SMF_SECURITY(7) Standards, Environments, and Macros SMF_SECURITY(7)
NAME
smf_security - service management facility security behavior
DESCRIPTION
The configuration subsystem for the service management facility,
smf(7),
requires privilege to modify the configuration of a service. Privileges
are granted to a user by associating the authorizations described below
to the user through
user_attr(5) and
prof_attr(5). See
rbac(7).
The following authorization is used to manipulate services and service
instances.
solaris.smf.modify Authorized to add, delete, or modify services,
service instances, or their properties, and to read
protected property values.
Property Group Authorizations
The
smf(7) configuration subsystem associates properties with each
service and service instance. Related properties are grouped. Groups can
represent an execution method, credential information, application data,
or restarter state. The ability to create or modify property groups can
cause
smf(7) components to perform actions that can require operating
system privilege. Accordingly, the framework requires appropriate
authorization to manipulate property groups.
Each property group has a type corresponding to its purpose. The core
property group types are
method,
dependency,
application, and
framework.
Additional property group types can be introduced, provided they conform
to the extended naming convention in
smf(7). The following basic
authorizations, however, apply only to the core property group types:
solaris.smf.modify.method Authorized to change values or create, delete, or modify a property
group of type
method.
solaris.smf.modify.dependency Authorized to change values or create, delete, or modify a property
group of type
dependency.
solaris.smf.modify.application Authorized to change values, read protected values, and create,
delete, or modify a property group of type application.
solaris.smf.modify.framework Authorized to change values or create, delete, or modify a property
group of type
framework.
solaris.smf.modify Authorized to add, delete, or modify services, service instances, or
their properties, and to read protected property values.
Property group-specific authorization can be specified by properties
contained in the property group.
modify_authorization Authorizations allow the addition, deletion, or
modification of properties within the property
group, and the retrieval of property values from
the property group if protected.
value_authorization Authorizations allow changing the values of any
property of the property group except
modify_authorization, and the retrieval of any
property values except modify_authorization from
the property group if protected.
read_authorization Authorizations allow the retrieval of property
values within the property group. The presence of
a string-valued property with this name
identifies the containing property group as
protected. This property has no effect on
property groups of types other than application.
See
Protected Property Groups.
The above authorization properties are only used if they have type
astring. If an instance property group does not have one of the
properties, but the instance's service has a property group of the same
name with the property, its values are used.
Protected Property Groups
Normally, all property values in the repository can be read by any user
without explicit authorization. Property groups of non-framework types
can be used to store properties with values that require protection. They
must not be revealed except upon proper authorization. A property group's
status as protected is indicated by the presence of a string-valued
read_authorization property. If this property is present, the values of
all properties in the property group is retrievable only as described in
Property Group Authorizations.
Administrative domains with policies that prohibit backup of data
considered sensitive should exclude the SMF repository databases from
their backups. In the face of such a policy, non-protected property
values can be backed up by using the
svccfg(8) archive command to create
an archive of the repository without protected property values.
Service Action Authorization
Certain actions on service instances can result in service interruption
or deactivation. These actions require an authorization to ensure that
any denial of service is a deliberate administrative action. Such actions
include a request for execution of the refresh or restart methods, or
placement of a service instance in the maintenance or other non-
operational state. The following authorization allows such actions to be
requested:
solaris.smf.manage Authorized to request restart, refresh, or other
state modification of any service instance.
In addition, the
general/action_authorization property can specify
additional authorizations that permit service actions to be requested for
that service instance. The
solaris.smf.manage authorization is required
to modify this property.
Defined Rights Profiles
Two rights profiles are included that offer grouped authorizations for
manipulating typical
smf(7) operations.
Service Management A service manager can manipulate any service in the
repository in any way. It corresponds to the
solaris.smf.manage and
solaris.smf.modify authorizations.
Service Operator A service operator has the ability to enable or
disable any service instance on the system, as well
as request that its restart or refresh method be
executed. It corresponds to the
solaris.smf.manage and
solaris.smf.modify.framework authorizations.
Sites can define additional rights profiles
customized to their needs.
Remote Repository Modification
Remote repository servers can deny modification attempts due to
additional privilege checks. See NOTES.
SEE ALSO
auths(1),
profiles(1),
prof_attr(5),
user_attr(5),
rbac(7),
smf(7),
svccfg(8)NOTES
The present version of
smf(7) does not support remote repositories.
When a service is configured to be started as root but with privileges
different from
limit_privileges, the resulting process is privilege
aware. This can be surprising to developers who expect
seteuid(<non-zero UID>) to reduce privileges to basic or less.
May 13, 2017
SMF_SECURITY(7)