About Authorizations

Language:

Authorizations are stored in the auth_attr database.

Note - If your administrator is using SMF to manage authorizations, then SMF property values indicate the current values of AUTHS_GRANTED, AUTH_PROFS_GRANTED, and PROFS_GRANTED, rather than the values in the /etc/security/policy.conf file. For more information, see Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4 and Security Attributes in Files and Their Corresponding SMF Properties in Securing Users and Processes in Oracle Solaris 11.4.

To create an application that uses authorizations, take the following steps:

Scan the entries in the auth_attr database using the getent command as follows:
```
$ getent auth_attr | sort | more
```
The getent command retrieves a list of authorizations from the auth_attr database and the sort command alphabetizes them. The authorizations are retrieved in the order in which they were configured. See the getent(8) man page for information about using the getent command.
Check for the required authorization at the beginning of the program using the chkauthattr(3C) function.
- AUTHS_GRANTED key in the policy.conf(5) database – AUTHS_GRANTED indicates authorizations that have been assigned by default.
- PROFS_GRANTED key in the policy.conf(5) database – PROFS_GRANTED indicates rights profiles that have been assigned by default. chkauthattr() checks these rights profiles for the specified authorization.
- The user_attr(5) database – This database stores security attributes that have been assigned to users.
- The prof_attr(5) database – This database stores rights profiles that have been assigned to users.
If chkauthattr() cannot find the right authorization in any of these places, then the user is denied access to the program. If the Stop profile is encountered by the chkauthattr() function, further authorizations and profiles including AUTHS_GRANTED, PROFS_GRANTED, and those found in the /etc/security/policy.conf are ignored. Hence the Stop profile can be used to override profiles that are listed using the PROFS_GRANTED and AUTHS_GRANTED key in the /etc/security/policy.conf file.

See Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.4 for information about how to use the provided security attributes, add new ones, and assign them to users and processes.

Note - Users can add entries to the auth_attr(), exec_attr(), and prof_attr() databases. However, Oracle Solaris authorizations are not stored in these databases.

Example 4 Checking for User Authorizations

The following code snippet demonstrates how the chkauthattr() function can be used to check a user's authorization. In this case, the program checks for the solaris.job.admin authorization. If the user has this authorization, the user is able to read or write to other users' files. Without the authorization, the user can operate on owned files only.

/* Define override privileges */
priv_set_t *override_privs = priv_allocset();

/* Clear privilege set before adding privileges. */
priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ,
			PRIV_FILE_DAC_WRITE, NULL);

priv_addset(override_privs, PRIV_FILE_DAC_READ);
priv_addset(override_privs, PRIV_FILE_DAC_WRITE);

if (!chkauthattr("solaris.jobs.admin", username)) {
    /* turn off privileges */
    setppriv(PRIV_OFF, PRIV_EFFECTIVE, override_privs);
}
/* Authorized users continue to run with privileges */
/* Other users can read or write to their own files only */