svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
exec_attr(5)
exec_attr(5) File Formats exec_attr(5)
NAME
exec_attr - execution profiles database
SYNOPSIS
/etc/security/exec_attr
/etc/security/exec_attr.d/package
DESCRIPTION
/etc/security/exec_attr is a local database that specifies the execu‐
tion attributes associated with profiles. The exec_attr file can be
used with other sources for execution profiles, including the exec_attr
NIS map. Programs use the getexecattr(3C) routines to access this
information.
/etc/security/exec_attr entries are locally managed by the system
administrator. The /etc/security/exec_attr.d directory contains addi‐
tional entries installed by packages which should not be locally modi‐
fied. If an entry appears in multiple files in these locations,
/etc/security/exec_attr takes precedence. The getent(8) command may be
used to verify the active entries in this database.
The search order for multiple execution profile sources is specified in
the nsswitch.conf(5) man page. The search order follows the entry for
prof_attr(5).
A profile is a logical grouping of authorizations and commands that is
interpreted by a profile shell to form a secure execution environment.
The shells that interpret profiles are described in the pfsh(1) man
page. Each user's account is assigned zero or more profiles in the
user_attr(5) database.
Each entry in the exec_attr database consists of one line of text con‐
taining seven fields separated by colons (:). Line continuations using
the backslash (\) character are permitted. The basic format of each
entry is:
name:policy:type:res1:res2:id:attr
name The name of the profile. Profile names are case-sensitive.
policy The security policy that is associated with the profile
entry. The valid policy type is solaris. The solaris policy
recognizes privileges. See privileges(7).
type The type of object defined in the profile. The valid type is
cmd. The cmd type specifies that the ID field is a command
that would be executed by a shell.
res1 The characters RO in this field indicate it is read only and
not modifiable by the tools that update this database.
res2 Reserved for future use.
id A string that uniquely identifies the object described by the
profile. For a profile of type cmd, the id is either the full
path to the command or the asterisk (*) symbol, which is used
to allow all commands. An asterisk that replaces the filename
component in a pathname indicates all files in a particular
directory.
To specify arguments, the pathname should point to a shell
script that is written to execute the command with the
desired argument. In a Bourne shell, the effective UID is
reset to the real UID of the process when the effective UID
is less than 100 and not equal to the real UID. Depending on
the euid and egid values, Bourne shell limitations might make
other shells preferable. To prevent the effective UIDs from
being reset to real UIDs, you can start the script with the
-p option.
#!/usr/sunos/bin/sh -p
attr An optional list of semicolon-separated (;) key-value pairs
that describe the security attributes to apply to the object
upon execution. Zero or more keys can be specified. The list
of valid key words depends on the policy enforced. The fol‐
lowing key words are valid: euid, uid, egid, gid, privs, lim‐
itprivs, and clearance.
euid and uid contain a single user name or a numeric user ID.
Commands designated with euid run with the effective UID
indicated, which is similar to setting the setuid bit on an
executable file. Commands designated with uid run with both
the real and effective UIDs. Setting uid might be more appro‐
priate than setting the euid on privileged shell scripts.
egid and gid contain a single group name or a numeric group
ID. Commands designated with egid run with the effective GID
indicated, which is similar to setting the setgid bit on a
file. Commands designated with gid run with both the real and
effective GIDs. Setting gid might be more appropriate than
setting guid on privileged shell scripts.
privs contains a privilege set which are added to the inheri‐
table set prior to running the command.
privs contains a privilege set which is added to the inheri‐
table set prior to running the command. Privileges including
those in basic set are preceded by a dash (-) or an exclama‐
tion mark (!), may be removed from the inheritable set.
limitprivs contains a privilege set which are assigned to the
limit set prior to running the command.
privs and limitprivs are only valid for the solaris policy.
clearance contains a process label specification in human
readable or internal textual formats. See labels(7). When you
apply this attribute to the associated command, the execution
fails with EACCES. This happens if this clearance is not dom‐
inated by the clearance explicitly specified in the real or
effective user's user_attr(5) entry, or implicitly by the
default clearance specified through labelcfg(8).
clearance is ignored when Trusted Extensions is enabled.
EXAMPLES
Example 1 Using Privileges
The following example shows the audit command specified in the Audit
Control profile to execute with the proc_owner privilege:
Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner
FILES
/etc/security/exec_attr
Locally added entries.
/etc/security/exec_attr.d/*
Entries added by package installation.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ AvailabilitySee below. _ Interface StabilitySee below.
Availability
/etc/security/exec_attr is delivered in the system/core-os package.
/etc/security/exec_attr.d/ files are delivered in the packages that
provide the software they are associated with.
Interface Stability
The format is Committed. The contents have no stability attributes.
NOTES
Because the list of legal keys is likely to expand, any code that
parses this database must be written to ignore unknown key-value pairs
without error. When any new keywords are created, the names should be
prefixed with a unique string, such as the company's stock symbol, to
avoid potential naming conflicts.
The following characters are used in describing the database format and
must be escaped with a backslash if used as data: colon (:), semicolon
(;), equals (=), and backslash (\).
The authorizations required to set various fields are:
name profile name solaris.profile.cmd.manage
policy security policy solaris.profile.cmd.manage
type type of object defined solaris.profile.cmd.manage
in the profile
id full path of command solaris.profile.cmd.manage
The authorizations required to set attr security attributes of the com‐
mand are:
euid euid of the command solaris.profile.cmd.setuid
process
uid uid of the command solaris.profile.cmd.setuid
process
egid egid of the command solaris.group.assign/delegate
process
gid gid of the command solaris.group.assign/delegate
process
privs privileges added to
the inheritable set of solaris.privilege.assign/delegate
privileges for the
command. An Extended
Policy can be specified
here. See privileges(7).
limitprivs privileges assigned to
the limit set of solaris.privilege.assign/delegate
privileges for the
command
clearance clearance of the command
process solaris.label.delegate
The value of limitprivs that can be set by an authorized user for a
given command are limited to the limitprivs privileges that are granted
to the user.
The value of the privs that can be set by an authorized user for a
given command are limited to the defaultprivs privileges granted to the
user.
The solaris.privilege.assign authorization allows the authorized user
to grant any privilege to a command. The solaris.privilege.delegate
allows the authorized user to grant privileges from the user's privi‐
lege sets. See group(5) for more information on solaris.group.assign
and solaris.group.delegate.
The solaris.label.delegate authorization allows the authorized user to
specify a clearance value that is dominated by the user's current
clearance.
When normal user processes are executed at the user's maximum clear‐
ance, this attribute can only be used to lower a command's process
label. The clearance attribute is more useful in a role's profile
because the current user's process label is maintained when assuming a
role with a higher clearance. In this case the clearance attribute can
be used to raise the command's process label up to the role's maximum
clearance.
SEE ALSO
auths(1), profiles(1), roles(1), sh(1s), kva_match(3C), getau‐
thattr(3C), getexecattr(3C), getprofattr(3C), getuserattr(3C),
auth_attr(5), group(5), prof_attr(5), user_attr(5), attributes(7),
privileges(7), rbac(7)
HISTORY
Support for /etc/security/exec_attr.d/ files was added in Oracle
Solaris 11.0.0.
/etc/security/exec_attr was added in Solaris 8.
Oracle Solaris 11.4 21 Jun 2021 exec_attr(5)