EXEC_ATTR(5) File Formats and Configurations EXEC_ATTR(5)
NAME
exec_attr - execution profiles database
SYNOPSIS
/etc/security/exec_attrDESCRIPTION
/etc/security/exec_attr is a local database that specifies the execution
attributes associated with profiles. The
exec_attr file can be used with
other sources for execution profiles, including the
exec_attr NIS map.
Programs use the
getexecattr(3SECDB) routines to access this information.
The search order for multiple execution profile sources is specified in
the
/etc/nsswitch.conf file, as described in the
nsswitch.conf(5) man
page. The search order follows the entry for
prof_attr(5).
A profile is a logical grouping of authorizations and commands that is
interpreted by a profile shell to form a secure execution environment.
The shells that interpret profiles are
pfcsh,
pfksh, and
pfsh. See the
pfsh(1) man page. Each user's account is assigned zero or more profiles
in the
user_attr(5) database file.
Each entry in the
exec_attr database consists of one line of text
containing seven fields separated by colons (
:). Line continuations using
the backslash (
\) character are permitted. The basic format of each entry
is:
name:
policy:
type:
res1:
res2:
id:
attr name The name of the profile. Profile names are case-sensitive.
policy The security policy that is associated with the profile entry.
The valid policies are
suser (standard Solaris superuser) and
solaris. The
solaris policy recognizes privileges (see
privileges(7)); the
suser policy does not.
The
solaris and
suser policies can coexist in the same
exec_attr database, so that Solaris releases prior to the
current release can use the
suser policy and the current
Solaris release can use a
solaris policy.
solaris is a superset
of
suser; it allows you to specify privileges in addition to
UIDs. Policies that are specific to the current release of
Solaris or that contain privileges should use
solaris.
Policies that use UIDs only or that are not specific to the
current Solaris release should use
suser.
type The type of object defined in the profile. The only valid type
is
cmd, which specifies that the
ID field is a command that
would be executed by a shell.
res1 Reserved for future use.
res2 Reserved for future use.
id A string that uniquely identifies the object described by the
profile. The id is either the full path to the command or the
asterisk (
*) symbol, which is used to allow all commands. An
asterisk that replaces the filename component in a pathname
indicates all files in a particular directory.
To specify arguments, the pathname should point to a shell
script that is written to execute the command with the desired
argument. In a Bourne shell, the effective UID is reset to the
real UID of the process when the effective UID is less than 100
and not equal to the real UID. Depending on the
euid and
egid values, Bourne shell limitations might make other shells
preferable. To prevent the effective UIDs from being reset to
real UIDs, you can start the script with the
-p option.
#!/bin/sh -p
attr An optional list of semicolon-separated (
;) key-value pairs
that describe the security attributes to apply to the object
upon execution. Zero or more keys may be specified. The list of
valid key words depends on the policy enforced. The following
key words are valid:
euid,
uid, egid,
gid,
privs, and
limitprivs.
euid and
uid contain a single user name or a numeric user
ID.
Commands designated with
euid run with the effective
UID indicated, which is similar to setting the setuid bit on an
executable file. Commands designated with
uid run with both the
real and effective
UIDs. Setting
uid may be more appropriate
than setting the
euid on privileged shell scripts.
egid and
gid contain a single group name or a numeric group
ID.
Commands designated with
egid run with the effective
GID indicated, which is similar to setting the setgid bit on a
file. Commands designated with
gid run with both the real and
effective
GIDs. Setting
gid may be more appropriate than
setting
guid on privileged shell scripts.
privs contains a privilege set which will be added to the
inheritable set prior to running the command.
limitprivs contains a privilege set which will be assigned to
the limit set prior to running the command.
privs and
limitprivs are only valid for the
solaris policy.
EXAMPLES
Example 1: Using Effective User ID
The following example shows the
audit command specified in the Audit
Control profile to execute with an effective user
ID of root (
0):
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0FILES
/etc/nsswitch.conf /etc/user_attr /etc/security/exec_attrATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Availibility | SUNWcsr |
+--------------------+-----------------+
|Interface Stability | See below. |
+--------------------+-----------------+
The command-line syntax is Committed. The output is Uncommitted.
CAVEATS
Because the list of legal keys is likely to expand, any code that parses
this database must be written to ignore unknown key-value pairs without
error. When any new keywords are created, the names should be prefixed
with a unique string, such as the company's stock symbol, to avoid
potential naming conflicts.
The following characters are used in describing the database format and
must be escaped with a backslash if used as data: colon (
:), semicolon
(
;), equals (
=), and backslash (
\).
SEE ALSO
auths(1),
profiles(1),
roles(1),
sh(1),
getauthattr(3SECDB),
getexecattr(3SECDB),
getprofattr(3SECDB),
getuserattr(3SECDB),
kva_match(3SECDB),
auth_attr(5),
prof_attr(5),
user_attr(5),
attributes(7),
privileges(7),
makedbm(8) August 3, 2017
EXEC_ATTR(5)