The following databases store the data for rights in Oracle Solaris:
The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users. For more information, see policy.conf File. See also New Feature – Enabling the account-policy Service.
The name service scope of the rights databases is defined in the SMF service for the naming service switch, svc:/system/name-service/switch. The properties in this service for the rights databases are auth_attr, password, and prof_attr. The password property sets the naming service precedence for the passwd and user_attr databases. The prof_attr property sets the naming service precedence for the prof_attr and exec_attr databases.
In the following output, the auth_attr, password, and prof_attr entries are not listed. Therefore, the rights databases are using the files naming service.
# svccfg -s name-service/switch listprop config
config                      application
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  files
config/host                 astring  "files ldap dns"
config/printer              astring  "user files ldap"
The user_attr database contains user and role information that supplements the passwd and shadow databases. The attr field contains security attributes and the qualifier field contains attributes that qualify or limit the effect of security attributes to a system or group of systems.
The security attributes in the attr field can be set by using the roleadd, rolemod, useradd, usermod, and profiles commands. They can be set locally and in the LDAP naming scope.
For a user, the roles keyword assigns one or more defined roles.
For a role, the user value to the roleauth keyword enables the role to authenticate with the user password rather than with the role password. By default, the value is role.
For a user or role, the following attributes can be set:
access_times keyword – Specifies the days and times that specified applications and services can be accessed. For more information, see the getaccess_times(3C) man page.
access_tz keyword – Specifies the time zone to use when interpreting the times in access_times entries. For more information, see the pam_unix_account(7) man page.
annotation keyword – Specifies whether to prompt the user to annotate their login for the audit record. By default the user is not prompted. For more information, see New Feature – Annotating Reason for Access in the Audit Record in Managing Auditing in Oracle Solaris 11.4.
audit_flags keyword – Modifies the audit mask. For more information, see the audit_flags(7) man page.
auths keyword – Assigns authorizations. For more information, see the auths(1) man page.
auth_profiles keyword – Assigns authenticated rights profiles. For reference, see the profiles(1) man page.
defaultpriv keyword – Adds privileges or removes them from the default basic set of privileges.
The defaultpriv and limitpriv privileges are always in effect because they are assigned to the user's initial process. For more information, see the privileges(7) man page and How Privileges Are Implemented.
lock_after_retries keyword – If the value is yes, the system is locked after the number of retries exceeds the number that is allowed in the /etc/default/login file. For more information, see the login(1) man page. To unlock a locked account, see the passwd(1) man page.
pam_policy keyword – Specifies a per-user PAM policy. See the pam_user_policy(7) man page.
project keyword – Adds a default project. For more information, see the project(5) man page.
profiles keyword – Assigns rights profiles. For more information, see the profiles(1) man page.
unlock_after keyword – Specifies the time after which a locked account can be unlocked by a successful authentication. You can specify the time as a number of minutes, hours, days, or weeks. If no time is specified for this attribute, the administrator must explicitly unlock the account. To unlock a locked account, see the passwd(1) man page.
The qualified attributes can be set for users and roles in the LDAP naming scope only. These qualifiers limit a user or role's attribute assignment, such as a rights profile, to one or more systems. For examples, see the useradd(8) and user_attr(5) man pages.
The qualifiers are host and netgroup.
For more information, see the user_attr(5) man page. To view the contents of this database, use the getent user_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The auth_attr database stores authorization definitions. Authorizations can be assigned to users, to roles, or to rights profiles. The preferred method is to place authorizations in a rights profile, then to assign the rights profile to a role or user.
The prof_attr database stores the name, description, privileges, and authorizations that are assigned to rights profiles. The commands and security attributes that are assigned to rights profiles are stored in the exec_attr database. For more information, see exec_attr Database.
For more information, see the prof_attr(5) man page. To view the contents of this database, use the getent exec_attr command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The exec_attr database defines commands that require security attributes to succeed. The commands are part of a rights profile. A command with its security attributes can be run by roles or users to whom the profile is assigned.
For more information, see the exec_attr(5) man page. To view the contents of this database, use the getent command. For more information, see the getent(8) man page and Listing Rights in Oracle Solaris.
The /etc/security/policy.conf file provides a way of granting specific rights profiles, specific authorizations, and specific privileges to all users of a system. The relevant entries in the file consist of key=value pairs.
The following example shows some rights values from a policy.conf database:
##
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
CONSOLE_USER=Console User
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
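As an added example (not Oracle's code and not from this page), the following Python parses constructed user_attr-style entries and policy.conf key=value lines and merges them into the rights an account effectively holds, covering both the user_attr keywords and the policy.conf grants described above. The user_attr field layout, the ';' and ',' separators, and the basic/all fallbacks used when PRIV_DEFAULT and PRIV_LIMIT are commented out are assumptions.

```python
# Constructed user_attr(5)-style lines (user:qualifier:res1:res2:attr); not from the page.
USER_ATTR_SAMPLE = """\
root::::type=normal;auths=solaris.*;profiles=All;lock_after_retries=no
alice::::profiles=Audit Review;roles=secadmin;lock_after_retries=yes
secadmin::::type=role;roleauth=user;profiles=Audit Control,User Security
bob::::defaultpriv=basic,!proc_session;limitpriv=all,!sys_linkdir
"""
# Constructed policy.conf lines; a leading '#' means the setting is commented out.
POLICY_CONF_SAMPLE = """\
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
CONSOLE_USER=Console User
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
"""

def values(val):
    """Comma-separated value list: 'basic,!proc_session' -> ['basic', '!proc_session']."""
    return [v.strip() for v in val.split(",") if v.strip()]

def parse_attr(field):
    """Split a ';'-separated attr field into {keyword: [values]}."""
    pairs = (kv.partition("=") for kv in field.split(";") if kv)
    return {k.strip(): values(v) for k, _, v in pairs}

def parse_user_attr(text):
    """Return {name: {'qualifier': str, 'attrs': dict}} for each non-comment entry."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, qual, _res1, _res2, attr = line.split(":", 4)
            entries[name] = {"qualifier": qual, "attrs": parse_attr(attr)}
    return entries

def parse_policy_conf(text):
    """Return only the active key=value pairs; commented-out keys fall back to the built-in default."""
    active = (ln.strip().partition("=") for ln in text.splitlines()
              if ln.strip() and not ln.startswith("#") and "=" in ln)
    return {k.strip(): values(v) for k, _, v in active}

def effective_rights(name, users, policy):
    """Merge an account's own keywords with the system-wide policy.conf grants and defaults."""
    a = users[name]["attrs"]
    return {
        "profiles": a.get("profiles", []) + policy.get("PROFS_GRANTED", []),
        "auths": a.get("auths", []) + policy.get("AUTHS_GRANTED", []),
        "auth_profiles": a.get("auth_profiles", []) + policy.get("AUTH_PROFS_GRANTED", []),
        "defaultpriv": a.get("defaultpriv") or policy.get("PRIV_DEFAULT", ["basic"]),  # assumed default
        "limitpriv": a.get("limitpriv") or policy.get("PRIV_LIMIT", ["all"]),          # assumed default
    }
```

Running effective_rights over every entry from getent user_attr gives a quick inventory of which accounts carry more than the policy.conf baseline.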