Commands for Administering Rights
This section lists commands that are used to administer rights. It also includes a table
of commands whose access can be controlled by authorizations.
Commands That Manage Authorizations, Rights Profiles, and Roles
The commands listed in the following table retrieve and set rights on user
processes.
Table 3 Rights Administration Commands
|
|
|
SMF stencil for system security policy.
|
|
Displays authorizations for a user. Creates new authorizations.
|
|
Lists the contents of the rights databases.
|
|
|
|
Name service cache daemon, useful for caching the rights databases.
Use the svcadm command to restart the daemon.
|
|
Role account management module for PAM. Checks for the authorization
to assume a role.
|
|
UNIX account management module for PAM. Checks for account
restrictions, such as time restrictions and inactivity.
|
|
Used to create a profile shell process that can evaluate
rights.
|
|
Used to edit administrative files.
|
|
Used to execute a command with security attributes.
|
|
Displays rights profiles for a specified user. Creates or modifies a
rights profile.
|
|
Displays roles that a specified user can assume.
|
|
Adds a role to a local system or to an LDAP network.
|
|
Adds a role to a local system or to an LDAP network.
|
|
Modifies a role's properties on a local system or on an LDAP
network.
|
|
Displays the value of a specific right that is assigned to a user or
role account.
|
|
Displays all the rights that are directly assigned to a user or role
account. Requires installation of the useradm package.
|
|
Adds a user account to the system or to an LDAP network. The
–R option assigns a role to a user's account.
|
|
Deletes a user's login from the system or from an LDAP network.
|
|
Modifies a user's account properties on the system.
|
|
Selected Commands That Require Authorizations
The following table provides examples of how authorizations are used to limit command
options on an Oracle Solaris system. For more discussion of authorizations, see Authorizations Reference.
Table 4 Commands and Associated Authorizations
|
|
|
solaris.jobs.user required for all options (when
neither at.allow nor at.deny files
exist)
|
|
solaris.jobs.admin required for all options
|
|
solaris.device.cdrw required for all options, which
is granted by default in the policy.conf file
|
|
solaris.jobs.user required for the option to submit
a job (when neither crontab.allow nor
crontab.deny files exist)
solaris.jobs.admin required for the options to list or
modify other users' crontab files
|
|
solaris.device.allocate (or other authorization as
specified in device_allocate file) required to allocate a
device
solaris.device.revoke (or other authorization as
specified in device_allocate file) required to allocate a
device to another user ( –F option)
|
|
solaris.device.allocate (or other authorization as
specified in device_allocate file) required to deallocate
another user's device
solaris.device.revoke (or other authorization as specified
in device_allocate) required to force deallocation of the
specified device (–F option) or all devices (–I
option)
|
|
solaris.device.revoke required to list another
user's devices ( –U option)
|
|
solaris.user.manage required to create a role.
solaris.account.activate required to set the initial
password. solaris.account.setpolicy required to set password policy, such as account locking
and password aging.
|
|
solaris.passwd.assign authorization required to delete the
password.
|
|
solaris.passwd.assign authorization required to change the
password. solaris.account.setpolicy required to change password
policy, such as account locking and password aging.
|
|
solaris.mail required to access mail subsystem
functions; solaris.mail.mailq required to view mail
queue
|
|
solaris.user.manage required to create a user.
solaris.account.activate required to set the initial
password. solaris.account.setpolicy required to set password
policy, such as account locking and password aging.
|
|
solaris.passwd.assign authorization required to delete the
password.
|
|
solaris.passwd.assign authorization required to change the
password. solaris.account.setpolicy required to change password
policy, such as account locking and password aging.
|
|