auths(1)
auths(1) User Commands auths(1)
NAME
auths - manage and list authorizations
SYNOPSIS
auths [user]...
auths list [-S repository] [-vx] [-u user]
auths info [-S repository] [-v] [authorization]
auths check [-u user] authorization
auths add [-S repository] -t description authorization
auths modify [-S repository] [-t description] authorization
auths remove [-S repository] authorization
DESCRIPTION
Authorizations are rights that are checked by certain privileged
programs to determine whether a user may execute restricted
functionality. They are part of the Solaris Role Based Access Control
system described in rbac(7).
The auths command has various subcommands to manage an authorization
and its properties in the auth_attr(5) database in the local files name
service or LDAP name service. When run with no subcommand, the auths
command prints on standard output the authorizations that the user
running it, or the optionally specified user or role, has been granted.
An administrator must be granted the Rights Management Profile to be
able to manage the authorizations in the auth_attr(5) database with the
add, modify, or remove subcommands.
Each user may have zero or more authorizations. Authorizations are
represented by fully-qualified names, which identify the organization
that created the authorization and the functionality that it controls.
Following the Java convention, the hierarchical components of an
authorization are separated by dots (.), starting with the reverse
order Internet domain name of the creating organization, and ending
with the specific function within a class of authorizations.
Authorizations cannot end with a dot (.).
An asterisk (*) indicates all authorizations in a class.
A user's authorizations are looked up in user_attr(5) and in the
/etc/security/policy.conf file (see policy.conf(5)). Authorizations may
be specified directly in user_attr(5) or indirectly through
prof_attr(5). Authorizations may also be assigned to every user in the
system directly as default authorizations or indirectly as default
profiles in the /etc/security/policy.conf file.
For each user, there are two sets of profiles, an authenticated set,
and an unauthenticated set. Authorizations in the authenticated set are
always effective, but those in the unauthenticated set only become
effective after a successful response to an authentication challenge.
Such challenges are automatically issued when the user executes a
command matching an entry in the authenticated profiles set. See
pfexec(1).
Subcommands
add [-S repository] -t description authorization
Create the specified authorization in the specified name service
repository.
If no repository option is specified, the authorization is created
in the files name service.
check [-u user] authorization
Check if the specified authorization has been granted to the
specified user, or the current user if the -u option was not given.
If the user has the proper authorization, auths exits with exit
code 0. Otherwise, it returns with exit code greater than 1.
info [-S repository] [-v] [authorization]
Check whether the specified authorization is present in the specified
name service repository, or look it up based on nsswitch.conf(5) if
no -S is given. If the specified authorization is present, it is
listed and auths exits with return code 0.
If no authorization is specified, auths prints all the authorizations
present in the specified name service repository or based on
nsswitch.conf(5).
list [-S repository] [-vx] [-u user]
Lists all the authorizations that are assigned to the specified
user or the current user, if no username is specified, based on the
name service repository.
If no repository is specified the information is looked up based on
nsswitch.conf(5).
modify [-S repository] [ -t description ] authorization
Modify an existing authorization in the specified name service
repository. If no repository is specified the authorization will be
modified in the first name service that it is found in based on
nsswitch.conf(5).
remove [-S repository] authorization
Remove an existing authorization in the specified name service
repository.
If no repository is specified, the authorization is removed from
the first name service that it is found in based on
nsswitch.conf(5).
OPTIONS
The auths subcommands support the following options:
-S repository Specify the name service repository to be modified or
searched. The supported repository options are files
and ldap.
Note -
When updating the ldap repository, both the LDAP
server and client must be configured with
EnableShadowUpdate=true.
If this option is omitted, look up is based on
nsswitch.conf(5).
-t description Specify the textual description of the authorization.
-u user Specify the user for which to list or check
authorization.
If this option is omitted, the current user is used.
-v Print the description for the authorization.
-x Only print the authorizations.
EXAMPLES
Example 1 Using the auths Command
The output from the auths command looks as follows:
example% auths tester01 tester02
tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*
There is no space after the comma separating the authorization names in
tester01.
The following command lists the authorizations that are assigned to
user tester01.
example% auths list -u tester01
tester01:
solaris.jobs.admin
solaris.system.date
Example 2 Listing Authorizations
The following command lists the authorizations assigned to user
tester01 with descriptions.
example% auths list -v -u tester01
tester01:
solaris.jobs.admin
Manage All Jobs
solaris.system.date
Set Date & Time
Example 3 Listing Authorizations
The following command lists the authorizations with descriptions in the
name service.
example% auths info -v solaris.user.manage
solaris.user.manage:
Manage user accounts
Example 4 Adding an Authorization
The following adds the authorization solaris.foo.manage with a
description of "manage foo" to the files name service repository.
example% auths add -t "manage foo" solaris.foo.manage
Example 5 Modifying an Authorization
The following example modifies the authorization solaris.foo.manage in
LDAP, setting the description to "manage foo and bars".
example% auths modify -S ldap -t "manage foo and bars" \
solaris.foo.manage
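Added example (not part of the Oracle manual page): a POSIX shell sketch that reads the "user : auth,auth" lines shown in Example 1 and reports which users hold a given authorization, treating a trailing asterisk as "all authorizations in a class" as described above. The function names auth_covers and users_with_auth are hypothetical, and the sample input is constructed from the Example 1 output.

```sh
#!/bin/sh
# Added example: find which users hold a given authorization, using the
# "user : auth1,auth2" lines printed by `auths user...` (Example 1 format).

# Constructed sample input, copied from the Example 1 output above.
SAMPLE='tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*'

# auth_covers GRANTED WANTED  (hypothetical helper)
# Succeeds when GRANTED is WANTED itself, or GRANTED is a class wildcard
# ("class.*") and WANTED is an authorization inside that class.
auth_covers() {
    case "$1" in
        "$2") return 0 ;;
        *.\*)
            prefix=${1%\*}              # "solaris.system.*" -> "solaris.system."
            case "$2" in "$prefix"?*) return 0 ;; esac ;;
    esac
    return 1
}

# users_with_auth WANTED  (hypothetical helper; reads auths output on stdin)
# Prints each user whose grant list covers WANTED, one per line.
users_with_auth() {
    wanted=$1
    while IFS= read -r line; do
        user=${line%% : *}
        list=${line#* : }
        [ "$user" != "$line" ] || continue   # not a "user : list" line
        old_ifs=$IFS; IFS=,                  # names are comma-separated, no spaces
        set -f                               # keep "solaris.system.*" from globbing
        for granted in $list; do
            if auth_covers "$granted" "$wanted"; then
                printf '%s\n' "$user"
                break
            fi
        done
        set +f; IFS=$old_ifs
    done
}

# Demo on the constructed sample: both users are reported, tester02 only
# because of the class wildcard.
printf '%s\n' "$SAMPLE" | users_with_auth solaris.system.date
```

On a Solaris system the same filter can be fed live data, for instance auths tester01 tester02 | users_with_auth solaris.system.date. For a single user, auths check -u user authorization gives the authoritative answer through its exit code.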
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 An error occurred.
2 User not authorized.
FILES
/etc/user_attr
/etc/security/auth_attr
/etc/security/policy.conf
/etc/security/prof_attr
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---------------+----------------
Availability   | system/core-os
SEE ALSO
profiles(1), roles(1), getauthattr(3C), auth_attr(5), policy.conf(5),
prof_attr(5), user_attr(5), attributes(7), rbac(7)
Securing Users and Processes in Oracle Solaris 11.4
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
HISTORY
The auths command was added to Oracle Solaris in Solaris 8.
The subcommands add, check, info, list, modify, and remove, and the
options -h, -S, -t, -u, and -v were added in Solaris 11.1.0.
The -x option was added in Solaris 11.2.0.
The -h option to provide an html authorization helpfile was obsoleted
in Solaris 11.4.0.
Oracle Solaris 11.4 21 Jun 2021 auths(1)