prof_attr(4)                     File Formats                     prof_attr(4)

NAME

       prof_attr - profile description database

SYNOPSIS

       /etc/security/prof_attr

DESCRIPTION

       /etc/security/prof_attr is a local source for execution profile names,
       descriptions, and other attributes of execution profiles. The prof_attr
       file can be used with other profile sources, including the prof_attr
       NIS map and NIS+ table. Programs use the getprofattr(3SECDB) routines
       to gain access to this information.

       The search order for multiple prof_attr sources is specified in the
       /etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page.

       An execution profile is a mechanism used to bundle together the
       commands and authorizations needed to perform a specific function. An
       execution profile can also contain other execution profiles. Each entry
       in the prof_attr database consists of one line of text containing five
       fields separated by colons (:). Line continuations using the backslash
       (\) character are permitted. The format of each entry is:

       profname:res1:res2:desc:attr

       profname    The name of the profile. Profile names are case-sensitive.

       res1        Reserved for future use.

       res2        Reserved for future use.

       desc        A long description. This field should explain the purpose
                   of the profile, including what type of user would be
                   interested in using it. The long description should be
                   suitable for displaying in the help text of an application.

       attr        An optional list of semicolon-separated (;) key-value pairs
                   that describe the security attributes to apply to the
                   object upon execution. Zero or more keys can be specified.
                   There are four valid keys: help, profiles, auths, and
                   privs.

                   help is assigned the name of a file ending in .htm or
                   .html.

                   auths specifies a comma-separated list of authorization
                   names chosen from those names defined in the auth_attr(4)
                   database. Authorization names can be specified using the
                   asterisk (*) character as a wildcard. For example,
                   solaris.printer.* would mean all of Sun's authorizations
                   for printing.

                   profiles specifies a comma-separated list of profile names
                   chosen from those names defined in the prof_attr database.

                   privs specifies a comma-separated list of privilege names
                   chosen from those names defined in the priv_names(4)
                   database. These privileges can then be used for executing
                   commands with pfexec(1).

EXAMPLES

       Example 1 Allowing Execution of All Commands

       The following entry allows the user to execute all commands:

         All:::Use this profile to give a :help=All.html

       Example 2 Consulting the Local prof_attr File First

       With the following nsswitch.conf entry, the local prof_attr file is
       consulted before the NIS+ table:

         prof_attr: files nisplus

FILES

       /etc/nsswitch.conf

       /etc/security/prof_attr

NOTES

       When deciding which authorization source to use (see DESCRIPTION), keep
       in mind that NIS+ provides stronger authentication than NIS.

       The root user is usually defined in local databases because root needs
       to be able to log in and do system maintenance in single-user mode and
       at other times when the network name service databases are not
       available. So that the profile definitions for root can be located at
       such times, root's profiles should be defined in the local prof_attr
       file, and the order shown in the example nsswitch.conf(4) file entry
       under EXAMPLES is highly recommended.

       Because the list of legal keys is likely to expand, any code that
       parses this database must be written to ignore unknown key-value pairs
       without error. When any new keywords are created, the names should be
       prefixed with a unique string, such as the company's stock symbol, to
       avoid potential naming conflicts.

       Each application has its own requirements for whether the help value
       must be a relative pathname ending with a filename or the name of a
       file. The only known requirement is for the name of a file.

       The following characters are used in describing the database format and
       must be escaped with a backslash if used as data: colon (:), semicolon
       (;), equals (=), and backslash (\).
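
       The entry format, escaping rules and unknown-key rule described above,
       shown as a parser (an added example, not part of the original man page
       or of Solaris). The function names, the treatment of '#' lines as
       comments, and the sample entries, including the vendor key ACME_tier,
       are assumptions made for illustration; wildcard_auths lists profiles
       whose auths use the asterisk wildcard so they can be reviewed.

```python
import re

LIST_KEYS = {"profiles", "auths", "privs"}   # comma-separated; "help" is a file name
# Constructed sample. Assumption (not on the page): '#' starts a comment line.
SAMPLE = (
    "# constructed entries\nPrinter Admin:::Manage printers\\: queues and jobs:"
    "auths=solaris.printer.*;help=Prt.html;ACME_tier=2\n"
    "Ops:::Operator bundle:profiles=Printer Admin,\\\n"
    "Basic Ops;privs=proc_owner,file_dac_read\n"
)

def split_unescaped(text, sep):
    """Split on sep; a backslash-escaped character never acts as a separator."""
    parts = [""]
    for tok in re.findall(r"\\.|.", text):   # escape pairs stay together
        if tok == sep:
            parts.append("")
        else:
            parts[-1] += tok
    return parts

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def parse_prof_attr(data):
    """Yield (profname, desc, attrs, ignored_keys) for each entry."""
    for line in data.replace("\\\n", "").splitlines():   # join continuations
        if not line.strip() or line.startswith("#"):
            continue
        fields = split_unescaped(line, ":")
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
        name, _res1, _res2, desc, attr = fields
        attrs, ignored = {}, []
        for pair in filter(None, split_unescaped(attr, ";")):
            key, *rest = split_unescaped(pair, "=")
            if key in LIST_KEYS:
                attrs[key] = [unescape(v) for v in "=".join(rest).split(",")]
            elif key == "help":
                attrs[key] = unescape("=".join(rest))
            else:
                ignored.append(key)   # unknown key: skip it, never fail
        yield unescape(name), unescape(desc), attrs, ignored

def wildcard_auths(data):
    """Map profile name -> auths that use the '*' wildcard, for access review."""
    found = ((n, [x for x in a.get("auths", []) if "*" in x])
             for n, _d, a, _i in parse_prof_attr(data))
    return {n: w for n, w in found if w}
```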

SEE ALSO

       auths(1), pfexec(1), profiles(1), getauthattr(3SECDB),
       getprofattr(3SECDB), getuserattr(3SECDB), auth_attr(4), exec_attr(4),
       priv_names(4), user_attr(4)

SunOS 5.11                        3 Apr 2008                      prof_attr(4)