Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Rights Databases

    The following databases store the data for rights in Oracle Solaris:

  • Extended user attributes database (user_attr) Associates users and roles with authorizations, privileges, and rights profiles, among other keywords.

  • Rights profile attributes database (prof_attr) Defines rights profiles and lists the profiles' assigned authorizations, privileges, and keywords

  • Authorization attributes database (auth_attr) Defines authorizations and their attributes

  • Execution attributes database (exec_attr) Identifies the commands with security attributes that are assigned to specific rights profiles

The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File. See also New Feature – Enabling the account-policy Service.

Rights Databases and the Naming Services

The name service scope of the rights databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the rights databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.

In the following output, the auth_attr, password, and prof_attr entries are not listed. Therefore, the rights databases are using the files naming service.

# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring       solaris.smf.value.name-service.switch
config/default               astring       files
config/host                  astring       "files ldap dns"
config/printer               astring       "user files ldap"

user_attr Database

The user_attr database contains user and role information that supplements the passwd and shadow databases. The attr field contains security attributes and the qualifier field contains attributes that qualify or limit the effect of security attributes to a system or group of systems.

    The security attributes in the attr field can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands. They can be set locally and in the LDAP naming scope.

  • For a user, the roles keyword assigns one or more defined roles.

  • For a role, the user value to the roleauth keyword enables the role to authenticate with the user password rather than with the role password. By default, the value is role.

  • For a user or role, the following attributes can be set:

    • access_times keyword – Specifies the days and times that specified applications and services can be accessed. For more information, see the getaccess_times(3C) man page.

    • access_tz keyword – Specifies the time zone to use when interpreting the times in access_times entries. For more information, see the pam_unix_account(7) man page.

    • annotation keyword – Specifies whether to prompt the user to annotate their login for the audit record. By default the user is not prompted. For more information, see New Feature – Annotating Reason for Access in the Audit Record in Managing Auditing in Oracle Solaris 11.4.

    • audit_flags keyword – Modifies the audit mask. For more information, see the audit_flags(7) man page.

    • auths keyword – Assigns authorizations. For more information, see the auths(1) man page.

    • auth_profiles keyword – Assigns authenticated rights profiles. For reference, see the profiles(1) man page.

    • defaultpriv keyword – Adds privileges or removes them from the default basic set of privileges.

    • limitpriv keyword – Adds privileges or removes them from the default limit set of privileges.

      The defaultpriv and limitpriv privileges are always in effect because they are assigned to the user's initial process. For more information, see the privileges(7) man page and How Privileges Are Implemented.

    • idlecmd keyword – Logs out the user or locks the screen after idletime is reached.

    • idletime keyword – Sets the time that the system is available after no keyboard activity. Set idletime when you specify a value for idlecmd.

    • lock_after_retries keyword – If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file. For more information, see the login(1) man page. To unlock a locked account, see the passwd(1) man page.

    • pam_policy keyword – Specifies a per-user PAM policy. See the pam_user_policy(7) man page.

    • project keyword – Adds a default project. For more information, see the project(5) man page.

    • profiles keyword – Assigns rights profiles. For more information, see the profiles(1) man page.

    • unlock_after keyword – Specifies the time after which a locked account can be unlocked by a successful authentication . You can specify the time as a number of minutes, hours, days, or weeks. If a time for this attribute is not specified, the administrator must explicitly unlock the account. To unlock a locked account, see the passwd(1) man page.


Note -  Because the access_times and access_tz attributes are PAM attributes, they are checked during authentication. Therefore, they must be assigned either directly to a user or role, or in an authenticated rights profile. They are ignored in a regular rights profile.

The qualified attributes can be set for users and roles in the LDAP naming scope only. These qualifiers limit a user or role's attribute assignment, such as a rights profile, to one or more systems. For examples, see the useradd(8) and user_attr(5) man pages.

    The qualifiers are host and netgroup:

  • host qualifier – Identifies the system where the user or role can perform specified actions.

  • netgroup qualifier – Lists systems where the user or role can perform specified actions. host assignments have priority over netgroup assignments.

For more information, see the user_attr(5) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.

auth_attr Database

The auth_attr database stores authorization definitions. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, then to assign the rights profile to a role or user.

To view the contents of this database, use the getent auth_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.

prof_attr Database

The prof_attr database stores the name, description, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.

For more information, see the prof_attr(5) man page. To view the contents of this database, use the getent exec_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.

exec_attr Database

The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.

For more information, see the exec_attr(5) man page. To view the contents of this database, use the getent command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.

policy.conf File


Note -  This file is superseded by the SMF account-policy service. For more information, see New Feature – Enabling the account-policy Service and the account-policy(8S) man page.

    The /etc/security/policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users of a system. The relevant entries in the file consist of key=value pairs:

  • AUTHS_GRANTED=authorizations – Refers to one or more authorizations.

  • AUTH_PROFS_GRANTED=rights profiles – Refers to one or more authenticated rights profiles.

  • PROFS_GRANTED=rights profiles – Refers to one or more rights profiles that are not authenticated.

  • CONSOLE_USER=Console User– Refers to the Console User rights profile. This profile is delivered with a convenient set of authorizations for the console user. You can customize this profile.

  • PRIV_DEFAULT=privileges – Refers to one or more privileges.

  • PRIV_LIMIT=privileges – Refers to all privileges.

The following example shows some rights values from a policy.conf database:

## 
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
CONSOLE_USER=Console User
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all