rad - remote administration daemon
/usr/lib/rad [-d] [-s] [-S fmri] [-M module [ -M module ]...] [-m moduledir [ -m moduledir ]...] [-t transpec [ -t transpec ]...] [-e timeout]
System Administration Commands rad(8) NAME rad - remote administration daemon SYNOPSIS /usr/lib/rad [-d] [-s] [-S fmri] [-M module [ -M module ]...] [-m moduledir [ -m moduledir ]...] [-t transpec [ -t transpec ]...] [-e timeout] DESCRIPTION rad is a facility that securely exposes programmatic system administra- tive and monitoring interfaces to consumers in a variety of high-level languages. rad can be used in the following ways: o As a service: When run as a service, rad authenticates connections using getpeerucred(3C) or pam(3PAM). When used in this way, con- sumed APIs are run as the authenticated user. This mode of operation is provided with both local consumers looking to isolate execution of their privileged operations and remote consumers in mind. o As an unprivileged program: When run as an unprivileged program, rad serves solely as a bridge between its clients and the administrative APIs it publishes. When used in this way, any interfaces consumed will be run with the rights held by the rad process. rad is modular. The APIs published by rad are delivered as shared objects, as are the protocols it understands and the transports it can communicate over. Multiple instances of rad can run simultaneously, each functioning independently of the others, providing different ser- vices to different consumers, and listening for different types of con- nections on different ports or interfaces. rad obtains its configura- tion from its command-line options, from smf(7), or from a combination of the two. OPTIONS The following options are available for use on the command line: -d Emit verbose debugging output. -e timeout Specify a connection timeout in seconds. The default value is 180 seconds. -m moduledir Add moduledir to the list of directories to scan and load modules from. The -m option can be used multiple times to add multiple mod- ule directories. -M module Add module to the list of modules to load. module should be an absolute pathname or a pathname relative to the current working directory. Modules loaded with -M take precedence over modules found using -m. The -M option can be used multiple times to add multiple modules. -t transpec Instantiate a transport specified by transport specification transpec. A transport specification has the following format: transport[:option[=value][,option2[=value2]]...] -s Behave as an svc.startd(8) start method. This option has the fol- lowing effects: o If the -S option is not specified, rad will read its configuration from the service identified by scf_myname() (see scf_handle_create(3SCF)). o rad will use smf_method(7)-compatible exit statuses. o rad will daemonize, returning success only once it is ready to handle requests. -S fmri Read configuration from the SMF service instance specified by fmri. When the -s option is not specified, configured transports are not read from the service to avoid endpoint conflicts with a running service. Module directories specified on the command line are searched before module directories configured in SMF, permitting command line configuration to override SMF configuration. SMF CONFIGURATION When rad reads its configuration from smf, it reads general configura- tion from a property group called config of type application, and reads configuration for each of an arbitrary number of transports from a series of properties groups of type xport_XYZ where XYZ is replaced with the name of the transport type. Multiple instances of a particular transport type can be configured by creating multiple property groups of the corresponding type. The names of the property groups used to configure transports are not important. The config property group contains the following properties: moduledir A list of astrings. The directories to scan and load modules from. modules A list of astrings. The file names of specific modules to load. debug A boolean. If true, rad will emit verbose debugging output. Defaults to false. timeout An integer. The maximum time in seconds to wait for an individual response from the client while authenticating. Defaults to 180. Service Instances Two instances of the svc:/system/rad SMF service are configured to run /usr/lib/rad/rad: svc:/system/rad:local Configures rad to use the unix transport, with AF_UNIX sockets at: o /system/volatile/rad/radsocket, for getpeeru- cred(3C)-authenticated connections. o /system/volatile/rad/radsocket-unauth, for pam(3PAM)-authenticated connections. o /system/volatile/rad/radsocket-http, for getpeeru- cred(3C)-authenticated connections. o /system/volatile/rad/radsocket-unauth-http, for pam(3PAM)-authenticated connections. Rad protocol interactions are supported over the first two sockets and HTTP protocol interactions are supported over the second two sockets. svc:/system/rad:remote Configures rad to use the tls and gss transports. The TLS transport provides ports for both the RAD RPC protocol (12302) and the RAD HTTP/JSON protocol (6788). Each service is configured with the following directories in its mod- uledir setting: /usr/lib/rad/module content-specific modules /usr/lib/rad/transport transport modules /usr/lib/rad/protocol protocol modules /usr/lib/rad/site-modules site-specific modules PROTOCOLS Support for different protocols is delivered in module form. Modules for the following protocols are delivered by default: rad (RAD RPC pro- tocol), rad-http (HTTP/JSON). A rad instance can support multiple transports, with each transport specifying which protocol it supports through the proto option. For more information, see 'Transports' sec- tion. TRANSPORTS Support for different transport types is delivered in module form. Mod- ules for the following transports are supplied with the system: Pipes (pipe), Generic Security Services API (gss), TCP sockets (tcp), TLS sockets (tls), and Unix-domain sockets (unix). Each transport type has a unique set of configuration properties. The options for an instance of a transport type are configured either by defining properties in an SMF property group or by supplying sub-options to a -t command-line option. The gss transport utilizes the GSS-API protocol to secure communication between the client and server. It listens GSS-API connections on a TCP socket. The gss transport has the following options: proto An astring. The protocol to use with this transport instance. Defaults to rad. port An integer. The port to listen on for connections. localonly A boolean. If true, rad will only listen for connections from the local machine. Defaults to true. pam_service An astring. The pam service name to use when authenti- cating. Defaults to rad-gss. See the "Authenticating with PAM" section below. The pipe transport reads from and writes to a specific file descriptor, as is needed when a process wishes to communicate with a child rad process using a pipe. The pipe transport has the following options: proto An astring. The protocol to use with this transport instance. Defaults to rad. fd An integer. The file descriptor to read from/write to. exit A boolean. If true, rad will exit when communication over the pipe ends. Defaults to false. The tcp transport listens for clear-text connections on a TCP socket. The tcp transport has the following options: proto An astring. The protocol to use with this transport instance. Defaults to rad. port An integer. The port to listen on for connections. localonly A boolean. If true, rad will only listen for connections from the local machine. Defaults to true. pam_service An astring. The pam(3PAM) service name to use when authenticating. Defaults to rad-tcp. See the "Authenticating with PAM" section below. The tls transport listens for TLS connections on a TCP socket. The tls transport has the following options: proto An astring. The protocol to use with this transport instance. Defaults to rad. port An integer. The port to listen on for connections. localonly A boolean. If true, rad will only listen for connections from the local machine. Defaults to true. certificate An astring. The location of the PEM-formatted x509 certificate to use. privatekey An astring. The location of the PEM-formatted private key to use. pam_service An astring. The pam(3PAM) service name to use when authenticating. Defaults to rad-tls. See the "Authenticating with PAM" section below. The unix transport listens for connections on an AF_UNIX socket. The unix transport has the following options: proto An astring. The protocol to use with this transport instance. Defaults to rad. path An astring. The path to listen on. peercred A boolean. If true, rad will attempt to automatically authenticate connections using getpeerucred(3C). Defaults to true. pam_service n astring. The pam(3PAM) service name to use when authenticating. Defaults to rad-unix. See the "Authenticating with PAM" section below. AUTHENTICATING WITH PAM When rad is run as a service, and getpeerucred(3C) is not applicable to the transport being used, pam(3PAM) is used to authenticate connec- tions. The PAM service name used is dependent on the transport: rad-gss when connecting by means of the gss transport rad-tls when connecting by means of the tls transport rad-tcp when connecting by means of the tcp transport rad-unix when connecting by means of the unix transport (and peercred is false) rad when connecting by means of any other transport In rare cases, administrators may need to override the PAM service name used on a per-transport basis. For example, two rad TLS transports serving a single rad instance, with one listening on a local (more trusted) network and the other on a remote (less trusted) network, could require different PAM configurations. In such cases, administrators can specify the name of the PAM service to use as a transport configuration property (see the "Transports" sec- tion above). As with all PAM services, PAM will for look for entries corresponding to the PAM service for rad in /etc/pam.conf first and then /etc/pam.d/service. If no entries are found PAM will look in /etc/pam.conf for entries corresponding to the "other" service. If no "other" entries are found PAM will finally look for entries in /etc/pam.d/other. FILES /etc/rad/cert.pem The location where the remote rad instance (svc:/system/rad:remote) stores its certificate. This file is readable by all users. /etc/rad/key.pem The location where the remote rad instance (svc:/system/rad:remote) stores its private key. /system/volatile/rad/radsocket The AF_UNIX socket where the local rad instance (svc:/sys- tem/rad:local) accepts connections that are implicitly authenti- cated with getpeerucred(3C). /system/volatile/rad/radsocket-unauth The AF_UNIX socket where the local rad instance (svc:/sys- tem/rad:local) accepts connections that must explicitly authenti- cate using pam(3PAM). /system/volatile/rad/radsocket-http The AF_UNIX socket where the local rad instance (svc:/sys- tem/rad:local) accepts HTTP protocol (rad-http) connections that are implicitly authenticated with getpeerucred(3C). /system/volatile/rad/radsocket-unauth-http The AF_UNIX socket where the local rad instance (svc:/sys- tem/rad:local) accepts HTTP protocol (rad-http) connections that must explicitly authenticate using pam(3PAM). ATTRIBUTES See attributes(7) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | | | | | | |ATTRIBUTE TYPE |ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |system/management/rad | +-----------------------------+-----------------------------+ |Interface Stability |Private | +-----------------------------+-----------------------------+ SEE ALSO usermgr-1(3rad), radadrgen(1), pipe(2), getpeerucred(3C), pam(3PAM), scf_handle_create(3SCF), attributes(7), smf(7), smf_method(7), svc.startd(8) Managing User Accounts and User Environments in Oracle Solaris 11.4 NOTES Two instances of rad are delivered by the system and is enabled by default. svc:/system/rad:local listens to AF_UNIX connections at the paths: o /system/volatile/rad/rad socket o /system/volatile/rad/radsocket-unauth o /system/volatile/rad/radsocket-http o /system/volatile/rad/radsocket-unauth-http The first and third AF_UNIX sockets will automatically authenticate the connecting process using getpeerucred(3C), while the other two require the connecting process to explicitly authenticate. svc:/system/rad:remote listens for TLS connections on ports 12302 (RAD RPC) and 6788 (HTTP/JSON) and for GSS-API (RAD RPC protocol) connec- tions on port 6789. The service is disabled by default. These ports require all clients to explicitly authenticate. Other system components, including some desktop administrative user interfaces, rely on the local instance of rad (svc:/system/rad:local). Oracle Solaris 11.4 23 Feb 2018 rad(8)