auths - manage and list authorizations
auths [user]...
auths list [-S repository] [-vx] [-u user]
auths info [-S repository] [-v] [authorization]
auths check [-u user] authorization
auths add [-S repository] -t description authorization
auths modify [-S repository] [-t description] authorization
auths remove [-S repository] authorization
Authorizations are rights that are checked by certain privileged programs to determine whether a user may execute restricted functionality. They are part of the Solaris Role Based Access Control system described in rbac(7).
The auths command has various subcommands to manage an authorization and its properties in the auth_attr(5) database in the local files name service or the LDAP name service. When run with no subcommand, the auths command prints on standard output the authorizations that the user running it, or the optionally specified user or role, has been granted.
An administrator must be granted the Rights Management Profile to be able to manage the authorizations in the auth_attr(5) database with the add, modify, or remove subcommands.
Each user may have zero or more authorizations. Authorizations are represented by fully-qualified names, which identify the organization that created the authorization and the functionality that it controls. Following the Java convention, the hierarchical components of an authorization are separated by dots (.), starting with the reverse order Internet domain name of the creating organization, and ending with the specific function within a class of authorizations. Authorizations cannot end with a dot (.).
An asterisk (*) indicates all authorizations in a class.
A user's authorizations are looked up in user_attr(5) and in the /etc/security/policy.conf file (see policy.conf(5)). Authorizations may be specified directly in user_attr(5) or indirectly through prof_attr(5). Authorizations may also be assigned to every user in the system directly as default authorizations or indirectly as default profiles in the /etc/security/policy.conf file.
For each user, there are two sets of profiles, an authenticated set, and an unauthenticated set. Authorizations in the authenticated set are always effective, but those in the unauthenticated set only become effective after a successful response to an authentication challenge. Such challenges are automatically issued when the user executes a command matching an entry in the authenticated profiles set. See pfexec(1).
add
    Create the specified authorization in the specified name service repository.
    If no repository option is specified, the authorization is created in the files name service.
check
    Check if the specified authorization has been granted to the specified user, or to the current user if the -u option was not given.
    If the user has the proper authorization, auths exits with exit code 0. Otherwise, it returns with exit code greater than 1.
info
    Check if the specified authorization is present in the specified name service repository, or look it up based on nsswitch.conf(5) if no -S is given. If the specified authorization is present, it is listed and auths exits with return code 0.
    If no authorization is specified, auths prints all the authorizations present in the specified name service repository or based on nsswitch.conf(5).
list
    List all the authorizations that are assigned to the specified user, or to the current user if no username is specified, based on the name service repository.
    If no repository is specified, the information is looked up based on nsswitch.conf(5).
modify
    Modify an existing authorization in the specified name service repository. If no repository is specified, the authorization is modified in the first name service in which it is found, based on nsswitch.conf(5).
remove
    Remove an existing authorization from the specified name service repository.
    If no repository is specified, the authorization is removed from the first name service in which it is found, based on nsswitch.conf(5).
The auths subcommands support the following options:
-S repository
    Specify the name service repository to be modified or searched. The supported repository options are files and ldap.
    If this option is omitted, the lookup is based on nsswitch.conf(5).
-t description
    Specify the textual description of the authorization.
-u user
    Specify the user for which to list or check authorizations.
    If this option is omitted, the current user is used.
-v
    Print the description for each authorization.
-x
    Only print the authorizations.
The output of the auths command, run with no subcommand, looks as follows:
    example% auths tester01 tester02
    tester01 : solaris.system.date,solaris.jobs.admin
    tester02 : solaris.system.*
There is no space after the comma separating the authorization names in the line for tester01.
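As an added example, not taken from the auths(1) man page, the POSIX sh function below parses this no-subcommand output format (comma-separated names with no space, and a trailing asterisk standing for a whole class of authorizations) so that a script can answer the same yes/no question as auths check from output captured once; the sample output, the function names and the exit code 2 for an unknown user are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the auths(1) man page: decide whether a user holds
# an authorization by parsing the "user : auth1,auth2" lines that `auths`
# prints with no subcommand. Names are separated by commas with no space, and
# an entry ending in "*" grants every authorization in that class.

# Constructed sample of `auths tester01 tester02` output (as shown above).
SAMPLE_AUTHS_OUTPUT='tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*'

# auth_matches GRANTED WANTED: exit 0 if GRANTED covers WANTED.
auth_matches() {
    case $1 in
        *.\*)
            # Class wildcard: "solaris.system.*" covers "solaris.system.date".
            _prefix=${1%\*}
            case $2 in
                "$_prefix"*) return 0 ;;
            esac
            return 1 ;;
        "$2") return 0 ;;
    esac
    return 1
}

# user_has_auth USER AUTH [OUTPUT]: exit 0 if granted, 1 if not, 2 if USER has
# no line in OUTPUT. OUTPUT defaults to running `auths USER` on the local host;
# the sample above is passed explicitly so the function can run anywhere.
user_has_auth() {
    _user=$1
    _wanted=$2
    _output=${3:-$(auths "$_user" 2>/dev/null)}
    # Keep the third field of the line whose first field is USER.
    _names=$(printf '%s\n' "$_output" | awk -v u="$_user" '$1 == u && $2 == ":" { print $3 }')
    [ -n "$_names" ] || return 2
    _old_ifs=$IFS
    IFS=,
    set -f                      # no pathname expansion of "solaris.system.*"
    for _granted in $_names; do
        if auth_matches "$_granted" "$_wanted"; then
            set +f; IFS=$_old_ifs
            return 0
        fi
    done
    set +f; IFS=$_old_ifs
    return 1
}

# Usage in a wrapper script on a live host:
#   user_has_auth "$(id -un)" solaris.jobs.admin || { echo "not authorized" >&2; exit 2; }
```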
The following command lists the authorizations that are assigned to user tester01.
    example% auths list -u tester01
    tester01:
        solaris.jobs.admin
        solaris.system.date
Example 2 Listing Authorizations
The following command lists the authorizations assigned to user tester01, with their descriptions.
    example% auths list -v -u tester01
    tester01:
        solaris.jobs.admin     Manage All Jobs
        solaris.system.date    Set Date & Time
Example 3 Listing Authorizations
The following command lists the authorization solaris.user.manage, with its description, from the name service.
    example% auths info -v solaris.user.manage
    solaris.user.manage: Manage user accounts
Example 4 Adding an Authorization
The following command adds the authorization solaris.foo.manage, with the description "manage foo", to the files name service repository.
    example% auths add -t "manage foo" solaris.foo.manage
Example 5 Modifying an Authorization
The following example modifies the authorization solaris.foo.manage in LDAP, setting its description to "manage foo and bars".
    example% auths -S ldap modify -t "manage foo and bars" \
        solaris.foo.manage
The following exit values are returned:
Successful completion.
An error occurred.
User not authorized.
/etc/user_attr
/etc/security/auth_attr
/etc/security/policy.conf
/etc/security/prof_attr
See attributes(7) for descriptions of the following attributes:
profiles(1), roles(1), getauthattr(3C), auth_attr(5), policy.conf(5), prof_attr(5), user_attr(5), attributes(7), rbac(7)
Securing Users and Processes in Oracle Solaris 11.4
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
The auths command was added to Oracle Solaris in Solaris 8.
The subcommands add, check, info, list, modify, and remove, and the options -h, -S, -t, -u, and -v, were added in Solaris 11.1.0.
The -x option was added in Solaris 11.2.0.
The -h option, which supplied an HTML authorization help file, was obsoleted in Solaris 11.4.0.