Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Commands for Administering Rights

This section lists commands that are used to administer rights. It also includes a table of commands whose access can be controlled by authorizations.

Commands That Manage Authorizations, Rights Profiles, and Roles

The commands listed in the following table retrieve and set rights on user processes.

Table 3  Rights Administration Commands
Command
Description
SMF stencil for system security policy.
Displays authorizations for a user. Creates new authorizations.
Lists the contents of the rights databases.
Name service cache daemon, useful for caching the rights databases. Use the svcadm command to restart the daemon.
Role account management module for PAM. Checks for the authorization to assume a role.
UNIX account management module for PAM. Checks for account restrictions, such as time restrictions and inactivity.
Used to create a profile shell process that can evaluate rights.
Used to edit administrative files.
Used to execute a command with security attributes.
Displays rights profiles for a specified user. Creates or modifies a rights profile.
Displays roles that a specified user can assume.
Adds a role to a local system or to an LDAP network.
Adds a role to a local system or to an LDAP network.
Modifies a role's properties on a local system or on an LDAP network.
Displays the value of a specific right that is assigned to a user or role account.
Displays all the rights that are directly assigned to a user or role account. Requires installation of the useradm package.
Adds a user account to the system or to an LDAP network. The –R option assigns a role to a user's account.
Deletes a user's login from the system or from an LDAP network.
Modifies a user's account properties on the system.

Selected Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorizations Reference.

Table 4  Commands and Associated Authorizations
Command
Authorization Requirements
solaris.jobs.user required for all options (when neither at.allow nor at.deny files exist)
solaris.jobs.admin required for all options
solaris.device.cdrw required for all options, which is granted by default in the policy.conf file
solaris.jobs.user required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist)
solaris.jobs.admin required for the options to list or modify other users' crontab files
solaris.device.allocate (or other authorization as specified in device_allocate file) required to allocate a device
solaris.device.revoke (or other authorization as specified in device_allocate file) required to allocate a device to another user (–F option)
solaris.device.allocate (or other authorization as specified in device_allocate file) required to deallocate another user's device
solaris.device.revoke (or other authorization as specified in device_allocate) required to force deallocation of the specified device (–F option) or all devices (–I option)
solaris.device.revoke required to list another user's devices (–U option)
solaris.user.manage required to create a role. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
solaris.passwd.assign authorization required to delete the password.
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail queue
solaris.user.manage required to create a user. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
solaris.passwd.assign authorization required to delete the password.
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.