svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
prof_attr(5)
prof_attr(5) File Formats prof_attr(5)
NAME
prof_attr - profile description database
SYNOPSIS
/etc/security/prof_attr
/etc/security/prof_attr.d/package
DESCRIPTION
/etc/security/prof_attr is a local source for execution profile names,
descriptions, and other attributes of execution profiles. The prof_attr
file can be used with other profile sources, including the prof_attr
NIS map. Programs use the getprofattr(3C) routines to gain access to
this information.
/etc/security/prof_attr entries are locally managed by the system
administrator. The /etc/security/prof_attr.d directory contains addi‐
tional entries installed by packages which should not be locally modi‐
fied. If an entry appears in multiple files in these locations,
/etc/security/prof_attr takes precedence. The profiles(1) command may
be used to verify the active definition for a profile.
The search order for multiple prof_attr sources is specified in the
nsswitch.conf(5) man page.
An execution profile is a mechanism used to bundle together the com‐
mands and authorizations needed to perform a specific function. An exe‐
cution profile can also contain other execution profiles. Each entry in
the prof_attr database consists of one line of text containing five
fields separated by colons (:). Line continuations using the backslash
(\) character are permitted. The format of each entry is:
profname:res1:res2:desc:attr
profname The name of the profile. Profile names are case-sensitive.
res1 The characters RO in this field indicate it is read only
and not modifiable by the tools that update this database.
res2 Reserved for future use.
desc A long description. This field should explain the purpose
of the profile, including what type of user would be inter‐
ested in using it. The long description should be suitable
for displaying in the help text of an application.
attr An optional list of semicolon-separated (;) key-value pairs
that describe the security attributes to apply to the
object upon execution. Zero or more keys can be specified.
The following keys are currently interpreted by the system:
help is a key-value pair, which is obsolete and is ignored.
audit_flags specifies per-user audit preselection flags as
a colon-separated list of always-audit-flags and never-
audit-flags values; for example, audit_flags=always-audit-
flags:never-audit-flags. For more information, see the
audit_flags(7) man page.
auths specifies a comma-separated list of authorization
names chosen from those names defined in the auth_attr(5)
database. Authorization names can be specified using the
asterisk (*) character as a wildcard. For example,
solaris.printer.* would mean all of Oracle Solaris's autho‐
rizations for printing.
pam_policy specifies the PAM policy to apply to a user.
pam_policy must be either an absolute pathname to a
pam.conf(5)-formatted file or the name of a pam.conf-for‐
matted file located in /etc/security/pam_policy. For more
information, see the pam_user_policy(7) man page.
access_times specifies the days and times that the corre‐
sponding set of applications and services can be accessed.
When checking the rules for a specific service the evalua‐
tion begins with the access_times in the user's
user_attr(5) database, and then follows the access_times in
the user's profiles and sub-profiles until a matching ser‐
vice name or a wildcard entry is found. If no rules are
found for the service, the user is exempt from time
restrictions for that service. For a description of the
syntax for this property, see the user_attr(5) man page.
profiles specifies a comma-separated list of profile names
chosen from those names defined in the prof_attr database.
privs specifies a comma-separated list of privileges names
chosen from those names defined in the priv_names(5) data‐
base. These privileges can then be used for executing com‐
mands with pfexec(1).
annotation, audit_flags, pam_policy, defaultpriv, and lim‐
itpriv have the same semantics as in user_attr(5). If they
are not specified in the user_attr database, the assigned
profiles are searched until a match is found.
EXAMPLES
Example 1 Allowing Execution of All Commands
The following entry allows the user to execute all commands:
All:::Execute any command as the user or role
Example 2 Consulting the Local prof_attr File First
With the following nsswitch.conf entry, the local prof_attr file is
consulted before the NIS map:
prof_attr: files nis
Example 3 Displaying prof_attr entries
The getent(8) command can be used to print the definitions used for a
profile following the search path configured via nsswitch.conf:
% getent prof_attr "Media Backup" "Media Restore"
Media Backup:RO::Backup files and file systems:profiles=NDMP Management
Media Restore:RO::Restore files and file systems from backups:
auths=solaris.media.extract;profiles=NDMP Management
FILES
/etc/security/prof_attr
Locally added entries.
/etc/security/prof_attr.d/*
Entries added by package installation.
NOTES
The root user is usually defined in local databases because root needs
to be able to log in and do system maintenance in single-user mode and
at other times when the network name service databases are not avail‐
able. So that the profile definitions for root can be located at such
times, root's profiles should be defined in the local prof_attr file,
and the order shown in the example nsswitch.conf(5) file entry under
EXAMPLES is highly recommended.
Because the list of legal keys is likely to expand, any code that
parses this database must be written to ignore unknown key-value pairs
without error. When any new keywords are created, the names should be
prefixed with a unique string, such as the company's stock symbol, to
avoid potential naming conflicts.
The following characters are used in describing the database format and
must be escaped with a backslash if used as data: colon (:), semicolon
(;), equals (=), and backslash (\).
The following authorizations are required to set various fields:
prof name of profile solaris.profile.manage
desc description of profile solaris.profile.manage
help help file name solaris.profile.manage
of profile
annotation audit record annotation solaris.account.setpolicy
audit_flags audit preselection flags solaris.audit.assign
auths authorizations granted solaris.auth.assign/delegate
pam_policy PAM policy applied solaris.account.setpolicy
access_times PAM time policy solaris.account.setpolicy
profiles profiles granted solaris.profile.assign/delegate
privs privileges granted solaris.privilege.assign/delegate
limitpriv the limit set of solaris.privilege.assign/delegate
privileges for the
command process
defaultpriv the inheritable set of solaris.privilege.assign/delegate
privileges for the
command process
The value of limitpriv that can be set by an authorized user for a
given command is limited to the limitpriv privileges that are granted
to the user.
The value of the defaultpriv that can be set by an authorized user for
a given command is limited to the defaultpriv privileges granted to the
user.
The solaris.auth.assign authorization allows the authorized user to
grant any authorization to another user. The solaris.auth.delegate
allows the authorized user to grant only the user's authorizations to
another user. The same principle applies to profiles and privileges.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ AvailabilitySee below. _ Interface StabilitySee below.
Availability
/etc/security/prof_attr is delivered in the system/core-os package.
/etc/security/prof_attr.d/ files are delivered in the packages that
provide the software they are associated with.
Interface Stability
The format is Committed. The contents have no stability attributes.
SEE ALSO
auths(1), pfexec(1), profiles(1), getauthattr(3C), getprofattr(3C),
getuserattr(3C), auth_attr(5), exec_attr(5), priv_names(5),
user_attr(5), audit_flags(7), pam_user_policy(7), rbac(7), getent(8)
HISTORY
Support for /etc/security/prof_attr.d/ files was added in Oracle
Solaris 11.0.0.
/etc/security/prof_attr was added in Solaris 8.
Oracle Solaris 11.4 3 Nov 2021 prof_attr(5)