svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
user_attr(5)
user_attr(5) File Formats user_attr(5)
NAME
user_attr - extended user attributes database
SYNOPSIS
/etc/user_attr
/etc/user_attr.d/package
DESCRIPTION
/etc/user_attr is a local source of extended attributes associated with
users and roles. user_attr can be used with other user attribute
sources, including the LDAP people container and the user_attr NIS
map. Programs use the getuserattr(3C) routines to gain access to this
information.
/etc/user_attr entries are locally managed by the system administrator.
The /etc/user_attr.d directory contains additional entries installed by
packages which should not be locally modified. If a user entry appears
in multiple files in these locations, the attributes will be merged,
with /etc/user_attr taking precedence for any conflicting attributes.
The userattr(1) command may be used to verify the active value of an
attribute for a user.
The search order for multiple user_attr sources is specified in the
nsswitch.conf(5) man page. The search order follows that for passwd(5).
Each entry in the user_attr databases consists of a single line with
five fields separated by colons (:). Line continuations using the back‐
slash (\) character are permitted. Each entry has the form:
user:qualifier:res1:res2:attr
user
The name of the user as specified in the passwd(5) database.
The special value default@ is used to specify default attributes.
It is only interpreted by the LDAP name service.
qualifier
An optional field specifying a hostname or a netgroup name which
qualifies where the extended attributes are applicable. The prefix
@ is required to indicate that the value is a netgroup. This field
is only interpreted by the LDAP name service, in which case the
user or role may be assigned multiple user_attr entries. The prece‐
dence for retrieving a user's entry is to first look for the user's
entry which explicitly matches the current hostname, then to look
for the user's entry with a netgroup name matching the current
hostname. An unqualified entry has the lowest precedence.
res1
The characters RO in this field indicate it is read only and not
modifiable by the tools that update this database.
res2
Reserved for future use.
attr
An optional list of semicolon-separated (;) key-value pairs that
describe the security attributes to apply to the object upon execu‐
tion. Zero or more keys can be specified. The following keys are
currently interpreted by the system:
access_times
One or more comma-separated rules that specify the days and
times that the corresponding set of applications and services
can be accessed. An asterisk is treated as a wildcard, which
matches any service name. When evaluating the access_times for
a specific service, if no entries are found then the user is
exempt from time restrictions for that service. The syntax is:
{<service>,...}:<days><start>-<end>[/<days><start>-<end>]...
[,{<service>,...}:<days><start>-<end>]...
Lists of one or more service names are enclosed in curly
braces, followed by the corresponding time policy. The valid
days are specified by a sequence of undelimited two character
entries from the set:
Mo Tu We Th Fr Sa Su Wk Wd Al
The last three indicating the weekdays, the weekend and all 7
days to the week, respectively. The time-range is two 24-hour
times HHMM, separated by a hyphen, indicating the start and end
times. Generally, one range can be specified per day. However,
an end time less than the start time applies to the following
day.
Multiple specifications of days and times are separated by a
slash. Multiple sets of rules are separated by a comma.
access_tz
Specifies the time zone that should be used when interpreting
the times specified in access_times entries. If the access_tz
value is not set, then the systems's default time zone, local
time is used. The valid time zones are listed under
/usr/share/lib/zoneinfo.
annotation
Specifies whether a user is prompted for an audit record anno‐
tation description. yes requires the user to provide an annota‐
tion description when prompted. optional allows the user to
specify an annotation description when prompted. no will not
prompt the user for an annotation description, and is the
default choice.
An audit record annotation description is a text line termi‐
nated by a newline returned by the application's PAM conversa‐
tion function. The annotation text is included in each audit
record generated by the user.
audit_flags
Specifies per-user audit preselection flags as colon-separated
always-audit-flags and never-audit-flags. As in,
audit_flags=always-audit-flags:never-audit-flags. See
audit_flags(7).
auths
Specifies a comma-separated list of authorization names chosen
from those names defined in the auth_attr(5) database. Autho‐
rization names can be specified using the asterisk (*) charac‐
ter as a wildcard. For example, solaris.print.* means all of
Oracle Solaris' printer authorizations.
All of the authorizations from profiles are available to the
user.
auth_profiles
Similar to the profiles keyword, except that the user must re-
authenticate prior to execution if PRIV_PFEXEC is enabled and
the command matches an entry in this list of profiles. Entries
in this list take precedence over the list specified using the
profiles keyword.
defaultpriv
The default set of privileges assigned to a user's inheritable
set upon login. See Privileges Keywords. An Extended Policy can
be specified as described in privileges(7).
limitpriv
The maximum set of privileges a user or any process started by
the user, whether through su(8) or any other means, can obtain.
See Privileges Keywords.
lock_after_retries
Either:
Specifies whether an account is locked after the count of
failed logins for a user equals or exceeds the allowed number
of retries as defined by RETRIES in /etc/default/login. Possi‐
ble values are yes or no. The default is no.
Or:
Specifies the count of failed logins for a user. Possible val‐
ues are 1 ... 15. Account locking is applicable only to local
accounts and accounts in the ldap name service repository. LDAP
account must be configured with an enableShadowUpdate of true
as specified in ldapclient(8).
unlock_after
Specifies the time since the account has been locked, that it
may be unlocked by a successful authentication. The time may be
specified as a number of minutes (m), hours (h), days (d), or
weeks (w). <n>[m | h | d | w]. The default is unspecified. An
administrator must unlock the account.
pam_policy
Specifies the PAM policy to apply to a user. pam_policy must be
either an absolute pathname to a pam.conf(5)-formatted file or
the name of a pam.conf-formatted file located in /etc/secu‐
rity/pam_policy. See pam_user_policy(7) for more information.
profiles
Contains an ordered, comma-separated list of profile names cho‐
sen from prof_attr(5). The process attributes of commands
included in this list of profiles are applied via exec(2) if
the process flag PRIV_PFEXEC is enabled. For more information,
see the pfexec(1) man page.
A list of profiles can also be defined in the /etc/secu‐
rity/policy.conf file. For more information, see the pol‐
icy.conf(5) man page. If no profiles are assigned, the profile
shells do not allow the user to execute any commands.
project
Can be assigned a name of one project from the project(5) data‐
base to be used as a default project to place the user in at
login time. For more information, see getdefaultproj(3PROJECT).
roleauth
Specifies whether the assigned role requires a role password or
the password of the user who is assuming the role.
Valid values are role and user. If roleauth is not specified,
roleauth=role is implied.
roles
Can be assigned a comma-separated list of role names from the
set of user accounts in this database whose type field indi‐
cates the account is a role. If the roles key value is not
specified, the user is not permitted to assume any role.
tpd
Specifies whether the user is granted access to the Trusted
Path Domain when remotely connecting to a Remote Access Daemon
using the SMF service svc:/system/rad:remote. For more informa‐
tion, see the tpd(7) and rad(8) man pages. 'yes' means preserve
the Trusted Path. The default value, 'no', means run outside of
the Trusted Path. This attribute only applies if the remote
service is running in an immutable zone and the trusted_path
property is enabled in its SMF start method.
type
Can be assigned one of these strings: normal, indicating that
this account is for a normal user, one who logs in; or role,
indicating that this account is for a role. Roles can only be
assumed by a normal user after the user has logged in.
The following keys are available only if the system is configured
with the Trusted Extensions feature:
clearance
Contains the maximum label at which the user can operate. If
unspecified, in the Defense Intelligence Agency (DIA) encodings
scheme, the default is specified in label_encodings(5).
min_label
Contains the minimum label at which the user can log in. If
unspecified, in the DIA encodings scheme, the default is speci‐
fied in label_encodings(5).
Except for the type key, the key=value fields in the user_attr database
can be added using roleadd(8) and useradd(8). You can use rolemod(8)
and usermod(8) to modify these values. Modification of the type key is
restricted as described in rolemod and usermod.
The values assigned to the access_times, auths, auth_profiles, roles,
and profiles keywords are cumulative. To assign the values,
/etc/user_attr is searched first, followed by each of the profiles, in
order. The other keywords (audit_flags, project, access_tz, default‐
priv, limitpriv, lock_after_retries, pam_policy, clearance, and
min_label) are first matched, meaning that /etc/user_attr is searched
first, followed by each of the profiles, in order. Once a match is
found that search is over.
Each entry in the user_attr database is limited to a maximum of 1024
characters.
Privileges Keywords
See privileges(7) for a description of privileges. The command ppriv
-l (see ppriv(1)) produces a list of all supported privileges. You
specify privileges as they are displayed by ppriv. In privileges(7),
privileges are listed in the form PRIV_<privilege_name>. For example,
the privilege file_chown, as you would specify it in user_attr, is
listed in privileges(7) as PRIV_FILE_CHOWN.
Privileges can be specified through usermod(8) and rolemod(8). See
usermod(8) for examples of commands that modify privileges and their
subsequent effect on user_attr.
The following authorizations are required to set the various keywords:
tab(); lw(2.2i) lw(3.3i) access_timessolaris.account.setpolicy
access_tzsolaris.account.setpolicy annotationsolaris.account.setpolicy
audit_flagssolaris.audit.assign authssolaris.auth.delegate/assign
auth_profilessolaris.profile.delegate/assign clearanceso‐
laris.label.delegate defaultprivsolaris.privilege.delegate/assign lim‐
itprivsolaris.privilege.delegate/assign lock_after_retriesso‐
laris.account.setpolicy min_labelsolaris.label.delegate pam_policyso‐
laris.account.setpolicy profilessolaris.profile.delegate/assign pro‐
jectsolaris.project.delegate/assign rolessolaris.role.delegate/assign
roleauthsolaris.account.setpolicy
The solaris.auth.assign authorization allows an authorized user to
grant any authorization to another user. The solaris.auth.delegate
allows an authorized user to grant only the user's authorizations to
another user. The same principle applies to roles, profiles, privi‐
leges, and project.
The clearance and min_label values can only be set based on the autho‐
rized user's label range. The defaultpriv and limitpriv values can only
be set based on the authorized user's granted defaultpriv and limitpriv
privileges.
EXAMPLES
Example 1 Assigning a Profile to Root
The following example entry assigns to root the All profile, which
allows root to use all commands in the system, and also assigns all
authorizations:
root::::auths=solaris.*;profiles=All;type=normal
The solaris.* wildcard authorization gives root all of the solaris
authorizations. See auth_attr(5) for more about authorizations.
Example 2 Specifying the Time Rules for PAM Services
The following example entry specifies the days and times when specific
PAM services are available to a user:
jdoe::::access_tz=US/Pacific;access_times={pfexec,sudo}\:\
MoWe0900-1730/Sa2200-0200,{*}\:Wk0800-2200;auth_profiles=\
File System Management;
The user jdoe is restricted to use the File System Management profile
or to use sudo(8) on Mondays and Wednesdays between 9:00 AM and 5:30
PM, and from 10 PM on Saturdays until 2 AM the following morning. All
other PAM services are available on weekdays from 8 AM to 10 PM. These
times are all interpreted using the US/Pacific time zone.
Although the colon character must be escaped with a backslash in the
user_attr entry, the backslash is not used with the administrative
interfaces, e.g. usermod(8) and profiles(1). However, quotes are
required to prevent the shell from interpreting other special charac‐
ters like asterisk, braces, and blanks.
The above entry could have been created using the following commands:
# usermod -K access_tz=US/Pacific jdoe
# usermod -K access_times='{*}:Wk0800-2200' jdoe
# usermod -K access_times+='{pfexec,sudo}:MoWe0900-1730/Sa2200-0200' \
jdoe
# usermod -K auth_profiles='File System Management' jdoe
FILES
/etc/user_attr
Locally added entries.
/etc/user_attr.d/*
Entries added by package installation.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ AvailabilitySee below. _ Interface StabilitySee below.
Availability
/etc/user_attr is delivered in the system/core-os package.
/etc/user_attr.d/ files are delivered in the packages that provide the
software they are associated with.
Interface Stability
The format is Committed. The contents have no stability attributes.
SEE ALSO
auths(1), pfexec(1), ppriv(1), profiles(1), roles(1), userattr(1),
getuserattr(3C), getdefaultproj(3PROJECT), auth_attr(5), exec_attr(5),
label_encodings(5), nsswitch.conf(5), pam.conf(5), passwd(5), pol‐
icy.conf(5), prof_attr(5), project(5), attributes(7), audit_flags(7),
pam_user_policy(7), privileges(7), rbac(7), getent(8), ldapclient(8),
roleadd(8), rolemod(8), useradd(8), usermod(8)
NOTES
The root user is usually defined in local databases for a number of
reasons, including the fact that root needs to be able to log in and do
system maintenance in single-user mode, before the network name service
databases are available. For this reason, an entry should exist for
root in the local user_attr file, and the precedence shown in the exam‐
ple nsswitch.conf(5) file entry under EXAMPLES is highly recommended.
Because the list of legal keys is likely to expand, any code that
parses this database must be written to ignore unknown key-value pairs
without error. When any new keywords are created, the names should be
prefixed with a unique string, such as the company's stock symbol, to
avoid potential naming conflicts.
This file should not be edited. Values are changed using useradd(8) and
usermod(8).
A user without an entry in user_attr gets the default values as defined
in /etc/security/policy.conf.
HISTORY
Support for /etc/user_attr.d/ files was added in Oracle Solaris 11.0.0.
/etc/user_attr was added in Solaris 8.
Oracle Solaris 11.4 21 Jun 2021 user_attr(5)