Friday February 03, 2006

My little Solaris security cheat sheet

This returned me to sanity a few times while learning about Solaris security. Like many others, I'm not a security expert and I often need a short version to fit in my head.

authorization A right assigned to users that is checked by privileged programs to determine whether users can execute restricted functionality. More in auth_attr(4).

privilege An attribute that provides fine-grained control over the actions of processes, as opposed to traditional unix all-or-nothing, super-user vs user, model. More in privileges(5).

profile A logical grouping of authorizations and commands. Profile shells, pf[ck]sh, interpret profiles to form a secure execution environment. More in prof_attr(4), exec_attr(4).

role A type of user account, with associated authorizations and profiles. Roles cannot be logged in directly - users assume roles using su(1M).

how to get	CLI	API
authorizations	auths(1)	getauthattr(3SECDB)
privileges	ppriv(1)	getppriv(2)
profiles	profiles(1)	getprofattr(3SECDB)
roles	roles(1)	-

authorizations	privileges
Per-user: all user processes have same authorizations.	Per-process: each process has separate privilege sets.
Static: once assigned to user, remains the same.	Dynamic: privilege sets can change during process lifecycle.
A simple token. In theory can be easily added to other OSes.	Integrated deep into Solaris.
Userland	Userland and kernel.
Introduced in Solaris 8 1	Introduced in Solaris 10 1

¹Was also available much earlier in Trusted Solaris.

Tags: Solaris OpenSolaris Security

(2006-02-03 09:36:14.0) Permalink