smf_security(5)       Standards, Environments, and Macros      smf_security(5)



NAME
       smf_security - service management facility security behavior

DESCRIPTION
       The  configuration  subsystem  for  the  service  management  facility,
       smf(5), requires privilege to modify the configuration  of  a  service.
       Privileges  are  granted  to  a  user by associating the authorizations
       described below to the user through user_attr(4) and prof_attr(4).  See
       rbac(5).

       The  following authorization is used to manipulate services and service
       instances.

       solaris.smf.modify      Authorized to add, delete, or modify  services,
                               service instances, or their properties.



   Property Group Authorizations
       The smf(5) configuration subsystem associates properties with each
       service and service instance. Related properties are grouped. Groups may
       represent  an  execution  method,  credential  information, application
       data, or restarter state. The ability  to  create  or  modify  property
       groups  can cause smf(5) components to perform actions that may require
       operating system privilege. Accordingly, the framework requires
       appropriate authorization to manipulate property groups.

       Each  property  group has a type corresponding to its purpose. The core
       property group types are method, dependency, application, and
       framework. Additional property group types can be introduced, provided they
       conform to the extended naming  convention  in  smf(5).  The  following
       basic  authorizations,  however,  apply only to the core property group
       types:

       solaris.smf.modify.method

           Authorized to change values or create, delete, or modify a property
           group of type method.



       solaris.smf.modify.dependency

           Authorized to change values or create, delete, or modify a property
           group of type dependency.



       solaris.smf.modify.application

           Authorized to change values or create, delete, or modify a property
           group of type application.



       solaris.smf.modify.framework

           Authorized to change values or create, delete, or modify a property
           group of type framework.



       solaris.smf.modify

           Authorized to add, delete, or modify services,  service  instances,
           or their properties.



       Property  group-specific  authorization  can be specified by properties
       contained in the property group.

       modify_authorization    Authorizations allow the addition, deletion, or
                               modification  of properties within the property
                               group.



       value_authorization     Authorizations allow changing the values of any
                               property of the property group except
                               modify_authorization.



       The above authorization properties are only  used  if  they  have  type
       astring. If an instance property group does not have one of the
       properties, but the instance's service has a property group of the same name
       with the property, its values are used.
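
       The property group rules above, modelled as an added example (it is
       not code from smf(5) or its repository daemon). The site.app.* names,
       the sample groups and the dict layout are assumptions made for the demo.

```python
# Added illustration of the property group rules in smf_security(5).
# Property groups are hand-built dicts: {"type": ..., "props": {name: (type, values)}}.
CORE_TYPES = {"method", "dependency", "application", "framework"}

def pg_auths(prop, inst_pg, svc_pg=None):
    """Authorizations named by `prop`, read from the instance property group
    or, if the property is absent there, from the service's same-named group."""
    for pg in (inst_pg, svc_pg):
        if pg and prop in pg["props"]:
            ptype, values = pg["props"][prop]
            # Only astring properties count. Assumption: a property of another
            # type on the instance is ignored and does not trigger the fallback.
            return set(values) if ptype == "astring" else set()
    return set()

def may_change(auths, action, prop, inst_pg, svc_pg=None):
    """action: 'value' (change a value) or 'modify' (add, delete or modify
    a property). `auths` is the set of authorizations the caller holds."""
    if "solaris.smf.modify" in auths:
        return True
    # The per-type authorizations apply only to the core property group types.
    if inst_pg["type"] in CORE_TYPES and "solaris.smf.modify." + inst_pg["type"] in auths:
        return True
    # Reading assumed here: "modification of properties" covers value changes.
    if auths & pg_auths("modify_authorization", inst_pg, svc_pg):
        return True
    if action == "value" and prop != "modify_authorization":
        return bool(auths & pg_auths("value_authorization", inst_pg, svc_pg))
    return False

# Constructed sample data (hypothetical service with a "config" property group).
SVC_CONFIG = {"type": "application",
              "props": {"value_authorization": ("astring", ["site.app.config"])}}
INST_CONFIG = {"type": "application", "props": {"port": ("count", [8080])}}
INST_BAD = {"type": "application",
            "props": {"value_authorization": ("ustring", ["site.app.config"])}}

if __name__ == "__main__":
    user = {"site.app.config"}
    # Inherited value_authorization lets the user change a value ...
    print(may_change(user, "value", "port", INST_CONFIG, SVC_CONFIG))
    # ... but not add or delete properties,
    print(may_change(user, "modify", "port", INST_CONFIG, SVC_CONFIG))
    # and a wrongly typed authorization property grants nothing.
    print(may_change(user, "value", "port", INST_BAD, SVC_CONFIG))
```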

   Service Action Authorization
       Certain actions on service instances may result in service interruption
       or deactivation. These actions require an authorization to ensure  that
       any  denial  of  service  is  a  deliberate administrative action. Such
       actions include a request for execution of the refresh or restart
       methods, or placement of a service instance in the maintenance or other
       non-operational state. The following authorization allows such  actions
       to be requested:

       solaris.smf.manage      Authorized  to  request  restart,  refresh,  or
                               other  state  modification   of   any   service
                               instance.



       In  addition,  the  general/action_authorization  property  can specify
       additional authorizations that permit service actions to  be  requested
       for  that  service  instance.  The  solaris.smf.manage authorization is
       required to modify this property.

   Defined Rights Profiles
       Two rights profiles are included that offer grouped authorizations  for
       manipulating typical smf(5) operations.

       Service Management

           A  service  manager can manipulate any service in the repository in
           any   way.   It   corresponds   to   the   solaris.smf.manage   and
           solaris.smf.modify authorizations.

           The service management profile is the minimum required to use the
           pkgadd(1M) or pkgrm(1M) commands to add or remove software packages
           that contain an inventory of services in their service manifests.



       Service Operator

           A service operator has the ability to enable or disable any service
           instance on the system, as well as  request  that  its  restart  or
           refresh method be executed. It corresponds to the
           solaris.smf.manage and solaris.smf.modify.framework authorizations.

           Sites can define additional rights  profiles  customized  to  their
           needs.
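
           An added example, not part of the original manual page: a
           least-privilege audit that resolves who ends up holding the broad
           SMF authorizations through user_attr(4) and prof_attr(4), as
           described under DESCRIPTION and in the two profiles above. The
           user names, descriptions and the "Site Web Admin" profile are
           constructed sample data.

```python
# Added illustration: parses hand-built user_attr(4)/prof_attr(4) style text.
SMF_AUTHS = ("solaris.smf.manage", "solaris.smf.modify")

# Constructed sample data; users, descriptions and "Site Web Admin" are made up.
PROF_ATTR = """\
Service Management:::Manage services:auths=solaris.smf.manage,solaris.smf.modify
Service Operator:::Administer services:auths=solaris.smf.manage,solaris.smf.modify.framework
Site Web Admin:::Hypothetical site profile:profiles=Service Operator
"""
USER_ATTR = """\
alice::::profiles=Service Management
bob::::profiles=Site Web Admin
carol::::auths=solaris.smf.*
dave::::type=normal
"""

def attrs(field):
    """Split 'k=v;k=v' into {k: [v, ...]}; values are comma-separated."""
    pairs = (kv.split("=", 1) for kv in field.split(";") if "=" in kv)
    return {k: v.split(",") for k, v in pairs}

def load(text):
    """Map the first field of each line to its parsed fifth (attr) field."""
    rows = (l.split(":", 4) for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: attrs(r[4]) for r in rows if len(r) == 5}

def effective_auths(entry, profiles, seen=None):
    """Direct auths plus those of every assigned profile, following nesting."""
    seen = set() if seen is None else seen
    found = set(entry.get("auths", []))
    for name in entry.get("profiles", []):
        if name in profiles and name not in seen:
            seen.add(name)  # guards against profiles that reference each other
            found |= effective_auths(profiles[name], profiles, seen)
    return found

def grants(held, wanted):
    """True if `wanted` is held exactly or through a trailing-* wildcard."""
    return any(h == wanted or (h.endswith("*") and wanted.startswith(h[:-1]))
               for h in held)

def smf_holders(user_text=USER_ATTR, prof_text=PROF_ATTR):
    """Return {user: [broad SMF authorizations the user effectively holds]}."""
    profiles, users = load(prof_text), load(user_text)
    report = {}
    for user, entry in users.items():
        hits = [a for a in SMF_AUTHS if grants(effective_auths(entry, profiles), a)]
        if hits:
            report[user] = hits
    return report
```

           Calling smf_holders() on the sample data reports alice and carol
           with both authorizations and bob with solaris.smf.manage only.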



   Remote Repository Modification
       Remote repository servers may deny modification attempts due to
       additional privilege checks. See NOTES.

SEE ALSO
       auths(1),    profiles(1),    pkgadd(1M),    pkgrm(1M),    prof_attr(4),
       user_attr(4), rbac(5), smf(5)

NOTES
       The present version of smf(5) does not support remote repositories.



SunOS 5.10                         2 Dec 04                    smf_security(5)