exec_attr(4)                     File Formats                     exec_attr(4)

exec_attr - execution profiles database

/etc/security/exec_attr

/etc/security/exec_attr is a local database that specifies the execution
attributes associated with profiles. The exec_attr file can be used with
other sources for execution profiles, including the exec_attr NIS map and
NIS+ table. Programs use the getexecattr(3SECDB) routines to access this
information.

The search order for multiple execution profile sources is specified in the
/etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page. The
search order follows the entry for prof_attr(4).

A profile is a logical grouping of authorizations and commands that is
interpreted by a profile shell to form a secure execution environment. The
shells that interpret profiles are pfcsh, pfksh, and pfsh. See the pfsh(1)
man page. Each user's account is assigned zero or more profiles in the
user_attr(4) database file.

Each entry in the exec_attr database consists of one line of text containing
seven fields separated by colons (:). Line continuations using the backslash
(\) character are permitted. The basic format of each entry is:

    name:policy:type:res1:res2:id:attr

name      The name of the profile. Profile names are case-sensitive.

policy    The security policy that is associated with the profile entry.
          The valid policies are suser (standard Solaris superuser) and
          solaris. The solaris policy recognizes privileges (see
          privileges(5)); the suser policy does not.

          The solaris and suser policies can coexist in the same exec_attr
          database, so that Solaris releases prior to the current release
          can use the suser policy and the current Solaris release can use
          a solaris policy. solaris is a superset of suser; it allows you
          to specify privileges in addition to UIDs. Policies that are
          specific to the current release of Solaris or that contain
          privileges should use solaris. Policies that use UIDs only or
          that are not specific to the current Solaris release should use
          suser.

type      The type of object defined in the profile. There are two valid
          types: cmd and act. The cmd type specifies that the ID field is a
          command that would be executed by a shell. The act type is
          available only if the system is configured with Trusted
          Extensions. It specifies that the ID field is a CDE action that
          should be executed by the Trusted Extensions CDE action
          mechanism.

res1      Reserved for future use.

res2      Reserved for future use.

id        A string that uniquely identifies the object described by the
          profile. For a profile of type cmd, the id is either the full
          path to the command or the asterisk (*) symbol, which is used to
          allow all commands. An asterisk that replaces the filename
          component in a pathname indicates all files in a particular
          directory.

          To specify arguments, the pathname should point to a shell script
          that is written to execute the command with the desired argument.
          In a Bourne shell, the effective UID is reset to the real UID of
          the process when the effective UID is less than 100 and not equal
          to the real UID. Depending on the euid and egid values, Bourne
          shell limitations might make other shells preferable. To prevent
          the effective UIDs from being reset to real UIDs, you can start
          the script with the -p option.

              #!/bin/sh -p

          If the Trusted Extensions feature is configured and the profile
          entry type is act, the id is either the fully qualified name of a
          CDE action, or an asterisk (*) representing a wildcard. A fully
          qualified CDE action is specified using the action name and four
          additional semicolon-separated fields. These fields can be empty
          but the semicolons are required. The fields in a CDE action are
          as follows:

          argclass    Specifies the argument class (for example, FILE or
                      SESSION). Corresponds to ARG_CLASS for CDE actions.

          argtype     Specifies the data type for the argument. Corresponds
                      to ARG_TYPE for CDE actions.

          argmode     Specifies the read or write mode for the argument.
                      Corresponds to ARG_MODE for CDE actions.

          argcount    Specifies the number of arguments that the action can
                      accept. Corresponds to ARG_COUNT for CDE actions.

attr      An optional list of semicolon-separated (;) key-value pairs that
          describe the security attributes to apply to the object upon
          execution. Zero or more keys may be specified. The list of valid
          key words depends on the policy enforced. The following key words
          are valid: euid, uid, egid, gid, privs, and limitprivs.

          euid and uid contain a single user name or a numeric user ID.
          Commands designated with euid run with the effective UID
          indicated, which is similar to setting the setuid bit on an
          executable file. Commands designated with uid run with both the
          real and effective UIDs. Setting uid may be more appropriate than
          setting the euid on privileged shell scripts.

          egid and gid contain a single group name or a numeric group ID.
          Commands designated with egid run with the effective GID
          indicated, which is similar to setting the setgid bit on a file.
          Commands designated with gid run with both the real and effective
          GIDs. Setting gid may be more appropriate than setting egid on
          privileged shell scripts.

          privs contains a privilege set which will be added to the
          inheritable set prior to running the command.

          limitprivs contains a privilege set which will be assigned to the
          limit set prior to running the command.

          privs and limitprivs are only valid for the solaris policy.

Example 1 Using Effective User ID

The following example shows the audit command specified in the Audit Control
profile to execute with an effective user ID of root (0):

    Audit Control:suser:cmd:::/usr/sbin/audit:euid=0

/etc/nsswitch.conf

/etc/user_attr

/etc/security/exec_attr

See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│ Availability                │ SUNWcsr                     │
├─────────────────────────────┼─────────────────────────────┤
│ Interface Stability         │ See below.                  │
└─────────────────────────────┴─────────────────────────────┘

The command-line syntax is Committed. The output is Uncommitted.

When deciding which authorization source to use (see DESCRIPTION), keep in
mind that NIS+ provides stronger authentication than NIS.

Because the list of legal keys is likely to expand, any code that parses
this database must be written to ignore unknown key-value pairs without
error. When any new keywords are created, the names should be prefixed with
a unique string, such as the company's stock symbol, to avoid potential
naming conflicts.

The following characters are used in describing the database format and must
be escaped with a backslash if used as data: colon (:), semicolon (;),
equals (=), and backslash (\).
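
The parsing rules above (seven colon-separated fields, backslash escapes, line continuation, unknown keys ignored without error), shown as an added example that is not part of the original man page or of Solaris itself. The function names, the treatment of '#' lines as comments and the two audit checks are assumptions of this example; the sample entries are constructed apart from the page's Audit Control line.

```python
import re
KNOWN_KEYS = {"euid", "uid", "egid", "gid", "privs", "limitprivs"}

def split_escaped(text, sep):
    """Split on sep, except where a backslash escapes it (escapes are kept)."""
    parts = [""]
    for tok in re.findall(r"\\.|.", text):   # an escaped pair is one token
        if tok == sep:
            parts.append("")
        else:
            parts[-1] += tok
    return parts

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def parse_exec_attr(text):
    """Return one dict per well-formed entry; malformed lines are skipped."""
    entries = []
    for line in text.replace("\\\n", "").splitlines():   # join continuations
        fields = split_escaped(line.strip(), ":")
        if line.lstrip().startswith("#") or len(fields) != 7:  # '#': assumption
            continue
        attrs = {}
        for pair in split_escaped(fields[6], ";"):
            kv = split_escaped(pair, "=")
            if len(kv) == 2 and unescape(kv[0]) in KNOWN_KEYS:  # ignore unknown keys
                attrs[unescape(kv[0])] = unescape(kv[1])
        entries.append({"name": unescape(fields[0]), "policy": fields[1],
                        "id": unescape(fields[5]), "attrs": attrs})
    return entries

def audit(entries):   # hypothetical review checks, derived from the field rules
    findings = []
    for e in entries:
        root = any(e["attrs"].get(k) in ("0", "root") for k in ("euid", "uid"))
        if root and e["id"].endswith("*"):
            findings.append((e["name"], "root identity on wildcard id"))
        if e["policy"] == "suser" and {"privs", "limitprivs"} & e["attrs"].keys():
            findings.append((e["name"], "privs/limitprivs under suser policy"))
    return findings

SAMPLE = r"""# constructed sample, not taken from a real system
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
Ops Tools:suser:cmd:::/opt/ops/bin/*:uid=0
Net Mgmt:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config;\
XYZvendorkey=1
Legacy:suser:cmd:::/usr/bin/foo:privs=all
Odd\:Name:solaris:cmd:::/usr/bin/true:"""
```

Calling audit(parse_exec_attr(SAMPLE)) reports the Ops Tools and Legacy entries and leaves the page's Audit Control entry unflagged.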

auths(1), dtaction(1), profiles(1), roles(1), sh(1), makedbm(1M),
getauthattr(3SECDB), getauusernam(3BSM), getexecattr(3SECDB),
getprofattr(3SECDB), getuserattr(3SECDB), kva_match(3SECDB), auth_attr(4),
prof_attr(4), user_attr(4), attributes(5), privileges(5)

SunOS 5.11                        30 Mar 2006                     exec_attr(4)