Authorizations are stored in the auth_attr database.
To create an application that uses authorizations, take the following steps:
Scan the entries in the auth_attr database using the getent command as follows:
$ getent auth_attr | sort | more
The getent command retrieves the list of authorizations from the auth_attr database, and the sort command alphabetizes them. Without sort, getent returns the authorizations in the order in which they were configured. See the getent(8) man page for information about using the getent command.
Check for the required authorization at the beginning of the program using the chkauthattr(3C) function.
The chkauthattr() function searches for the authorization in the following order:
1. AUTHS_GRANTED key in the policy.conf(5) database – AUTHS_GRANTED indicates authorizations that have been assigned by default.
2. PROFS_GRANTED key in the policy.conf(5) database – PROFS_GRANTED indicates rights profiles that have been assigned by default. chkauthattr() checks these rights profiles for the specified authorization.
3. The user_attr(5) database – This database stores security attributes that have been assigned to users.
4. The prof_attr(5) database – This database stores rights profiles that have been assigned to users.
If chkauthattr() cannot find the authorization in any of these places, the user is denied access to the program. If the chkauthattr() function encounters the Stop profile, further authorizations and profiles, including AUTHS_GRANTED, PROFS_GRANTED, and those found in /etc/security/policy.conf, are ignored. Hence the Stop profile can be used to override profiles that are listed using the PROFS_GRANTED and AUTHS_GRANTED keys in the /etc/security/policy.conf file.
See Chapter 3, Assigning Rights in Oracle Solaris, in Securing Users and Processes in Oracle Solaris 11.4 for information about how to use the provided security attributes, add new ones, and assign them to users and processes.
The following code snippet demonstrates how the chkauthattr() function can be used to check a user's authorization. In this case, the program checks for the solaris.jobs.admin authorization. If the user has this authorization, the program keeps its file_dac_read and file_dac_write privileges, so the user is able to read or write other users' files. Without the authorization, those privileges are turned off and the user can operate on owned files only.
#include <auth_attr.h>
#include <priv.h>
#include <secdb.h>
#include <stdio.h>
#include <stdlib.h>
/* username: the name of the user to check, for example getpwuid(getuid())->pw_name */
/* Define override privileges */
priv_set_t *override_privs = priv_allocset();
if (override_privs == NULL) {
    perror("priv_allocset");
    exit(EXIT_FAILURE);
}
/* Clear the privilege set before adding privileges. */
priv_emptyset(override_privs);
priv_addset(override_privs, PRIV_FILE_DAC_READ);
priv_addset(override_privs, PRIV_FILE_DAC_WRITE);
if (!chkauthattr("solaris.jobs.admin", username)) {
    /* Not authorized: turn off the override privileges; refuse to continue if that fails */
    if (setppriv(PRIV_OFF, PRIV_EFFECTIVE, override_privs) != 0) {
        perror("setppriv");
        exit(EXIT_FAILURE);
    }
}
priv_freeset(override_privs);
/* Authorized users continue to run with privileges */
/* Other users can read or write to their own files only */
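The scan in the first step and the name check in the second step can be combined into a small script that validates, before a program relies on chkauthattr(), that the authorization name it will pass is actually defined in auth_attr. The following is an added example, not code from the Oracle Solaris documentation: the auth_attr entries are constructed sample data in the auth_attr(5) layout (name:res1:res2:short_desc:long_desc:attr), and the function names auth_attr_entries, auth_defined, auth_short_desc and auths_under_heading are this example's own. On a Solaris host, auth_attr_entries would run getent auth_attr instead of printing the sample.

```shell
#!/bin/sh
# Constructed sample of auth_attr(5) entries in the layout that getent auth_attr prints
# (name:res1:res2:short_desc:long_desc:attr). Made-up data, not output from a real system.
AUTH_ATTR_SAMPLE='solaris.jobs.:::Job Management::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html'

# auth_attr_entries: emit the auth_attr entries, one per line.
# On a real Solaris host replace the body with: getent auth_attr
auth_attr_entries() {
    printf '%s\n' "$AUTH_ATTR_SAMPLE"
}

# auth_defined NAME: exit 0 only when NAME is defined exactly, so a misspelling such as
# solaris.job.admin is caught before the program passes the name to chkauthattr().
auth_defined() {
    auth_attr_entries | awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# auth_short_desc NAME: print the short description (fourth field) of NAME.
auth_short_desc() {
    auth_attr_entries | awk -F: -v name="$1" '$1 == name { print $4 }'
}

# auths_under_heading PREFIX: list the concrete authorizations grouped under a heading
# entry such as solaris.jobs. (heading names end with a period and grant nothing themselves).
auths_under_heading() {
    auth_attr_entries | awk -F: -v p="$1" '
        index($1, p) == 1 && $1 != p && substr($1, length($1)) != "." { print $1 }' | sort
}

# Example run: the sorted scan from the procedure, restricted to one heading,
# followed by a check of the name the C snippet above passes to chkauthattr().
auths_under_heading solaris.jobs.
if auth_defined solaris.jobs.admin; then
    echo "solaris.jobs.admin is defined: $(auth_short_desc solaris.jobs.admin)"
else
    echo "solaris.jobs.admin is not defined in auth_attr" >&2
fi
```

Because chkauthattr() returns 0 whenever the user does not hold the named authorization, a misspelled name produces the same result as a missing assignment; checking the name against auth_attr at build or install time separates the two cases.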