lists the rights profiles for username

  • profiles -x – Lists the current user's rights profiles that require authentication

  • profiles -x username – Lists the username's rights profiles that require authentication

  • profiles -p profile-name info – Pretty prints the contents of specified rights profile

  • getent prof_attr – Lists the full definition of all rights profiles in the naming service

Example 61  Listing the Names of All Rights Profiles
$ profiles -a
        Console User
        CUPS Administration
        Desktop Removable Media User
...
        VSCAN Management
        WUSB Management
Example 62  Listing the Contents of the Rights Profiles Database
$ getent prof_attr | more
All:::Execute any command as the user or role:
Audit Configuration:::Configure Solaris Audit:auths=solaris.smf.value.audit;
...
Zone Management:::Zones Virtual Application Environment Administration:
Zone Security:::Zones Virtual Application Environment Security:auths=solaris.zone.*,
solaris.auth.delegate;...
Example 63  Listing the Default Rights Profiles of Users

List your rights profiles. The following rights profiles are assigned to all users by default.

$ profiles
Basic Solaris User
All
Example 64  Listing the Rights Profiles of the Initial User

The initial user is assigned several rights profiles.

$ profiles Initial user
System Administrator
Audit Review
...
CPU Power Management
Basic Solaris User
All

To show all the security attributes that are assigned to the initial user's profiles, use the –l option.

$ profiles -l Initial user | more
Initial user:
System Administrator
	profiles=Install Service Management,Audit Review,Extended Accounting 
Flow Management,Extended Accounting Net Management,Extended Accounting Process 
Management,Extended Accounting Task Management,Printer Management,Cron Management,
Device Management,File System Management,Log Management,Mail Management,
Maintenance and Repair,Media Catalog,Name Service Management,Network Management,
Project Management,RAD Management,Service Operator,Shadow Migration Monitor,
Software Installation,System Configuration,User Management,ZFS Storage Management
          /usr/sbin/gparted          uid=0
Install Service Management
	auths=solaris.autoinstall.service
	profiles=Install Manifest Management,Install Profile Management,
Install Client Management
...
Example 65  Listing the Contents of an Assigned Rights Profile

The initial user lists the rights that are granted by the Audit Review profile.

$ profiles -l
Audit Review
  solaris.audit.read
  
  /usr/sbin/auditreduce  euid=0
  /usr/sbin/auditstat    privs=proc_audit
  /usr/sbin/praudit      privs=file_dac_read
Example 66  Listing the Security Attributes of a Command in a Rights Profile

This variant of the profiles command is useful for viewing the security attributes of a command in a rights profile that is not assigned to you.

First, list the commands in the profile.

$ profiles -p "Audit Review" info
	name=Audit Review
	desc=Review Solaris Auditing logs
	cmd=/usr/sbin/auditreduce
	cmd=/usr/sbin/auditstat
	cmd=/usr/sbin/praudit

Then, list the security attributes of one of the commands in the profile.

$ profiles -p "Audit Review" "select cmd=/usr/sbin/praudit ; info; end;"
select: command is read-only
	id=/usr/sbin/praudit
	privs=file_dac_read
end: command is read-only
Example 67  Listing the Contents of Rights Profiles That Are Recently Created

The –less option displays the most recently added rights profiles first. This variant of the profiles command is useful when you create or modify rights profiles at your site. The following output shows the contents of the profile that was added in Example 38, Assigning Security Attributes to a Legacy Application. A regular user can run this command.

$ profiles -la | less
LegacyApp
          /opt/legacy-app/bin/legacy-cmd 
                                     euid=0
OpenLDAP...

Listing Roles

  • roles – Lists the current user's roles

  • roles username – Lists the roles for username

  • logins -r – Lists all available roles

Example 68  Listing Your Assigned Roles

The root role is assigned to the initial user by default. No roles indicates that you are not assigned a role.

$ roles
root

Listing Privileges

  • man privileges – Lists privilege definitions and their names as they are used by developers

  • ppriv -vl – Lists privilege definitions and their names as they are used by administrators

  • ppriv -vl basic – Lists names and definitions of privileges in the basic set of privileges

  • ppriv $$ – Lists the privileges in the current shell ($$)

  • getent exec_attr – Lists all commands that have security attributes (setuid or privileges) by rights profile name

$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0 ...
Example 69  Listing All Privileges and Their Definitions

The privilege format described in the privileges(7) man page is used by developers.

$ man privileges
Standards, Environments, and Macros                 privileges(7)

NAME
     privileges - process privilege model
...
     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery  of  events
         to an event endpoint.

         Allow a process to include events in the critical  event
         set  term  of  a  template  which  could be generated in
         volume by the user.
...
Example 70  Listing Privileges That Are Used in Privilege Assignment

The ppriv command lists all privileges by name. For a definition, use the –v option.

This privilege format is used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.

$ ppriv -lv | more
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
...
win_upgrade_sl
        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.
Example 71  Listing the Privileges in Your Current Shell

Every user is assigned the basic privilege set by default. The default limit set is all privileges.

The single letters in the output refer to the following privilege sets:

E

Effective privilege set

I

Inheritable privilege set

P

Permitted privilege set

L

Limit privilege set

$ ppriv $$
1200:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -v $$
1200:   -bash
flags = <none>
	E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session,sys_ib_info
	I: file_link_any,file_read,...,sys_ib_info
	P: file_link_any,file_read,...,sys_ib_info
	L: contract_event,contract_identity,...,sys_time

The double dollar sign ($$) passes the process number of the parent shell to the command. This listing does not include privileges that are restricted to commands in an assigned rights profile.

Example 72  Listing the Basic Privileges and Their Definitions
$ ppriv -vl basic
file_link_any
	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.
file_read
	Allows a process to read objects in the filesystem.
file_write
	Allows a process to modify objects in the filesystem.
net_access
	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
	Allows a process to call execve().
proc_fork
	Allows a process to call fork1()/forkall()/vfork()
proc_info
	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.
proc_session
	Allows a process to send signals or trace processes outside its
	session.
sys_ib_info
	Allows a process to perform read InfiniBand MAD (Management Datagram)
	operations.
Example 73  Listing the Commands With Security Attributes in Your Rights Profiles

The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.

$ profiles -l
  Basic Solaris User
...
   /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
     proc_lock_memory,proc_priocntl,net_privaddr
   /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
   /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
     proc_priocntl,net_privaddr
  All
   * 

Listing Qualified Attributes

  • man user_attr – Defines qualifiers of security attributes

  • getent – Lists qualified security attributes of a user or role on the system where the command is run

  • ldapaddent – Lists all qualified security attributes of a user or role

Example 74  Listing a User's Qualified Attributes on This System
system1$ getent user_attr | grep jdoe:
jdoe:system1:::lock_after_retries=no;profiles=System Administrator
Example 75  Listing All Qualified Attributes for a User in LDAP
system1$ ldapaddent -d user_attr | grep ^jdoe:
jdoe:system1:::lock_after_retries=no;profiles=System Administrator
jdoe:sysopgroup:::lock_after_retries=no;profiles=System Operator