Go to main content

Developer's Guide to Oracle® Solaris 11.3 Security

Exit Print View

Updated: April 2020
 
 

About Authorizations

    Authorizations are stored in the /etc/security/auth_attr file. To create an application that uses authorizations, take the following steps:

  1. Scan the entries in the auth_attr database using the getent command as follows :

    $ getent auth_attr | sort | more

    The getent command retrieves a list of authorizations in the auth_attr database and sorts similar named authorizations together. The authorizations are retrieved in the order in which they were configured. See the getent(1M) man page for information on using the getent command.

  2. Check for the required authorization at the beginning of the program using the chkauthattr(3C) function.

      The chkauthattr() function searches for the authorization in order in the following locations:

    • AUTHS_GRANTED key in the policy.conf(4) database – AUTHS_GRANTED indicates authorizations that have been assigned by default.

    • PROFS_GRANTED key in the policy.conf(4) database – PROFS_GRANTED indicates rights profiles that have been assigned by default. chkauthattr() checks these rights profiles for the specified authorization.

    • The user_attr(4) database – This database stores security attributes that have been assigned to users.

    • The prof_attr(4) database – This database stores rights profiles that have been assigned to users.

    If chkauthattr() cannot find the right authorization in any of these places, then the user is denied access to the program. If the Stop profile is encountered by the chkauthattr() function, further authorizations and profiles including AUTHS_GRANTED, PROFS_GRANTED, and those found in the /etc/security/policy.conf are ignored. Hence the Stop profile can be used to override profiles that are listed using the PROFS_GRANTED and AUTHS_GRANTED key in the /etc/security/policy.conf file.

See Chapter 3, Assigning Rights in Oracle Solaris in Securing Users and Processes in Oracle Solaris 11.3 for information about how to use the provided security attributes, add new ones, and assign them to users and processes.

Note - Users can add entries to the auth_attr(), exec_attr(), and prof_attr() databases. However Oracle Solaris authorizations are not stored in these databases.
Example 5  Checking for Authorizations

The following code snippet demonstrates how the chkauthattr() function can be used to check a user's authorization. In this case, the program checks for the solaris.job.admin authorization. If the user has this authorization, the user is able to read or write to other users' files. Without the authorization, the user can operate on owned files only.

/* Define override privileges */
priv_set_t *override_privs = priv_allocset();

/* Clear privilege set before adding privileges. */
priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ,
			priv_FILE_DAC_WRITE, NULL);

priv_addset(override_privs, PRIV_FILE_DAC_READ);
priv_addset(override_privs, PRIV_FILE_DAC_WRITE);

if (!chkauthattr("solaris.jobs.admin", username)) {
    /* turn off privileges */
    setppriv(PRIV_OFF, PRIV_EFFECTIVE, override_privs);
}
/* Authorized users continue to run with privileges */
/* Other users can read or write to their own files only */
Copyright © 2000, 2020, Oracle and/or its affiliates. All rights reserved. 
Previous
Next