prof_attr(5) man page - 윈디하나의 솔라나라

prof_attr(5)                     File Formats                     prof_attr(5)



NAME
       prof_attr - profile description database

SYNOPSIS
       /etc/security/prof_attr
       /etc/security/prof_attr.d/package

DESCRIPTION
       /etc/security/prof_attr  is a local source for execution profile names,
       descriptions, and other attributes of execution profiles. The prof_attr
       file  can  be  used with other profile sources, including the prof_attr
       NIS map. Programs use the getprofattr(3C) routines to  gain  access  to
       this information.


       /etc/security/prof_attr  entries  are  locally  managed  by  the system
       administrator. The /etc/security/prof_attr.d directory  contains  addi‐
       tional  entries installed by packages which should not be locally modi‐
       fied. If an  entry  appears  in  multiple  files  in  these  locations,
       /etc/security/prof_attr  takes  precedence. The profiles(1) command may
       be used to verify the active definition for a profile.


       The search order for multiple prof_attr sources  is  specified  in  the
       nsswitch.conf(5) man page.


       An  execution  profile  is a mechanism used to bundle together the com‐
       mands and authorizations needed to perform a specific function. An exe‐
       cution profile can also contain other execution profiles. Each entry in
       the prof_attr database consists of one line  of  text  containing  five
       fields  separated by colons (:). Line continuations using the backslash
       (\) character are permitted. The format of each entry is:


       profname:res1:res2:desc:attr

       profname    The name of the profile. Profile names are case-sensitive.


       res1        The characters RO in this field indicate it  is  read  only
                   and not modifiable by the tools that update this database.


       res2        Reserved for future use.


       desc        A  long  description. This field should explain the purpose
                   of the profile, including what type of user would be inter‐
                   ested  in using it. The long description should be suitable
                   for displaying in the help text of an application.


       attr        An optional list of semicolon-separated (;) key-value pairs
                   that  describe  the  security  attributes  to  apply to the
                   object upon execution. Zero or more keys can be  specified.
                   The following keys are currently interpreted by the system:

                   help is a key-value pair, which is obsolete and is ignored.

                   audit_flags  specifies per-user audit preselection flags as
                   a colon-separated list  of  always-audit-flags  and  never-
                   audit-flags  values; for example, audit_flags=always-audit-
                   flags:never-audit-flags.  For  more  information,  see  the
                   audit_flags(7) man page.

                   auths  specifies  a  comma-separated  list of authorization
                   names chosen from those names defined in  the  auth_attr(5)
                   database.  Authorization  names  can be specified using the
                   asterisk  (*)  character  as  a  wildcard.   For   example,
                   solaris.printer.* would mean all of Oracle Solaris's autho‐
                   rizations for printing.

                   pam_policy specifies the PAM policy to  apply  to  a  user.
                   pam_policy  must  be  either  an  absolute  pathname  to  a
                   pam.conf(5)-formatted file or the name of  a  pam.conf-for‐
                   matted  file  located in /etc/security/pam_policy. For more
                   information, see the pam_user_policy(7) man page.

                   access_times specifies the days and times that  the  corre‐
                   sponding  set of applications and services can be accessed.
                   When checking the rules for a specific service the  evalua‐
                   tion   begins   with   the   access_times   in  the  user's
                   user_attr(5) database, and then follows the access_times in
                   the  user's profiles and sub-profiles until a matching ser‐
                   vice name or a wildcard entry is found.  If  no  rules  are
                   found  for  the  service,  the  user  is  exempt  from time
                   restrictions for that service. For  a  description  of  the
                   syntax for this property, see the user_attr(5) man page.

                   profiles  specifies a comma-separated list of profile names
                   chosen from those names defined in the prof_attr database.

                    privs specifies a comma-separated list of privilege names
                    chosen from those names defined in the priv_names(5)
                    database. These privileges can then be used for executing
                    commands with pfexec(1).

                   annotation,  audit_flags, pam_policy, defaultpriv, and lim‐
                   itpriv have the same semantics as in user_attr(5). If  they
                   are  not  specified in the user_attr database, the assigned
                   profiles are searched until a match is found.


EXAMPLES
       Example 1 Allowing Execution of All Commands



       The following entry allows the user to execute all commands:


         All:::Execute any command as the user or role


       Example 2 Consulting the Local prof_attr File First



       With the following nsswitch.conf entry, the  local  prof_attr  file  is
       consulted before the NIS map:


         prof_attr: files nis


       Example 3 Displaying prof_attr entries



       The  getent(8)  command can be used to print the definitions used for a
       profile following the search path configured via nsswitch.conf:


         % getent prof_attr "Media Backup" "Media Restore"
         Media Backup:RO::Backup files and file systems:profiles=NDMP Management
         Media Restore:RO::Restore files and file systems from backups:
         auths=solaris.media.extract;profiles=NDMP Management


FILES
       /etc/security/prof_attr

           Locally added entries.


       /etc/security/prof_attr.d/*

           Entries added by package installation.


NOTES
       The root user is usually defined in local databases because root  needs
       to  be able to log in and do system maintenance in single-user mode and
       at other times when the network name service databases are  not  avail‐
       able.  So  that the profile definitions for root can be located at such
       times, root's profiles should be defined in the local  prof_attr  file,
       and  the  order  shown in the example nsswitch.conf(5) file entry under
       EXAMPLES is highly recommended.


       Because the list of legal keys is  likely  to  expand,  any  code  that
       parses  this database must be written to ignore unknown key-value pairs
       without error. When any new keywords are created, the names  should  be
       prefixed  with  a unique string, such as the company's stock symbol, to
       avoid potential naming conflicts.


       The following characters are used in describing the database format and
       must  be escaped with a backslash if used as data: colon (:), semicolon
       (;), equals (=), and backslash (\).
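       A parser for the five-field entry format described under DESCRIPTION,
       written to the rules in these NOTES: backslash escapes for : ; = and \,
       backslash line continuations, and unknown key-value pairs ignored rather
       than rejected. This is an added example, not code from this page or from
       Oracle Solaris; the sample entries are constructed, and the xyz_site_tag
       key and RtOps.html value are placeholders.

```python
import re

# Constructed sample entries (not from any real system): a backslash line
# continuation, escaped delimiters in the desc field, and two unknown keys.
SAMPLE = r"""Media Backup:RO::Backup files and file systems:profiles=NDMP Management
Custom Ops:RO::Ops 1\:1 cover\; see docs:auths=solaris.media.extract;\
privs=file_dac_read,proc_owner;help=RtOps.html;xyz_site_tag=blue
"""
KNOWN_KEYS = {"auths", "profiles", "privs", "audit_flags", "pam_policy",
              "access_times", "annotation", "defaultpriv", "limitpriv"}
LIST_KEYS = {"auths", "profiles", "privs", "defaultpriv", "limitpriv"}

def logical_lines(text):
    """Join backslash-newline continuations and drop blank lines."""
    return [ln for ln in text.replace("\\\n", "").splitlines() if ln.strip()]

def split_unescaped(text, sep):
    """Split on unescaped sep; escape pairs stay intact for re-splitting."""
    fields, cur, i = [], "", 0
    while i < len(text):
        n = 2 if text[i] == "\\" else 1     # an escape pair is copied verbatim
        if n == 1 and text[i] == sep:
            fields, cur = fields + [cur], ""
        else:
            cur += text[i:i + n]
        i += n
    return fields + [cur]

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)    # \: \; \= \\ -> the literal char

def parse_entry(line):
    """Parse one logical line; unknown keys are recorded and ignored."""
    fields = split_unescaped(line, ":")
    if len(fields) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % line)
    name, res1, _res2, desc = (unescape(f) for f in fields[:4])
    attrs, ignored = {}, []
    for pair in filter(None, split_unescaped(fields[4], ";")):
        kv = split_unescaped(pair, "=")
        key, value = unescape(kv[0]), unescape("=".join(kv[1:]))
        if key not in KNOWN_KEYS:           # obsolete "help", vendor-prefixed keys
            ignored.append(key)
        else:
            attrs[key] = value.split(",") if key in LIST_KEYS else value
    return {"name": name, "read_only": res1 == "RO", "desc": desc,
            "attrs": attrs, "ignored_keys": ignored}

def parse_prof_attr(text):
    return {e["name"]: e for e in map(parse_entry, logical_lines(text))}
```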


       The following authorizations are required to set various fields:

         prof            name of profile            solaris.profile.manage
         desc            description of profile     solaris.profile.manage
         help            help file name             solaris.profile.manage
                           of profile
         annotation      audit record annotation    solaris.account.setpolicy
         audit_flags     audit preselection flags   solaris.audit.assign
         auths           authorizations granted     solaris.auth.assign/delegate
         pam_policy      PAM policy applied         solaris.account.setpolicy
         access_times    PAM time policy            solaris.account.setpolicy
         profiles        profiles granted           solaris.profile.assign/delegate
         privs           privileges granted         solaris.privilege.assign/delegate
         limitpriv       the limit set of           solaris.privilege.assign/delegate
                           privileges for the
                           command process
         defaultpriv     the inheritable set of     solaris.privilege.assign/delegate
                           privileges for the
                           command process



       The value of limitpriv that can be set by  an  authorized  user  for  a
       given  command  is limited to the limitpriv privileges that are granted
       to the user.


       The value of the defaultpriv that can be set by an authorized user  for
       a given command is limited to the defaultpriv privileges granted to the
       user.


       The solaris.auth.assign authorization allows the authorized user to
       grant any authorization to another user. The solaris.auth.delegate
       authorization allows the authorized user to grant only the user's own
       authorizations to another user. The same principle applies to profiles
       and privileges.

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------------+-----------------+
       |   ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +---------------------+-----------------+
       |Availability         | See below.      |
       +---------------------+-----------------+
       |Interface Stability  | See below.      |
       +---------------------+-----------------+


   Availability
       /etc/security/prof_attr is delivered in the system/core-os package.


       /etc/security/prof_attr.d/ files are delivered  in  the  packages  that
       provide the software they are associated with.

   Interface Stability
       The format is Committed. The contents have no stability attributes.

SEE ALSO
       auths(1),  pfexec(1),  profiles(1),  getauthattr(3C),  getprofattr(3C),
       getuserattr(3C),     auth_attr(5),     exec_attr(5),     priv_names(5),
       user_attr(5), audit_flags(7), pam_user_policy(7), rbac(7), getent(8)

HISTORY
       Support  for  /etc/security/prof_attr.d/  files  was  added  in  Oracle
       Solaris 11.0.0.


       /etc/security/prof_attr was added in Solaris 8.



Oracle Solaris 11.4               3 Nov 2021                      prof_attr(5)
The copyright of the man page content belongs to the man page author.