rad - remote administration daemon
/usr/lib/rad [-d] [-s] [-S fmri] [-M module [ -M module ]...] [-m moduledir [ -m moduledir ]...] [-t transpec [ -t transpec ]...] [-e timeout]
System Administration Commands rad(8)
NAME
rad - remote administration daemon
SYNOPSIS
/usr/lib/rad [-d] [-s] [-S fmri]
[-M module [ -M module ]...]
[-m moduledir [ -m moduledir ]...]
[-t transpec [ -t transpec ]...]
[-e timeout]
DESCRIPTION
rad is a facility that securely exposes programmatic system administra-
tive and monitoring interfaces to consumers in a variety of high-level
languages.
rad can be used in the following ways:
o As a service:
When run as a service, rad authenticates connections using
getpeerucred(3C) or pam(3PAM). When used in this way, con-
sumed APIs are run as the authenticated user. This mode of
operation is provided with both local consumers looking to
isolate execution of their privileged operations and remote
consumers in mind.
o As an unprivileged program:
When run as an unprivileged program, rad serves solely as a
bridge between its clients and the administrative APIs it
publishes. When used in this way, any interfaces consumed
will be run with the rights held by the rad process.
rad is modular. The APIs published by rad are delivered as shared
objects, as are the protocols it understands and the transports it can
communicate over. Multiple instances of rad can run simultaneously,
each functioning independently of the others, providing different ser-
vices to different consumers, and listening for different types of con-
nections on different ports or interfaces. rad obtains its configura-
tion from its command-line options, from smf(7), or from a combination
of the two.
OPTIONS
The following options are available for use on the command line:
-d
Emit verbose debugging output.
-e timeout
Specify a connection timeout in seconds. The default value is 180
seconds.
-m moduledir
Add moduledir to the list of directories to scan and load modules
from. The -m option can be used multiple times to add multiple mod-
ule directories.
-M module
Add module to the list of modules to load. module should be an
absolute pathname or a pathname relative to the current working
directory. Modules loaded with -M take precedence over modules
found using -m. The -M option can be used multiple times to add
multiple modules.
-t transpec
Instantiate a transport specified by transport specification
transpec. A transport specification has the following format:
transport[:option[=value][,option2[=value2]]...]
-s
Behave as an svc.startd(8) start method. This option has the fol-
lowing effects:
o If the -S option is not specified, rad will read its
configuration from the service identified by
scf_myname() (see scf_handle_create(3SCF)).
o rad will use smf_method(7)-compatible exit statuses.
o rad will daemonize, returning success only once it is
ready to handle requests.
-S fmri
Read configuration from the SMF service instance specified by fmri.
When the -s option is not specified, configured transports are not
read from the service to avoid endpoint conflicts with a running
service.
Module directories specified on the command line are searched
before module directories configured in SMF, permitting command
line configuration to override SMF configuration.
SMF CONFIGURATION
When rad reads its configuration from smf, it reads general configura-
tion from a property group called config of type application, and reads
configuration for each of an arbitrary number of transports from a
series of properties groups of type xport_XYZ where XYZ is replaced
with the name of the transport type. Multiple instances of a particular
transport type can be configured by creating multiple property groups
of the corresponding type. The names of the property groups used to
configure transports are not important.
The config property group contains the following properties:
moduledir
A list of astrings. The directories to scan and load modules from.
modules
A list of astrings. The file names of specific modules to load.
debug
A boolean. If true, rad will emit verbose debugging output.
Defaults to false.
timeout
An integer. The maximum time in seconds to wait for an individual
response from the client while authenticating. Defaults to 180.
Service Instances
Two instances of the svc:/system/rad SMF service are configured to run
/usr/lib/rad/rad:
svc:/system/rad:local
Configures rad to use the unix transport, with AF_UNIX sockets at:
o /system/volatile/rad/radsocket, for getpeeru-
cred(3C)-authenticated connections.
o /system/volatile/rad/radsocket-unauth, for
pam(3PAM)-authenticated connections.
o /system/volatile/rad/radsocket-http, for getpeeru-
cred(3C)-authenticated connections.
o /system/volatile/rad/radsocket-unauth-http, for
pam(3PAM)-authenticated connections.
Rad protocol interactions are supported over the first two sockets and
HTTP protocol interactions are supported over the second two sockets.
svc:/system/rad:remote
Configures rad to use the tls and gss transports. The TLS transport
provides ports for both the RAD RPC protocol (12302) and the RAD
HTTP/JSON protocol (6788).
Each service is configured with the following directories in its mod-
uledir setting:
/usr/lib/rad/module
content-specific modules
/usr/lib/rad/transport
transport modules
/usr/lib/rad/protocol
protocol modules
/usr/lib/rad/site-modules
site-specific modules
PROTOCOLS
Support for different protocols is delivered in module form. Modules
for the following protocols are delivered by default: rad (RAD RPC pro-
tocol), rad-http (HTTP/JSON). A rad instance can support multiple
transports, with each transport specifying which protocol it supports
through the proto option. For more information, see 'Transports' sec-
tion.
TRANSPORTS
Support for different transport types is delivered in module form. Mod-
ules for the following transports are supplied with the system: Pipes
(pipe), Generic Security Services API (gss), TCP sockets (tcp), TLS
sockets (tls), and Unix-domain sockets (unix). Each transport type has
a unique set of configuration properties. The options for an instance
of a transport type are configured either by defining properties in an
SMF property group or by supplying sub-options to a -t command-line
option.
The gss transport utilizes the GSS-API protocol to secure communication
between the client and server. It listens GSS-API connections on a TCP
socket. The gss transport has the following options:
proto An astring. The protocol to use with this transport
instance. Defaults to rad.
port An integer. The port to listen on for connections.
localonly A boolean. If true, rad will only listen for connections
from the local machine. Defaults to true.
pam_service An astring. The pam service name to use when authenti-
cating. Defaults to rad-gss. See the "Authenticating
with PAM" section below.
The pipe transport reads from and writes to a specific file descriptor,
as is needed when a process wishes to communicate with a child rad
process using a pipe. The pipe transport has the following options:
proto
An astring. The protocol to use with this transport instance.
Defaults to rad.
fd
An integer. The file descriptor to read from/write to.
exit
A boolean. If true, rad will exit when communication over the pipe
ends. Defaults to false.
The tcp transport listens for clear-text connections on a TCP socket.
The tcp transport has the following options:
proto
An astring. The protocol to use with this transport instance.
Defaults to rad.
port
An integer. The port to listen on for connections.
localonly
A boolean. If true, rad will only listen for connections from the
local machine. Defaults to true.
pam_service
An astring. The pam(3PAM) service name to use when authenticating.
Defaults to rad-tcp. See the "Authenticating with PAM" section
below.
The tls transport listens for TLS connections on a TCP socket. The tls
transport has the following options:
proto
An astring. The protocol to use with this transport instance.
Defaults to rad.
port
An integer. The port to listen on for connections.
localonly
A boolean. If true, rad will only listen for connections from the
local machine. Defaults to true.
certificate
An astring. The location of the PEM-formatted x509 certificate to
use.
privatekey
An astring. The location of the PEM-formatted private key to use.
pam_service
An astring. The pam(3PAM) service name to use when authenticating.
Defaults to rad-tls. See the "Authenticating with PAM" section
below.
The unix transport listens for connections on an AF_UNIX socket. The
unix transport has the following options:
proto
An astring. The protocol to use with this transport instance.
Defaults to rad.
path
An astring. The path to listen on.
peercred
A boolean. If true, rad will attempt to automatically authenticate
connections using getpeerucred(3C). Defaults to true.
pam_service
n astring. The pam(3PAM) service name to use when authenticating.
Defaults to rad-unix. See the "Authenticating with PAM" section
below.
AUTHENTICATING WITH PAM
When rad is run as a service, and getpeerucred(3C) is not applicable to
the transport being used, pam(3PAM) is used to authenticate connec-
tions. The PAM service name used is dependent on the transport:
rad-gss
when connecting by means of the gss transport
rad-tls
when connecting by means of the tls transport
rad-tcp
when connecting by means of the tcp transport
rad-unix
when connecting by means of the unix transport (and peercred is
false)
rad
when connecting by means of any other transport
In rare cases, administrators may need to override the PAM service name
used on a per-transport basis. For example, two rad TLS transports
serving a single rad instance, with one listening on a local (more
trusted) network and the other on a remote (less trusted) network,
could require different PAM configurations.
In such cases, administrators can specify the name of the PAM service
to use as a transport configuration property (see the "Transports" sec-
tion above).
As with all PAM services, PAM will for look for entries corresponding
to the PAM service for rad in /etc/pam.conf first and then
/etc/pam.d/service. If no entries are found PAM will look in
/etc/pam.conf for entries corresponding to the "other" service. If no
"other" entries are found PAM will finally look for entries in
/etc/pam.d/other.
FILES
/etc/rad/cert.pem
The location where the remote rad instance (svc:/system/rad:remote)
stores its certificate. This file is readable by all users.
/etc/rad/key.pem
The location where the remote rad instance (svc:/system/rad:remote)
stores its private key.
/system/volatile/rad/radsocket
The AF_UNIX socket where the local rad instance (svc:/sys-
tem/rad:local) accepts connections that are implicitly authenti-
cated with getpeerucred(3C).
/system/volatile/rad/radsocket-unauth
The AF_UNIX socket where the local rad instance (svc:/sys-
tem/rad:local) accepts connections that must explicitly authenti-
cate using pam(3PAM).
/system/volatile/rad/radsocket-http
The AF_UNIX socket where the local rad instance (svc:/sys-
tem/rad:local) accepts HTTP protocol (rad-http) connections that
are implicitly authenticated with getpeerucred(3C).
/system/volatile/rad/radsocket-unauth-http
The AF_UNIX socket where the local rad instance (svc:/sys-
tem/rad:local) accepts HTTP protocol (rad-http) connections that
must explicitly authenticate using pam(3PAM).
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| | |
| | |
|ATTRIBUTE TYPE |ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |system/management/rad |
+-----------------------------+-----------------------------+
|Interface Stability |Private |
+-----------------------------+-----------------------------+
SEE ALSO
usermgr-1(3rad), radadrgen(1), pipe(2), getpeerucred(3C), pam(3PAM),
scf_handle_create(3SCF), attributes(7), smf(7), smf_method(7),
svc.startd(8)
Managing User Accounts and User Environments in Oracle Solaris 11.4
NOTES
Two instances of rad are delivered by the system and is enabled by
default.
svc:/system/rad:local listens to AF_UNIX connections at the paths:
o /system/volatile/rad/rad socket
o /system/volatile/rad/radsocket-unauth
o /system/volatile/rad/radsocket-http
o /system/volatile/rad/radsocket-unauth-http
The first and third AF_UNIX sockets will automatically authenticate the
connecting process using getpeerucred(3C), while the other two require
the connecting process to explicitly authenticate.
svc:/system/rad:remote listens for TLS connections on ports 12302 (RAD
RPC) and 6788 (HTTP/JSON) and for GSS-API (RAD RPC protocol) connec-
tions on port 6789. The service is disabled by default.
These ports require all clients to explicitly authenticate.
Other system components, including some desktop administrative user
interfaces, rely on the local instance of rad (svc:/system/rad:local).
Oracle Solaris 11.4 23 Feb 2018 rad(8)