1smf_security(5) Standards, Environments, and Macros smf_security(5)
2
6 smf_security - service management facility security behavior
7
9 The configuration subsystem for the service management facility,
10 smf(5), requires privilege to modify the configuration of a service.
11 Privileges are granted to a user by associating the authorizations
12 described below to the user through user_attr(4) and prof_attr(4). See
13 rbac(5).
14 The following authorization is used to manipulate services and service
17 instances.
18 solaris.smf.modify Authorized to add, delete, or modify services,
20 service instances, or their properties, and to
21 read protected property values.
22 Property Group Authorizations
25 The smf(5) configuration subsystem associates properties with each ser‐
26 vice and service instance. Related properties are grouped. Groups can
27 represent an execution method, credential information, application
28 data, or restarter state. The ability to create or modify property
29 groups can cause smf(5) components to perform actions that can require
30 operating system privilege. Accordingly, the framework requires appro‐
31 priate authorization to manipulate property groups.
32 Each property group has a type corresponding to its purpose. The core
35 property group types are method, dependency, application, and frame‐
36 work. Additional property group types can be introduced, provided they
37 conform to the extended naming convention in smf(5). The following
38 basic authorizations, however, apply only to the core property group
39 types:
40 solaris.smf.modify.method
42 Authorized to change values or create, delete, or modify a property
44 group of type method.
45 solaris.smf.modify.dependency
48 Authorized to change values or create, delete, or modify a property
50 group of type dependency.
51 solaris.smf.modify.application
54 Authorized to change values, read protected values, and create,
56 delete, or modify a property group of type application.
57 solaris.smf.modify.framework
60 Authorized to change values or create, delete, or modify a property
62 group of type framework.
63 solaris.smf.modify
66 Authorized to add, delete, or modify services, service instances,
68 or their properties, and to read protected property values.
69 Property group-specific authorization can be specified by properties
73 contained in the property group.
74 modify_authorization Authorizations allow the addition, deletion, or
76 modification of properties within the property
77 group, and the retrieval of property values
78 from the property group if protected.
79 value_authorization Authorizations allow changing the values of any
82 property of the property group except mod‐
83 ify_authorization, and the retrieval of any
84 property values except modify_authorization
85 from the property group if protected.
86 read_authorization Authorizations allow the retrieval of property
89 values within the property group. The presence
90 of a string-valued property with this name
91 identifies the containing property group as
92 protected. This property has no effect on prop‐
93 erty groups of types other than application.
94 See Protected Property Groups.
95 The above authorization properties are only used if they have type
99 astring. If an instance property group does not have one of the proper‐
100 ties, but the instance's service has a property group of the same name
101 with the property, its values are used.
102 Protected Property Groups
104 Normally, all property values in the repository can be read by any user
105 without explicit authorization. Property groups of non-framework types
106 can be used to store properties with values that require protection.
107 They must not be revealed except upon proper authorization. A property
108 group's status as protected is indicated by the presence of a string-
109 valued read_authorization property. If this property is present, the
110 values of all properties in the property group is retrievable only as
111 described in Property Group Authorizations.
112 Administrative domains with policies that prohibit backup of data con‐
115 sidered sensitive should exclude the SMF repository databases from
116 their backups. In the face of such a policy, non-protected property
117 values can be backed up by using the svccfg(1M) archive command to cre‐
118 ate an archive of the repository without protected property values.
119 Service Action Authorization
121 Certain actions on service instances can result in service interruption
122 or deactivation. These actions require an authorization to ensure that
123 any denial of service is a deliberate administrative action. Such
124 actions include a request for execution of the refresh or restart meth‐
125 ods, or placement of a service instance in the maintenance or other
126 non-operational state. The following authorization allows such actions
127 to be requested:
128 solaris.smf.manage Authorized to request restart, refresh, or other
130 state modification of any service instance.
131 In addition, the general/action_authorization property can specify
135 additional authorizations that permit service actions to be requested
136 for that service instance. The solaris.smf.manage authorization is
137 required to modify this property.
138 Defined Rights Profiles
140 Two rights profiles are included that offer grouped authorizations for
141 manipulating typical smf(5) operations.
142 Service Management A service manager can manipulate any service in
144 the repository in any way. It corresponds to the
145 solaris.smf.manage and solaris.smf.modify autho‐
146 rizations.
147 The service management profile is the minimum
149 required to use the pkgadd(1M) or pkgrm(1M) com‐
150 mands to add or remove software packages that
151 contain an inventory of services in its service
152 manifest.
153 Service Operator A service operator has the ability to enable or
156 disable any service instance on the system, as
157 well as request that its restart or refresh
158 method be executed. It corresponds to the
159 solaris.smf.manage and solaris.smf.modify.frame‐
160 work authorizations.
161 Sites can define additional rights profiles cus‐
163 tomized to their needs.
164 Remote Repository Modification
167 Remote repository servers can deny modification attempts due to addi‐
168 tional privilege checks. See NOTES.
169
171 auths(1), profiles(1), pkgadd(1M), pkgrm(1M), svccfg(1M), prof_attr(4),
172 user_attr(4), rbac(5), smf(5)
173
175 The present version of smf(5) does not support remote repositories.
176 When a service is configured to be started as root but with privileges
179 different from limit_privileges, the resulting process is privilege
180 aware. This can be surprising to developers who expect seteuid(<non-
181 zero UID>) to reduce privileges to basic or less.
182SunOS 5.11 20 May 2009 smf_security(5)