smf_security(5)       Standards, Environments, and Macros      smf_security(5)

NAME

       smf_security - service management facility security behavior

DESCRIPTION

       The configuration subsystem for the service management facility,
       smf(5), requires privilege to modify the configuration of a service.
       Privileges are granted to a user by associating the authorizations
       described below to the user through user_attr(4) and prof_attr(4). See
       rbac(5).

       The following authorization is used to manipulate services and service
       instances.

       solaris.smf.modify    Authorized to add, delete, or modify services,
                             service instances, or their properties, and to
                             read protected property values.

   Property Group Authorizations
       The smf(5) configuration subsystem associates properties with each
       service and service instance. Related properties are grouped. Groups
       can represent an execution method, credential information, application
       data, or restarter state. The ability to create or modify property
       groups can cause smf(5) components to perform actions that can require
       operating system privilege. Accordingly, the framework requires
       appropriate authorization to manipulate property groups.

       Each property group has a type corresponding to its purpose. The core
       property group types are method, dependency, application, and
       framework. Additional property group types can be introduced, provided
       they conform to the extended naming convention in smf(5). The
       following basic authorizations, however, apply only to the core
       property group types:

       solaris.smf.modify.method

           Authorized to change values or create, delete, or modify a property
           group of type method.

       solaris.smf.modify.dependency

           Authorized to change values or create, delete, or modify a property
           group of type dependency.

       solaris.smf.modify.application

           Authorized to change values, read protected values, and create,
           delete, or modify a property group of type application.

       solaris.smf.modify.framework

           Authorized to change values or create, delete, or modify a property
           group of type framework.

       solaris.smf.modify

           Authorized to add, delete, or modify services, service instances,
           or their properties, and to read protected property values.

       Property group-specific authorization can be specified by properties
       contained in the property group.

       modify_authorization    Authorizations allow the addition, deletion, or
                               modification of properties within the property
                               group, and the retrieval of property values
                               from the property group if protected.

       value_authorization     Authorizations allow changing the values of any
                               property of the property group except
                               modify_authorization, and the retrieval of any
                               property values except modify_authorization
                               from the property group if protected.

       read_authorization      Authorizations allow the retrieval of property
                               values within the property group. The presence
                               of a string-valued property with this name
                               identifies the containing property group as
                               protected. This property has no effect on
                               property groups of types other than
                               application. See Protected Property Groups.

       The above authorization properties are only used if they have type
       astring. If an instance property group does not have one of the
       properties, but the instance's service has a property group of the
       same name with the property, its values are used.

   Protected Property Groups
       Normally, all property values in the repository can be read by any user
       without explicit authorization. Property groups of non-framework types
       can be used to store properties with values that require protection.
       They must not be revealed except upon proper authorization. A property
       group's status as protected is indicated by the presence of a
       string-valued read_authorization property. If this property is present,
       the values of all properties in the property group are retrievable only
       as described in Property Group Authorizations.

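       The property group rules above, written as a decision function. This
       is an added example, not part of the original manual page and not SMF
       code; the PG class, the example.db.* authorization names and the
       sample values are constructed. It assumes that read protection applies
       only to application-type groups (following the read_authorization
       entry) and that an instance-level property of a non-astring type does
       not fall back to the service-level group.

```python
from dataclasses import dataclass, field

CORE_TYPES = {"method", "dependency", "application", "framework"}

@dataclass
class PG:
    """Model of a property group: props maps name -> (type, values)."""
    type: str
    props: dict = field(default_factory=dict)

def pg_auths(name, inst_pg, svc_pg=None):
    """Authorizations named by property `name`, or None if it is not usable.
    Instance group first, then the service's same-named group; astring only."""
    for pg in (inst_pg, svc_pg):
        if pg is not None and name in pg.props:
            ptype, values = pg.props[name]
            return set(values) if ptype == "astring" else None
    return None

def is_protected(inst_pg, svc_pg=None):
    # Assumption: application type only, per the read_authorization entry.
    return (inst_pg.type == "application"
            and pg_auths("read_authorization", inst_pg, svc_pg) is not None)

def allowed(user_auths, op, inst_pg, svc_pg=None, prop=None):
    """op: 'modify' (add/delete/modify properties), 'value' (change a value)
    or 'read' (retrieve a value); prop is the property being touched."""
    def get(name):
        return pg_auths(name, inst_pg, svc_pg) or set()
    if op == "read" and not is_protected(inst_pg, svc_pg):
        return True  # unprotected values are readable without authorization
    grants = {"solaris.smf.modify"} | get("modify_authorization")
    if inst_pg.type in CORE_TYPES:
        grants.add("solaris.smf.modify." + inst_pg.type)
    if op in ("value", "read") and prop != "modify_authorization":
        grants |= get("value_authorization")
    if op == "read":
        grants |= get("read_authorization")
    return bool(set(user_auths) & grants)

# Constructed sample: the service-level group carries the authorization
# properties; the instance-level group of the same name holds only data.
# The example.db.* authorization names are hypothetical.
svc_cfg = PG("application", {
    "modify_authorization": ("astring", ["example.db.admin"]),
    "value_authorization": ("astring", ["example.db.operator"]),
    "read_authorization": ("astring", ["example.db.auditor"]),
})
inst_cfg = PG("application", {"password": ("astring", ["constructed-secret"])})
```
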
       Administrative domains with policies that prohibit backup of data
       considered sensitive should exclude the SMF repository databases from
       their backups. In the face of such a policy, non-protected property
       values can be backed up by using the svccfg(1M) archive command to
       create an archive of the repository without protected property values.

   Service Action Authorization
       Certain actions on service instances can result in service interruption
       or deactivation. These actions require an authorization to ensure that
       any denial of service is a deliberate administrative action. Such
       actions include a request for execution of the refresh or restart
       methods, or placement of a service instance in the maintenance or other
       non-operational state. The following authorization allows such actions
       to be requested:

       solaris.smf.manage    Authorized to request restart, refresh, or other
                             state modification of any service instance.

       In addition, the general/action_authorization property can specify
       additional authorizations that permit service actions to be requested
       for that service instance. The solaris.smf.manage authorization is
       required to modify this property.

   Defined Rights Profiles
       Two rights profiles are included that offer grouped authorizations for
       manipulating typical smf(5) operations.

       Service Management    A service manager can manipulate any service in
                             the repository in any way. It corresponds to the
                             solaris.smf.manage and solaris.smf.modify
                             authorizations.

                             The service management profile is the minimum
                             required to use the pkgadd(1M) or pkgrm(1M)
                             commands to add or remove software packages that
                             contain an inventory of services in their
                             service manifest.

       Service Operator      A service operator has the ability to enable or
                             disable any service instance on the system, as
                             well as request that its restart or refresh
                             method be executed. It corresponds to the
                             solaris.smf.manage and
                             solaris.smf.modify.framework authorizations.

                             Sites can define additional rights profiles
                             customized to their needs.

   Remote Repository Modification
       Remote repository servers can deny modification attempts due to
       additional privilege checks. See NOTES.

SEE ALSO

       auths(1), profiles(1), pkgadd(1M), pkgrm(1M), svccfg(1M), prof_attr(4),
       user_attr(4), rbac(5), smf(5)

NOTES

       The present version of smf(5) does not support remote repositories.

       When a service is configured to be started as root but with privileges
       different from limit_privileges, the resulting process is privilege
       aware. This can be surprising to developers who expect
       seteuid(<non-zero UID>) to reduce privileges to basic or less.

SunOS 5.11                        20 May 2009                  smf_security(5)