profiles - list and manage rights profiles
profiles [-lx] [-c command] [user ...] [-S repository]
profiles [-la] [-S repository]
profiles -p profile [-S repository] [subcommand]
profiles -p profile [-S repository] -f command_file
profiles help
The profiles utility creates and modifies the configuration of a rights profile in the prof_attr(5) or exec_attr(5) databases in the local files name service or LDAP name service. A rights profile configuration consists of a profile name and a number of properties.
The following synopsis of the profiles subcommand is for interactive usage:
profiles –p profile [–S repository] [subcommand]
The profiles command prints on standard output the names of the rights profiles that have been assigned to you or to the optionally-specified user or role name. Profiles are a bundling mechanism used to enumerate the commands and authorizations needed to perform a specific function. Along with each listed executable are the process attributes, such as the effective user and group IDs, with which the process runs when started by a privileged command interpreter. See the pfexec(1) man page. Profiles can contain other profiles defined in prof_attr(5).
Multiple profiles can be combined to construct the appropriate access control. When profiles are assigned, the authorizations are added to the existing set. If the same command appears in multiple profiles, the first occurrence, as determined by the ordering of the profiles is used for process-attribute settings. For convenience, a wildcard can be specified to match all commands.
The special profile “Stop” shortcuts the evaluations of further profiles. Profiles seen after the “Stop” profile are not evaluated nor are they used to find additional commands. This profile can be used to sidestep profiles listed in /etc/security/policy.conf with the PROF_GRANTED key and the authorizations listed with AUTH_GRANTED in that file.
When profiles are interpreted, the profile list is loaded from user_attr(5). For each user, there are two sets of profiles, an authenticated set, and an unauthenticated set. The user is required to reauthenticate prior to executing commands matching an entry in the authenticated profiles set. See pfexec(1). If any default profiles are defined in /etc/security/policy.conf (see policy.conf(5)), the list of default profiles are added to the list loaded from user_attr(5). Matching entries in prof_attr(5) provide the authorizations list, and matching entries in exec_attr(5) provide the commands list.
When invoked with the –p option, the properties of the specified profile, as well as the properties of its associated executable files can be managed. However, to maintain system integrity, those profiles that are maintained by Oracle Solaris can not be modified by this command. Such profiles can only be modified via the pkg command during a system update.
Optionally, other profiles can also be delivered by the pkg command as not modifiable.
To prevent privilege escalation, the property values are restricted based on the user's authorizations. At a minimum, an administrator needs to be granted the Rights Management profile. Additionally, to modify security-related properties controlled by delegate authorizations, an administrator must be granted Rights Delegation profile. See exec_attr(5), prof_attr(5), and the following summary for details.
Property values can be simple strings, or comma-separated lists of simple strings. Simple strings containing white space must be double quoted.
The profiles command operates in both profile and command contexts. The profile context is the initial state, in which the various profile properties can be managed. The following table summarizes the properties in the profile context:
Property Name Value Type Required Authorizations
name simple none
annotation simple solaris.account.setpolicy
auths list of simple solaris.auth.{assign/delegate}
profiles list of simple solaris.profile.{assign/delegate}
privs list of simple solaris.privilege.{assign/delegate}
limitpriv list of simple solaris.privilege.{assign/delegate}
defaultpriv list of simple solaris.privilege.{assign/delegate}
always_audit list of simple solaris.audit.assign
never_audit list of simple solaris.audit.assign
access_times list of simple solaris.account.setpolicy
desc simple none
help simple none
pam_policy simple solaris.account.setpolicy
cmd simple/new context none
The command context is entered by specifying the cmd property. While in the command context, the properties of the current command can be managed.
The following table summarizes the properties in the command context:
Property Name Value Type Required Authorizations
id simple none
privs list of simple solaris.privilege.{assign/delegate}
limitprivs list of simple solaris.privilege.{assign/delegate}
euid simple solaris.profile.cmd.setuid
uid simple solaris.profile.cmd.setuid
egid simple solaris.group.{assign/delegate}
gid simple solaris.group.{assign/delegate}
clearance simple solaris.label.delegate
The values that can be specified in the profile context properties are described in the following list. An equal sign (=) is required between the property and its values as specified in the following list.
The audit flags specifying event classes to always audit. Only the first occurrence of this property, either in the user's user_attr(5) entry, or in the ordered list of assigned profiles is applied at login and su.
Specifies whether a user is prompted for an audit record annotation description. yes requires the user to provide an annotation description when prompted. optional allows the user to specify an annotation description when prompted. no will not prompt the user for an annotation description, and is the default choice.
An audit record annotation description is a text line terminated by a newline returned by the application's PAM conversation function. The annotation text is included in each audit record generated by the user.
One or more comma-separated authorizations to be added to the new profile. If the wildcard character (*) is use in an authorization name, the name must be enclosed in double quotes (").
The fully qualified path to an executable file or the asterisk (*) symbol, which is used to specify all commands. An asterisk that replaces the filename component in a pathname indicates all files in a particular directory.
This is a special property that is used to enter the command context to manage the security properties of a command.
Either numeric IDs and names can be used for these IDs.
This property is initially set to the value that was specified by the previous cmd property, but can be modified. When used in conjunction with the select subcommand, the properties of an existing command can be cloned for subsequent editing.
The PAM policy to apply to a user. pam_policy must be either an absolute pathname to a pam.conf(5)-formatted file or the name of a pam.conf(5)-formatted file located in /etc/security/pam_policy. See pam_user_policy(7) for more information.
One or more comma-separated rules that specify the days and times that the corresponding set of applications and services can be accessed.
When checking the times for a specific service name, the evaluation begins with the rules specified through the access_times in the user's user_attr(5) database, and then follows the access_times in the user's profiles and subprofiles until a matching service name or a wildcard entry is found. If no match is found, the user is exempt from time restrictions for that service. See user_attr(5) for more information.
The set of privileges to be applied to the inheritable set of the executable process. The default is basic.
The set of privileges to be applied to the limit set of the executable process. The default is all.
The effective user ID of the process that executes with the command.
The real user ID of the process that executes with the command.
The effective group ID of the process that executes with the command.
The real group ID of the process that executes with the command.
The clearance of the process that executes with the command.
The default set of privileges assigned to a user's set of processes. Only the first occurrence of this property, either in the user's user_attr(5) entry, or in the ordered list of assigned profiles is applied at login and su.
The description of the new profile. The text must be enclosed in quotation marks.
The help file name for the new profile. The help file is copied to the /usr/lib/help/profiles/locale/locale directory, where locale is the value of the user's locale, or C if none is specified. Specifying this property is only applicable in the files repository.
The maximum set of privileges a user or any process started by the user, whether through su(8) or any other means, can obtain. Only the first occurrence of this property, either in the user's user_attr(5) entry, or in the ordered list of assigned profiles is applied at login and su.
The name of the profile. The initial value for the name is specified using –p option on the command line. If the name is changed, the current profile properties are applied to the newly named profile. In this way an existing profile can be cloned for subsequent editing. The name must not match an existing profile.
The audit flags specifying event classes to never audit. Only the first occurrence of this property, either in the user's user_attr(5) entry, or in the ordered list of assigned profiles is applied at login and su.
The set of privileges that can be specified using the P option of the pfexec(1) command.
One or more comma-separated supplementary profiles to be added to the new profile.
The following options are supported:
Lists all the profile names in the specified repository. If no repository is specified, it follows whatever is configured for prof_attr in nsswitch.conf(5).
Lists only the profile names in the user's authenticated profile set. By default, only the profiles in the user's unauthenticated profiles are listed.
Specifies the name of profiles command file. command_file is a text file of profiles subcommands, one per line.
Provides information about all rights profiles that are assigned to user and lists the commands and their special process attributes such as user and group IDs. Without the user argument, provides this information about the user who is running the command.
Provides the name of the Rights Profile and the matching id that would be used if the command were executed using a profile shell by the current user or the specified user(s). The corresponding process attributes are also provided when –l is specified. The –x option limits the search to the user's profiles requiring authentication. If no match is found for any of the specified users, the exit status is set to 1. Otherwise it is set to 0.
Specifies the profile name.
The valid repositories are files and ldap.
repository specifies which name service is updated. The default repository is files.
When invoked with the –p option, subcommands can be provided on the command line or interactively. Multiple subcommands, separated by semicolons can be specified on the command line by enclosing the entire set in quotation marks. The lack of subcommands implies an interactive session, during which auto-completion of subcommands can be invoked by using the TAB key.
The add and select subcommands can be used to select a specific command, at which point the context changes to that of the command. During an interactive session, the command context is identified by the command basename in the prompt string. The end and cancel subcommands are used to complete the command specification, at which time the context is reverted to the profile context.
Subcommands that can result in destructive actions or loss of work have a –F option to force the action. If input is from a terminal device, the user is prompted when appropriate. This could occur if a subcommand is given without the –F option. Otherwise, the action is disallowed, with a diagnostic message written to standard error.
The property-value can be a simple value, or a list of simple values for those properties which accept lists. The following subcommands are supported:
In the profile context, begins the specification for a given command. The context is changed to the command type.
Adds the specified values to the current property values. This subcommand can only be applied to properties that accept lists.
End the command specification and reset context to profile. Abandons any partially specified resources. cancel is only applicable in the command context.
Clear the value for the property.
Commit the current configuration from memory to stable storage. The configuration must be committed for the changes to take effect. Until the in-memory configuration is committed, you can remove changes with the revert subcommand. The commit operation is attempted automatically upon completion of a profiles session. Since a configuration must be correct to be committed, this operation automatically does a verify.
Delete the specified profile from memory and stable storage. This operation is not permitted if the profile is included as a subprofile of another profile in the same repository. Instead, a list of profiles which include this profile is supplied from which the user must manually remove this profile prior to deleting it. Specify the –F option to force the action. If the deletion is allowed, its action is instantaneous and the session is terminated.
End the command specification. This subcommand is only applicable in the command context. The profiles command verifies that the current command is completely specified. If so, it is added to the in-memory configuration (see commit for saving this to stable storage) and the context reverts to the profile context. If the specification is incomplete, it issues an appropriate error message.
Exit the profiles session. A commit is automatically attempted if needed. You can also use an EOF character to exit profiles. The –F option can be used to force the action.
Print configuration to standard output. Use the –f option to print the configuration to output-file. This option produces output in a form suitable for use in a command file option.
Print general help or help about specific topic.
Display information about the current profile or the specified property.
Removes the specified command from the profile. This subcommand is only valid in the profile context.
Removes all the commands from the profile. A confirmation is required, unless you use the –F option. This subcommand is only valid in the profile context.
Remove the specified values from the property. This can only be applied to properties that accept lists.
Revert the configuration back to the last committed state. The –F option can be used to force the action.
Select the command which matches the given pathname criteria, for modification. This subcommand is applicable only in the profile context.
Set a given property name to the given value. Some properties (for example, name and desc) are only valid in the profile context, while others are only valid in the command context. This subcommand is applicable in both the profile and command contexts.
Verify the current configuration for correctness:
The required properties are specified.
The values are valid for each keyword.
The user is authorized to specify the values.
The output of the profiles command has the following form:
example% profiles tester01 tester02 tester01 : Audit Management, All Commands tester02 : Device Management, All CommandsExample 2 Using the list Option
example% profiles -l tester01 tester02
tester01 :
Audit Management:
/usr/sbin/audit euid=root
/usr/sbin/auditconfig euid=root egid=sys
All Commands:
*
tester02 :
Device Management:
/usr/bin/allocate: euid=root
/usr/bin/deallocate: euid=root
All Commands
*
Example 3 Creating a New Profile
The following creates a new “User Manager” profile in LDAP. The new profile description is “Manage users and groups”, and the authorization assigned is solaris.user.manage. The supplementary profile assigned is “Mail Management”.
example% profiles -p "User Manager" -S ldap profiles:User Manager> set desc="Manage users and groups" profiles:User Manager> set auths=solaris.user.manage profiles:User Manager> set profiles="Mail Management" profiles:User Manager> exitExample 4 Displaying Information Regarding a Profile
The following command displays information regarding the “User Manager” profile:
example% profiles -p "User Manager" -S ldap info name=User Manager desc=Manage users and groups auths=solaris.user.manage profiles=Mail ManagementExample 5 Deleting a Profile
The following command deletes the “User Manager” profile from LDAP:
example% profiles -p "User Manager" -S ldap delete -FExample 6 Modifying a Profile
The following modifies the “User Manager” profile in LDAP. The new profile description is “Manage world”, the new authorization assignment is solaris.user.* authorizations, and the new supplementary profile assignment is All.
example% profiles -p "User Manager" -S ldap profiles:User Manager> set desc="Manage world" profiles:User Manager> set auths="solaris.user.*" profiles:User Manager> set profiles=All profiles:User Manager> exitExample 7 Creating an exec_attr Database Entry
The following command creates a new exec_attr entry for the “User Manager” profile in LDAP. The /usr/bin/cp entry is added. The command has an effective user ID of 0 and an effective group ID of 0.
example% profiles -p "User Manager" -S ldap profiles:User Manager> add cmd=/usr/bin/cp profiles:User Manager:cp> set euid=0 profiles:User Manager:cp> set egid=0 profiles:User Manager:cp> end profiles:User Manager> exitExample 8 Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry for the “User Manager” profile from LDAP. The entry designated for the command /usr/bin/cp is deleted.
example% profiles -p "User Manager" -S ldap profiles:User Manager> remove cmd=/usr/bin/cp profiles:User Manager> exitExample 9 Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr database entry for the User Manager profile in LDAP. The /usr/bin/cp entry is modified to execute with the real user ID of 0 and the real group ID of 0.
example% profiles -p "User Manager" -S ldap profiles:User Manager> select cmd=/usr/bin/cp profiles:User Manager:cp> clear euid profiles:User Manager:cp> clear egid profiles:User Manager:cp> set uid=0 profiles:User Manager:cp> set gid=0 profiles:User Manager:cp> end profiles:User Manager> exitExample 10 Showing the Attributes Associated With a Command
The following shows the process attributes that would be applied to the command /usr/sbin/useradd when executed by two users, John and Mary, using a profile shell.
example% profiles -lc /usr/sbin/useradd john mary john: name=User Management id=/usr/sbin/useradd euid=0 mary: name=All id=*
The following exit values are returned:
Successful completion
An error occurred or no profile matching the command is assigned to the user(s)
/etc/security/exec_attr
/etc/security/prof_attr
/etc/user_attr
/etc/security/policy.conf
See attributes(7) for descriptions of the following attributes:
|
auths(1), pfexec(1), pkg(1), roles(1), getprofattr(3C), auth_attr(5), exec_attr(5), nsswitch.conf(5), pam.conf(5), policy.conf(5), prof_attr(5), user_attr(5), attributes(7), audit_flags(7), pam_user_policy(7), privileges(7), rbac(7)
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP