EXEC_ATTR(5) File Formats and Configurations EXEC_ATTR(5)
NAME
exec_attr - execution profiles database
SYNOPSIS
/etc/security/exec_attr
DESCRIPTION
/etc/security/exec_attr is a local database that specifies the
execution attributes associated with profiles. The exec_attr file can
be used with other sources for execution profiles, including the
exec_attr NIS map. Programs use the getexecattr(3SECDB) routines to
access this information.

The search order for multiple execution profile sources is specified
in the /etc/nsswitch.conf file, as described in the nsswitch.conf(5)
man page. The search order follows the entry for prof_attr(5).

A profile is a logical grouping of authorizations and commands that
is interpreted by a profile shell to form a secure execution
environment. The shells that interpret profiles are pfcsh, pfksh, and
pfsh. See the pfsh(1) man page. Each user's account is assigned zero
or more profiles in the user_attr(5) database file.
Each entry in the exec_attr database consists of one line of text
containing seven fields separated by colons (:). Line continuations
using the backslash (\) character are permitted. The basic format of
each entry is:

name:policy:type:res1:res2:id:attr

name      The name of the profile. Profile names are case-sensitive.
policy    The security policy that is associated with the profile
          entry. The valid policies are suser (standard Solaris
          superuser) and solaris. The solaris policy recognizes
          privileges (see privileges(7)); the suser policy does not.

          The solaris and suser policies can coexist in the same
          exec_attr database, so that Solaris releases prior to the
          current release can use the suser policy and the current
          Solaris release can use a solaris policy. solaris is a
          superset of suser; it allows you to specify privileges in
          addition to UIDs. Policies that are specific to the current
          release of Solaris or that contain privileges should use
          solaris. Policies that use UIDs only or that are not
          specific to the current Solaris release should use suser.
type      The type of object defined in the profile. The only valid
          type is cmd, which specifies that the ID field is a command
          that would be executed by a shell.
res1 Reserved for future use.
res2 Reserved for future use.
id        A string that uniquely identifies the object described by
          the profile. The id is either the full path to the command
          or the asterisk (*) symbol, which is used to allow all
          commands. An asterisk that replaces the filename component
          in a pathname indicates all files in a particular
          directory.

          To specify arguments, the pathname should point to a shell
          script that is written to execute the command with the
          desired argument. In a Bourne shell, the effective UID is
          reset to the real UID of the process when the effective UID
          is less than 100 and not equal to the real UID. Depending
          on the euid and egid values, Bourne shell limitations might
          make other shells preferable. To prevent the effective UIDs
          from being reset to real UIDs, you can start the script
          with the -p option:

          #!/bin/sh -p
attr      An optional list of semicolon-separated (;) key-value pairs
          that describe the security attributes to apply to the
          object upon execution. Zero or more keys may be specified.
          The list of valid key words depends on the policy enforced.
          The following key words are valid: euid, uid, egid, gid,
          privs, and limitprivs.

          euid and uid contain a single user name or a numeric user
          ID. Commands designated with euid run with the effective
          UID indicated, which is similar to setting the setuid bit
          on an executable file. Commands designated with uid run
          with both the real and effective UIDs. Setting uid may be
          more appropriate than setting the euid on privileged shell
          scripts.

          egid and gid contain a single group name or a numeric group
          ID. Commands designated with egid run with the effective
          GID indicated, which is similar to setting the setgid bit
          on a file. Commands designated with gid run with both the
          real and effective GIDs. Setting gid may be more
          appropriate than setting egid on privileged shell scripts.

          privs contains a privilege set which will be added to the
          inheritable set prior to running the command.

          limitprivs contains a privilege set which will be assigned
          to the limit set prior to running the command.

          privs and limitprivs are only valid for the solaris policy.
EXAMPLES
Example 1: Using Effective User ID

The following example shows the audit command specified in the Audit
Control profile to execute with an effective user ID of root (0):

Audit Control:suser:cmd:::/usr/sbin/audit:euid=0

FILES
/etc/nsswitch.conf
/etc/user_attr
/etc/security/exec_attr

ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE     | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Availability        | SUNWcsr         |
+--------------------+-----------------+
|Interface Stability | See below.      |
+--------------------+-----------------+
The command-line syntax is Committed. The output is Uncommitted.
CAVEATS
Because the list of legal keys is likely to expand, any code that
parses this database must be written to ignore unknown key-value
pairs without error. When any new keywords are created, the names
should be prefixed with a unique string, such as the company's stock
symbol, to avoid potential naming conflicts.
The following characters are used in describing the database format
and must be escaped with a backslash if used as data: colon (:),
semicolon (;), equals (=), and backslash (\).
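
The entry format and the two parsing rules in CAVEATS (ignore unknown keys, honor backslash escapes) can be exercised with the following added example, which is not part of the original man page or of the Solaris libraries. The "Example Net" and "Example Bad" entries, the /opt/example paths, the ACME_tag key and the treatment of "#" lines as comments are assumptions made for illustration.

```python
import re

KNOWN_KEYS = {"euid", "uid", "egid", "gid", "privs", "limitprivs"}

def split_unescaped(text, sep):
    """Split on sep, treating backslash plus the next character as data."""
    parts = [""]
    for tok in re.findall(r"\\.|.", text, re.S):   # escape pair or one char
        if tok == sep:
            parts.append("")
        else:
            parts[-1] += tok
    return parts

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_exec_attr(text):
    entries = []
    for line in text.replace("\\\n", "").splitlines():   # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):   # '#' comments: assumption, not on the page
            continue
        fields = split_unescaped(line, ":")
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
        attrs, ignored = {}, []
        for pair in split_unescaped(fields[6], ";"):
            kv = [unescape(p) for p in split_unescaped(pair, "=")]
            if len(kv) == 2 and kv[0] in KNOWN_KEYS:
                attrs[kv[0]] = kv[1]
            elif len(kv) == 2:
                ignored.append(kv[0])   # unknown key: skipped without error
        name, policy, typ, _, _, ident = map(unescape, fields[:6])
        entries.append({"name": name, "policy": policy, "type": typ,
                        "id": ident, "attrs": attrs, "ignored": ignored})
    return entries

def check(e):
    rules = [(e["policy"] not in ("suser", "solaris"), "unknown policy"),
             (e["type"] != "cmd", "type must be cmd"),
             (e["policy"] != "solaris" and bool(e["attrs"].keys() & {"privs", "limitprivs"}),
              "privs/limitprivs require the solaris policy")]
    return [msg for bad, msg in rules if bad]

# Constructed sample: the page's own example plus two made-up entries.
SAMPLE = r"""Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
Example Net:solaris:cmd:::/opt/example/bin/net\:tool:privs=net_privaddr;\
ACME_tag=x;uid=0
Example Bad:suser:cmd:::/opt/example/bin/tool:privs=file_dac_read"""
```

Running check() over every parsed entry reports the third sample line, because privs is set under the suser policy.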
SEE ALSO
auths(1), profiles(1), roles(1), sh(1), getauthattr(3SECDB),
getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
kva_match(3SECDB), auth_attr(5), prof_attr(5), user_attr(5),
attributes(7), privileges(7), makedbm(8)

August 3, 2017 EXEC_ATTR(5)