The following databases store the data for rights in Oracle Solaris:
Extended user attributes database (user_attr) – Associates users and roles with authorizations, privileges, and rights profiles, among other keywords.
Rights profile attributes database (prof_attr) – Defines rights profiles and lists the profiles' assigned authorizations, privileges, and keywords.
Authorization attributes database (auth_attr) – Defines authorizations and their attributes.
Execution attributes database (exec_attr) – Identifies the commands with security attributes that are assigned to specific rights profiles.
The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File. See also New Feature – Enabling the account-policy Service.
The name service scope of the rights databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the rights databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.
In the following output, the auth_attr, password, and prof_attr entries are not listed. Therefore, the rights databases are using the files naming service.
# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring     solaris.smf.value.name-service.switch
config/default               astring     files
config/host                  astring     "files ldap dns"
config/printer               astring     "user files ldap"
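The fallback rule described above (a rights database follows its own switch property when present, otherwise config/default) is easy to get wrong when reading listprop output by eye. The following shell function is an added example, not part of the Oracle documentation: it resolves the effective naming-service order for a rights database from listprop text. Both samples of listprop output are constructed; the second one, with explicit auth_attr, password and prof_attr properties, is an assumption about what an LDAP-enabled configuration might look like.

```shell
#!/bin/sh
# Constructed sample of `svccfg -s name-service/switch listprop config`
# output (not captured from a real system): no auth_attr, password or
# prof_attr property is present, so config/default applies to all of them.
SWITCH_DEFAULT='config                      application
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  files
config/host                 astring  "files ldap dns"
config/printer              astring  "user files ldap"'

# The same output with the rights-database properties set explicitly
# (constructed; assumed shape of an LDAP-enabled system).
SWITCH_LDAP="$SWITCH_DEFAULT
config/auth_attr            astring  \"files ldap\"
config/password             astring  \"files ldap\"
config/prof_attr            astring  \"files ldap\""

# rights_db_source DB PROPS: print the naming-service order that applies to
# rights database DB, given listprop output in PROPS.
#   passwd, user_attr     -> config/password
#   prof_attr, exec_attr  -> config/prof_attr
#   auth_attr             -> config/auth_attr
# A property that is not listed falls back to config/default.
rights_db_source() {
    case $1 in
        passwd|user_attr)    prop=config/password ;;
        prof_attr|exec_attr) prop=config/prof_attr ;;
        auth_attr)           prop=config/auth_attr ;;
        *) echo "not a rights database: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" | awk -v prop="$prop" '
        # the value is everything after the name and type columns, unquoted
        function value(  v) {
            v = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", v)
            gsub(/"/, "", v)
            return v
        }
        $1 == prop             { found = value() }
        $1 == "config/default" { dflt = value() }
        END { print (found != "" ? found : dflt) }'
}

# Stand-alone run: report every rights database for both samples.
for db in passwd user_attr auth_attr prof_attr exec_attr; do
    printf '%-10s default-only: %-12s explicit: %s\n' "$db" \
        "$(rights_db_source "$db" "$SWITCH_DEFAULT")" \
        "$(rights_db_source "$db" "$SWITCH_LDAP")"
done
```

On a Solaris host the live output can be passed directly, for example `rights_db_source prof_attr "$(svccfg -s name-service/switch listprop config)"`. The function only recognises the five rights databases, so a typo in the database name is reported rather than silently resolved to the default.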
The user_attr database contains user and role information that supplements the passwd and shadow databases. The attr field contains security attributes and the qualifier field contains attributes that qualify or limit the effect of security attributes to a system or group of systems.
The security attributes in the attr field can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands. They can be set locally and in the LDAP naming scope.
For a user, the roles keyword assigns one or more defined roles.
For a role, setting the roleauth keyword to user enables the role to authenticate with the user's own password rather than with the role password. By default, the value is role.
For a user or role, the following attributes can be set:
access_times keyword – Specifies the days and times that specified applications and services can be accessed. For more information, see the getaccess_times(3C) man page.
access_tz keyword – Specifies the time zone to use when interpreting the times in access_times entries. For more information, see the pam_unix_account(7) man page.
annotation keyword – Specifies whether to prompt the user to annotate their login for the audit record. By default the user is not prompted. For more information, see New Feature – Annotating Reason for Access in the Audit Record in Managing Auditing in Oracle Solaris 11.4.
audit_flags keyword – Modifies the audit mask. For more information, see the audit_flags(7) man page.
auths keyword – Assigns authorizations. For more information, see the auths(1) man page.
auth_profiles keyword – Assigns authenticated rights profiles. For reference, see the profiles(1) man page.
defaultpriv keyword – Adds privileges to, or removes them from, the default basic set of privileges.
limitpriv keyword – Adds privileges to, or removes them from, the default limit set of privileges.
The defaultpriv and limitpriv privileges are always in effect because they are assigned to the user's initial process. For more information, see the privileges(7) man page and How Privileges Are Implemented.
idlecmd keyword – Logs out the user or locks the screen after idletime is reached.
idletime keyword – Sets how long the session remains available after keyboard activity stops. Set idletime whenever you specify a value for idlecmd.
lock_after_retries keyword – If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file. For more information, see the login(1) man page. To unlock a locked account, see the passwd(1) man page.
pam_policy keyword – Specifies a per-user PAM policy. See the pam_user_policy(7) man page.
project keyword – Adds a default project. For more information, see the project(5) man page.
profiles keyword – Assigns rights profiles. For more information, see the profiles(1) man page.
unlock_after keyword – Specifies the time after which a locked account can be unlocked by a successful authentication. You can specify the time as a number of minutes, hours, days, or weeks. If no time is specified for this attribute, the administrator must explicitly unlock the account. To unlock a locked account, see the passwd(1) man page.
The qualified attributes can be set for users and roles in the LDAP naming scope only. These qualifiers limit a user or role's attribute assignment, such as a rights profile, to one or more systems. For examples, see the useradd(8) and user_attr(5) man pages.
The qualifiers are host and netgroup:
host qualifier – Identifies the system where the user or role can perform specified actions.
netgroup qualifier – Lists the systems where the user or role can perform specified actions. host assignments take precedence over netgroup assignments.
For more information, see the user_attr(5) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The auth_attr database stores authorization definitions. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, then to assign the rights profile to a role or user.
To view the contents of this database, use the getent auth_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The prof_attr database stores the name, description, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.
For more information, see the prof_attr(5) man page. To view the contents of this database, use the getent exec_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.
For more information, see the exec_attr(5) man page. To view the contents of this database, use the getent command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The /etc/security/policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users of a system. The relevant entries in the file consist of key=value pairs:
AUTHS_GRANTED=authorizations – Refers to one or more authorizations.
AUTH_PROFS_GRANTED=rights profiles – Refers to one or more authenticated rights profiles.
PROFS_GRANTED=rights profiles – Refers to one or more rights profiles that are not authenticated.
CONSOLE_USER=Console User – Refers to the Console User rights profile. This profile is delivered with a convenient set of authorizations for the console user. You can customize this profile.
The following example shows some rights values from a policy.conf database:
##
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
CONSOLE_USER=Console User
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
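The sections on the user_attr, exec_attr and policy.conf databases above describe three sources that together decide what a command is allowed to do for a given user: the user's own rights profiles (user_attr), the profiles granted to everyone (PROFS_GRANTED in policy.conf), and the per-profile command entries (exec_attr). The following shell script is an added example and not part of the Oracle documentation or of any Solaris tool. It parses constructed copies of all three files and resolves the security attributes a command would receive, searching profiles in effective order so that the first matching exec_attr entry wins. The user_attr entries, exec_attr entries and policy.conf content are all constructed for illustration; the parser assumes the attr field contains no backslash-escaped colons, and matches exec_attr ids only by exact path or the "*" wildcard (the real database also permits shell patterns).

```shell
#!/bin/sh
# Constructed user_attr entries in the files format user:qualifier:res1:res2:attr.
# Not copied from any real system. Escaped colons in the attr field are not handled.
USER_ATTR='root::::type=role;auths=solaris.*;profiles=All;lock_after_retries=no
jdoe::::type=normal;profiles=System Administrator,Printer Management;roles=root;lock_after_retries=yes;idletime=30;idlecmd=lock
guest::::type=normal;lock_after_retries=no'

# Constructed exec_attr entries: name:policy:type:res1:res2:id:attr.
EXEC_ATTR='System Administrator:solaris:cmd:RO::/usr/sbin/useradd:uid=0
Printer Management:solaris:cmd:RO::/usr/bin/lpadmin:euid=0
All:solaris:cmd:RO::*:
Basic Solaris User:solaris:cmd:RO::/usr/bin/cdrecord:privs=file_dac_read'

# Constructed policy.conf with the rights values shown in the text.
POLICY_CONF='##
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
CONSOLE_USER=Console User
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all'

# user_attr_keyword USER KEYWORD: value of KEYWORD in USER's attr field
# (empty if the user or the keyword is absent).
user_attr_keyword() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v user="$1" -v key="$2" '
        $1 == user {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) print substr(kv[i], eq + 1)
            }
        }'
}

# policy_value KEY: value of KEY in policy.conf. Commented-out lines are
# skipped, so "#PRIV_DEFAULT=basic" yields nothing: that default is untouched.
policy_value() {
    printf '%s\n' "$POLICY_CONF" | awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        $1 == key  { sub(/^[^=]*=/, ""); print; exit }'
}

# effective_profiles USER: the user's own profiles followed by the profiles
# granted to all users through PROFS_GRANTED (assumed order: per-user first).
effective_profiles() {
    own=$(user_attr_keyword "$1" profiles)
    all=$(policy_value PROFS_GRANTED)
    if [ -n "$own" ] && [ -n "$all" ]; then
        printf '%s,%s\n' "$own" "$all"
    else
        printf '%s%s\n' "$own" "$all"
    fi
}

# command_attrs USER CMD: security attributes CMD receives for USER. Profiles
# are searched in effective order; within a profile an exact path beats the
# "*" wildcard. Prints "(none)" for a match without attributes and "no entry"
# when no assigned profile covers the command.
command_attrs() {
    profiles=$(effective_profiles "$1")
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v profiles="$profiles" -v cmd="$2" '
        BEGIN { n = split(profiles, order, ",") }
        $3 == "cmd" && $6 == cmd                   { attr[$1] = $7; seen[$1] = 2 }
        $3 == "cmd" && $6 == "*" && seen[$1] != 2  { attr[$1] = $7; seen[$1] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in seen) {
                    print (attr[order[i]] == "" ? "(none)" : attr[order[i]])
                    exit
                }
            print "no entry"
        }'
}

# Stand-alone run: show the resolution for a few user/command pairs.
for u in jdoe guest root; do
    printf '%-6s profiles: %s\n' "$u" "$(effective_profiles "$u")"
    for c in /usr/sbin/useradd /usr/bin/lpadmin; do
        printf '       %-20s -> %s\n' "$c" "$(command_attrs "$u" "$c")"
    done
done
```

Two points the output makes visible: guest receives no attributes for /usr/sbin/useradd even though Basic Solaris User is granted to everyone, because that profile has no entry for the command, and root's "All" profile matches every command with an empty attribute list, which is why the wildcard entry must come first in a profile list only when no attributes are intended.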