File Formats execattr(4)
NAME
execattr - execution profiles database
SYNOPSIS
/etc/security/execattr
DESCRIPTION
/etc/security/execattr is a local database that specifies
the execution attributes associated with profiles. The
execattr file can be used with other sources for execution
profiles, including the execattr NIS map and NIS] table.
Programs use the getexecattr(3SECDB) routines to access this
information.
The search order for multiple execution profile sources is
specified in the /etc/nsswitch.conf file, as described in
the nsswitch.conf(4) man page. The search order follows the
entry for profattr(4).
A profile is a logical grouping of authorizations and com-
mands that is interpreted by a profile shell to form a
secure execution environment. The shells that interpret pro-
files are pfcsh, pfksh, and pfsh. See the pfsh(1) man page.
Each user's account is assigned zero or more profiles in the
userattr(4) database file.
Each entry in the execattr database consists of one line of
text containing seven fields separated by colons (:). Line
continuations using the backslash (\fR) character are per-
mitted. The basic format of each entry is:
name:policy:type:res1:res2:id:attr
name The name of the profile. Profile names are case-
sensitive.
policy The security policy that is associated with the
profile entry. The valid policies are suser (stan-
dard Solaris superuser) and solaris. The solaris
policy recognizes privileges (see privileges(5));
the suser policy does not.
The solaris and suser policies can coexist in the
same execattr database, so that Solaris releases
prior to the current release can use the suser
policy and the current Solaris release can use a
SunOS 5.11 Last change: 30 Mar 2006 1
File Formats execattr(4)
solaris policy. solaris is a superset of suser; it
allows you to specify privileges in addition to
UIDs. Policies that are specific to the current
release of Solaris or that contain privileges
should use solaris. Policies that use UIDs only or
that are not specific to the current Solaris
release should use suser.
type The type of object defined in the profile. There
are two valid types: cmd and act. The cmd type
specifies that the ID field is a command that
would be executed by a shell. The act type is
available only if the system is configured with
Trusted Extensions. It specifies that the ID field
is a CDE action that should be executed by the
Trusted Extensions CDE action mechanism.
res1 Reserved for future use.
res2 Reserved for future use.
id A string that uniquely identifies the object
described by the profile. For a profile of type
cmd, the id is either the full path to the command
or the asterisk (*) symbol, which is used to allow
all commands. An asterisk that replaces the
filename component in a pathname indicates all
files in a particular directory.
To specify arguments, the pathname should point to
a shell script that is written to execute the com-
mand with the desired argument. In a Bourne shell,
the effective UID is reset to the real UID of the
process when the effective UID is less than 100
and not equal to the real UID. Depending on the
euid and egid values, Bourne shell limitations
might make other shells preferable. To prevent the
effective UIDs from being reset to real UIDs, you
can start the script with the -p option.
#!/bin/sh -p
If the Trusted Extensions feature is configured
and the profile entry type is act, the id is
either the fully qualified name of a CDE action,
or an asterisk (*) representing a wildcard. A
fully qualified CDE action is specified using the
SunOS 5.11 Last change: 30 Mar 2006 2
File Formats execattr(4)
action name and four additional semicolon-
separated fields. These fields can be empty but
the semicolons are required. The fields in a CDE
action are as follows:
argclass Specifies the argument class (for
example, FILE or SESION.) Corresponds
to ARGCLAS for CDE actions.
argtype Specifies the data type for the argu-
ment. Corresponds to ARGTYPE for CDE
actions.
argmode Specifies the read or write mode for
the argument. Corresponds to ARGMODE
for CDE actions.
argcount Specifies the number of arguments that
the action can accept. Corresponds to
ARGCOUNT for CDE actions.
attr An optional list of semicolon-separated (;) key-
value pairs that describe the security attributes
to apply to the object upon execution. Zero or
more keys may be specified. The list of valid key
words depends on the policy enforced. The follow-
ing key words are valid: euid, uid, egid, gid,
privs, and limitprivs.
euid and uid contain a single user name or a
numeric user ID. Commands designated with euid run
with the effective UID indicated, which is similar
to setting the setuid bit on an executable file.
Commands designated with uid run with both the
real and effective UIDs. Setting uid may be more
appropriate than setting the euid on privileged
shell scripts.
egid and gid contain a single group name or a
numeric group ID. Commands designated with egid
run with the effective GID indicated, which is
similar to setting the setgid bit on a file. Com-
mands designated with gid run with both the real
and effective GIDs. Setting gid may be more
appropriate than setting guid on privileged shell
scripts.
SunOS 5.11 Last change: 30 Mar 2006 3
File Formats execattr(4)
privs contains a privilege set which will be added
to the inheritable set prior to running the com-
mand.
limitprivs contains a privilege set which will be
assigned to the limit set prior to running the
command.
privs and limitprivs are only valid for the
solaris policy.
EXAMPLES
Example 1 Using Effective User ID
The following example shows the audit command specified in
the Audit Control profile to execute with an effective user
ID of root (0):
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
FILES
/etc/nsswitch.conf
/etc/userattr
/etc/security/execattr
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availibility SUNWcsr
Interface Stability See below.
The command-line syntax is Committed. The output is Uncom-
mitted.
SunOS 5.11 Last change: 30 Mar 2006 4
File Formats execattr(4)
CAVEATS
When deciding which authorization source to use (see
DESCRIPTION), keep in mind that NIS] provides stronger
authentication than NIS.
Because the list of legal keys is likely to expand, any code
that parses this database must be written to ignore unknown
key-value pairs without error. When any new keywords are
created, the names should be prefixed with a unique string,
such as the company's stock symbol, to avoid potential nam-
ing conflicts.
The following characters are used in describing the database
format and must be escaped with a backslash if used as data:
colon (:), semicolon (;), equals (=), and backslash (\fR).
SEE ALSO
auths(1), dtaction(1), profiles(1), roles(1), sh(1),
makedbm(1M), getauthattr(3SECDB), getauusernam(3BSM),
getexecattr(3SECDB), getprofattr(3SECDB),
getuserattr(3SECDB), kvamatch(3SECDB), authattr(4),
profattr(4), userattr(4), attributes(5), privileges(5)
SunOS 5.11 Last change: 30 Mar 2006 5
|
