PROF_ATTR(5)           File Formats and Configurations          PROF_ATTR(5)
NAME
       prof_attr - profile description database
SYNOPSIS
       /etc/security/prof_attr
DESCRIPTION
       /etc/security/prof_attr is a local source for execution profile
       names, descriptions, and other attributes of execution profiles. The
       prof_attr file can be used with other profile sources, including the
       prof_attr NIS map. Programs use the getprofattr(3SECDB) routines to
       gain access to this information.

       The search order for multiple prof_attr sources is specified in the
       /etc/nsswitch.conf file, as described in the nsswitch.conf(5) man
       page.

       An execution profile is a mechanism used to bundle together the
       commands and authorizations needed to perform a specific function. An
       execution profile can also contain other execution profiles. Each
       entry in the prof_attr database consists of one line of text
       containing five fields separated by colons (:). Line continuations
       using the backslash (\) character are permitted. The format of each
       entry is:

         profname:res1:res2:desc:attr

       profname
                   The name of the profile. Profile names are case-sensitive.

       res1
                   Reserved for future use.

       res2
                   Reserved for future use.

       desc
                   A long description. This field should explain the purpose
                   of the profile, including what type of user would be
                   interested in using it. The long description should be
                   suitable for displaying in the help text of an
                   application.

       attr
                   An optional list of semicolon-separated (;) key-value
                   pairs that describe the security attributes to apply to
                   the object upon execution. Zero or more keys can be
                   specified. There are four valid keys: help, profiles,
                   auths, and privs.

                   help is assigned the name of a file ending in .htm or
                   .html.

                   auths specifies a comma-separated list of authorization
                   names chosen from those names defined in the auth_attr(5)
                   database. Authorization names can be specified using the
                   asterisk (*) character as a wildcard. For example,
                   solaris.printer.* would mean all of Sun's authorizations
                   for printing.

                   profiles specifies a comma-separated list of profile
                   names chosen from those names defined in the prof_attr
                   database.

                   privs specifies a comma-separated list of privilege
                   names chosen from those names defined in the
                   priv_names(5) database. These privileges can then be used
                   for executing commands with pfexec(1).
EXAMPLES
       Example 1: Allowing Execution of All Commands
       The following entry allows the user to execute all commands:

         All:::Use this profile to give a :help=All.html

       Example 2: Consulting the Local prof_attr File First
       With the following nsswitch.conf entry, the local prof_attr file is
       consulted before the NIS map:

         prof_attr: files nis

FILES
       /etc/nsswitch.conf
       /etc/security/prof_attr
NOTES
       The root user is usually defined in local databases because root
       needs to be able to log in and do system maintenance in single-user
       mode and at other times when the network name service databases are
       not available. So that the profile definitions for root can be
       located at such times, root's profiles should be defined in the local
       prof_attr file, and the order shown in the example nsswitch.conf(5)
       file entry under EXAMPLES is highly recommended.

       Because the list of legal keys is likely to expand, any code that
       parses this database must be written to ignore unknown key-value
       pairs without error. When any new keywords are created, the names
       should be prefixed with a unique string, such as the company's stock
       symbol, to avoid potential naming conflicts.

       Each application has its own requirements for whether the help value
       must be a relative pathname ending with a filename or the name of a
       file. The only known requirement is for the name of a file.

       The following characters are used in describing the database format
       and must be escaped with a backslash if used as data: colon (:),
       semicolon (;), equals (=), and backslash (\).
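
       The parsing rules above (five fields, backslash continuation and
       escapes, unknown keys ignored), shown as an added example that is not
       part of the original man page or of the system's getprofattr(3SECDB)
       code. It also flattens nested profiles so an audit can see what a
       profile grants in total. The function names, the sample entries, the
       acme_tier key and the handling of '#' comment lines are assumptions.

```python
import re
LIST_KEYS = ("profiles", "auths", "privs")  # comma-separated; "help" is a single value

def split_unescaped(text, sep):
    parts = [""]
    for tok in re.findall(r"\\.|.", text):  # a backslash plus the next char is one token
        if tok == sep:
            parts.append("")
        else:
            parts[-1] += tok
    return parts

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_prof_attr(text):
    """Return {profname: {"desc", "help", "profiles", "auths", "privs"}}."""
    db = {}
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        if not line.strip() or line.startswith("#"):  # '#' comments are an assumption
            continue
        fields = split_unescaped(line, ":")
        if len(fields) != 5:
            raise ValueError("expected 5 colon-separated fields: %r" % line)
        entry = {"desc": unescape(fields[3]), "help": None, **{k: [] for k in LIST_KEYS}}
        for pair in split_unescaped(fields[4], ";"):  # unknown keys are ignored, per NOTES
            key, _, value = pair.partition("=")
            if key in LIST_KEYS:
                entry[key] = [unescape(v) for v in value.split(",") if v]
            elif key == "help":
                entry["help"] = unescape(value)
        db[unescape(fields[0])] = entry
    return db

def effective(db, name, seen=frozenset()):
    """Union of auths and privs of a profile and every profile it includes."""
    if name not in db or name in seen:  # unknown name or include cycle adds nothing
        return set(), set()
    auths, privs = set(db[name]["auths"]), set(db[name]["privs"])
    for sub in db[name]["profiles"]:
        a, p = effective(db, sub, seen | {name})
        auths, privs = auths | a, privs | p
    return auths, privs

SAMPLE = r"""# constructed sample entries, not taken from a real system
Print Ops:::Manage printers\: queues and jobs:auths=solaris.printer.*;\
help=PrintOps.html;acme_tier=2
Site Admin:::Constructed nested profile:profiles=Print Ops,Site Admin;privs=sys_mount
"""
```

       Calling effective(parse_prof_attr(SAMPLE), "Site Admin") returns the
       authorizations and privileges inherited through Print Ops as well.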
SEE ALSO
       auths(1), pfexec(1), profiles(1), getauthattr(3SECDB),
       getprofattr(3SECDB), getuserattr(3SECDB), auth_attr(5), exec_attr(5),
       priv_names(5), user_attr(5)

                              February 25, 2017                 PROF_ATTR(5)