Rights in Oracle Solaris exist on every process. You can add rights to users and roles, and remove rights. Rights include privileges on the user's process, privileges or special IDs on a command that the user runs, and authorizations to perform a particular action. To ease the administrative burden of assigning rights, Oracle Solaris collects rights for services and administrative actions into rights profiles. Rather than assign individual rights to users and roles, you can collect rights in a rights profile. You can then assign the rights profiles to users and roles.
Roles give a name to the administrative task that a user can perform, such as auditadm. To perform an administrative action, the user assumes an assigned role to perform the action. Roles can be required by security policy and they can simply be convenient. You can create roles or you can install the armor package which creates seven roles and their local home directories. For more information about roles, see User and Process Rights Provide an Alternative to the Superuser Model.
You can also assign rights to a system, whereby all users who log in to the system are granted those rights. Typically, administrators remove rights from specialized systems, such as kiosks or systems designed only to administer other systems. The preferred method of changing the rights on a system is to enable the account-policy Service Management Facility (SMF) service and modify the system's security attributes as SMF properties. The legacy method is to edit individual files in the /etc directory.
example-11u4 $ pfbash svccfg -s account-policy:default \ setprop config/etc_security_policyconf/disabled = boolean: false example-11u4 $ svccfg -s svc:/system/account-policy:default \ setprop rbac/default_privileges astring: = "basic,!file_link_any"
The preceding commands replace this legacy method:
example-11u3 $ pfexec vim /etc/security/policy.conf PRIV_DEFAULT=basic,!file_link_any
For more information, see account-policy(8S) and Modifying System-Wide Privileges, Authorizations, and Rights Profiles.