1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
|
'\" te
.\" Copyright (c) 2006 by Sun Microsystems, Inc. All rights reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH EXEC_ATTR 4 "Mar 30, 2006"
.SH NAME
exec_attr \- execution profiles database
.SH SYNOPSIS
.LP
.nf
\fB/etc/security/exec_attr\fR
.fi
.SH DESCRIPTION
.sp
.LP
\fB/etc/security/exec_attr\fR is a local database that specifies the execution
attributes associated with profiles. The \fBexec_attr\fR file can be used with
other sources for execution profiles, including the \fBexec_attr\fR \fBNIS\fR
map and \fBNIS+\fR table. Programs use the \fBgetexecattr\fR(3SECDB) routines
to access this information.
.sp
.LP
The search order for multiple execution profile sources is specified in the
\fB/etc/nsswitch.conf\fR file, as described in the \fBnsswitch.conf\fR(4) man
page. The search order follows the entry for \fBprof_attr\fR(4).
.sp
.LP
A profile is a logical grouping of authorizations and commands that is
interpreted by a profile shell to form a secure execution environment. The
shells that interpret profiles are \fBpfcsh\fR, \fBpfksh\fR, and \fBpfsh\fR.
See the \fBpfsh\fR(1) man page. Each user's account is assigned zero or more
profiles in the \fBuser_attr\fR(4) database file.
.sp
.LP
Each entry in the \fBexec_attr\fR database consists of one line of text
containing seven fields separated by colons (\fB:\fR). Line continuations using
the backslash (\fB\\fR) character are permitted. The basic format of each entry
is:
.sp
.LP
\fIname\fR:\fIpolicy\fR:\fItype\fR:\fIres1\fR:\fIres2\fR:\fIid\fR:\fIattr\fR
.sp
.ne 2
.na
\fB\fIname\fR\fR
.ad
.RS 10n
The name of the profile. Profile names are case-sensitive.
.RE
.sp
.ne 2
.na
\fB\fIpolicy\fR\fR
.ad
.RS 10n
The security policy that is associated with the profile entry. The valid
policies are \fBsuser\fR (standard Solaris superuser) and \fBsolaris\fR. The
\fBsolaris\fR policy recognizes privileges (see \fBprivileges\fR(5)); the
\fBsuser\fR policy does not.
.sp
The \fBsolaris\fR and \fBsuser\fR policies can coexist in the same
\fBexec_attr\fR database, so that Solaris releases prior to the current release
can use the \fBsuser\fR policy and the current Solaris release can use a
\fBsolaris\fR policy. \fBsolaris\fR is a superset of \fBsuser\fR; it allows you
to specify privileges in addition to UIDs. Policies that are specific to the
current release of Solaris or that contain privileges should use \fBsolaris\fR.
Policies that use UIDs only or that are not specific to the current Solaris
release should use \fBsuser\fR.
.RE
.sp
.ne 2
.na
\fB\fItype\fR\fR
.ad
.RS 10n
The type of object defined in the profile. There are two valid types: \fBcmd\fR
and \fBact\fR. The \fBcmd\fR type specifies that the \fBID\fR field is a
command that would be executed by a shell. The \fBact\fR type is available only
if the system is configured with Trusted Extensions. It specifies that the
\fBID\fR field is a \fBCDE\fR action that should be executed by the Trusted
Extensions \fBCDE\fR action mechanism.
.RE
.sp
.ne 2
.na
\fB\fIres1\fR\fR
.ad
.RS 10n
Reserved for future use.
.RE
.sp
.ne 2
.na
\fB\fIres2\fR\fR
.ad
.RS 10n
Reserved for future use.
.RE
.sp
.ne 2
.na
\fB\fIid\fR\fR
.ad
.RS 10n
A string that uniquely identifies the object described by the profile. For a
profile of type \fBcmd,\fR the id is either the full path to the command or the
asterisk (\fB*\fR) symbol, which is used to allow all commands. An asterisk
that replaces the filename component in a pathname indicates all files in a
particular directory.
.sp
To specify arguments, the pathname should point to a shell script that is
written to execute the command with the desired argument. In a Bourne shell,
the effective UID is reset to the real UID of the process when the effective
UID is less than 100 and not equal to the real UID. Depending on the \fBeuid\fR
and \fBegid\fR values, Bourne shell limitations might make other shells
preferable. To prevent the effective UIDs from being reset to real UIDs, you
can start the script with the \fB-p\fR option.
.sp
.in +2
.nf
#!/bin/sh -p
.fi
.in -2
.sp
If the Trusted Extensions feature is configured and the profile entry type is
\fBact\fR, the \fBid\fR is either the fully qualified name of a \fBCDE\fR
action, or an asterisk (\fB*\fR) representing a wildcard. A fully qualified
\fBCDE\fR action is specified using the action name and four additional
semicolon-separated fields. These fields can be empty but the semicolons are
required. The fields in a \fBCDE\fR action are as follows:
.sp
.ne 2
.na
\fB\fIargclass\fR\fR
.ad
.RS 12n
Specifies the argument class (for example, \fBFILE\fR or \fBSESSION\fR.)
Corresponds to \fBARG_CLASS\fR for \fBCDE\fR actions.
.RE
.sp
.ne 2
.na
\fB\fIargtype\fR\fR
.ad
.RS 12n
Specifies the data type for the argument. Corresponds to \fBARG_TYPE\fR for
\fBCDE\fR actions.
.RE
.sp
.ne 2
.na
\fB\fIargmode\fR\fR
.ad
.RS 12n
Specifies the read or write mode for the argument. Corresponds to
\fBARG_MODE\fR for \fBCDE\fR actions.
.RE
.sp
.ne 2
.na
\fB\fIargcount\fR\fR
.ad
.RS 12n
Specifies the number of arguments that the action can accept. Corresponds to
\fBARG_COUNT\fR for \fBCDE\fR actions.
.RE
.RE
.sp
.ne 2
.na
\fB\fIattr\fR\fR
.ad
.RS 10n
An optional list of semicolon-separated (\fB;\fR) key-value pairs that describe
the security attributes to apply to the object upon execution. Zero or more
keys may be specified. The list of valid key words depends on the policy
enforced. The following key words are valid: \fBeuid\fR, \fBuid,\fR \fBegid\fR,
\fBgid\fR, \fBprivs\fR, and \fBlimitprivs\fR.
.sp
\fBeuid\fR and \fBuid\fR contain a single user name or a numeric user \fBID\fR.
Commands designated with \fBeuid\fR run with the effective \fBUID\fR indicated,
which is similar to setting the setuid bit on an executable file. Commands
designated with \fBuid\fR run with both the real and effective \fBUID\fRs.
Setting \fBuid\fR may be more appropriate than setting the \fBeuid\fR on
privileged shell scripts.
.sp
\fBegid\fR and \fBgid\fR contain a single group name or a numeric group
\fBID\fR. Commands designated with \fBegid\fR run with the effective \fBGID\fR
indicated, which is similar to setting the setgid bit on a file. Commands
designated with \fBgid\fR run with both the real and effective \fBGID\fRs.
Setting \fBgid\fR may be more appropriate than setting \fBguid\fR on privileged
shell scripts.
.sp
\fBprivs\fR contains a privilege set which will be added to the inheritable set
prior to running the command.
.sp
\fBlimitprivs\fR contains a privilege set which will be assigned to the limit
set prior to running the command.
.sp
\fBprivs\fR and \fBlimitprivs\fR are only valid for the \fBsolaris\fR policy.
.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRUsing Effective User ID
.sp
.LP
The following example shows the \fBaudit\fR command specified in the Audit
Control profile to execute with an effective user \fBID\fR of root (\fB0\fR):
.sp
.in +2
.nf
\fBAudit Control:suser:cmd:::/usr/sbin/audit:euid=0\fR
.fi
.in -2
.sp
.SH FILES
.sp
.LP
\fB/etc/nsswitch.conf\fR
.sp
.LP
\fB/etc/user_attr\fR
.sp
.LP
\fB/etc/security/exec_attr\fR
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Availibility SUNWcsr
_
Interface Stability See below.
.TE
.sp
.LP
The command-line syntax is Committed. The output is Uncommitted.
.SH CAVEATS
.sp
.LP
When deciding which authorization source to use (see DESCRIPTION), keep in mind
that \fBNIS+\fR provides stronger authentication than \fBNIS\fR.
.sp
.LP
Because the list of legal keys is likely to expand, any code that parses this
database must be written to ignore unknown key-value pairs without error. When
any new keywords are created, the names should be prefixed with a unique
string, such as the company's stock symbol, to avoid potential naming
conflicts.
.sp
.LP
The following characters are used in describing the database format and must be
escaped with a backslash if used as data: colon (\fB:\fR), semicolon (\fB;\fR),
equals (\fB=\fR), and backslash (\fB\\fR).
.SH SEE ALSO
.sp
.LP
\fBauths\fR(1), \fBdtaction\fR(1), \fBprofiles\fR(1), \fBroles\fR(1),
\fBsh\fR(1), \fBmakedbm\fR(1M), \fBgetauthattr\fR(3SECDB),
\fBgetauusernam\fR(3BSM), \fBgetexecattr\fR(3SECDB), \fBgetprofattr\fR(3SECDB),
\fBgetuserattr\fR(3SECDB), \fBkva_match\fR(3SECDB), \fBauth_attr\fR(4),
\fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5),
\fBprivileges\fR(5)
|
