sys_attrs_sec(5)					     sys_attrs_sec(5)



NAME

  sys_attrs_sec	- sec subsystem	attributes

DESCRIPTION

  This reference page lists and describes attributes for the Security (sec)
  kernel subsystem. Refer to the sys_attrs(5) reference page for an
  introduction to the topic of kernel subsystem attributes. In the following
  list, attributes preceded by an asterisk (*) can be modified at run time.



  *acl_mode
      Enables (enable) or disables (disable) Access Control List (ACL) access
      checks and default ACL inheritance on the	system.	See acl(4) and the
      Security manual for more information.

      Default value: disable

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.



  audit_buffer_size
      The size of the audit buffer in 1-KB units.

      Default value: 16	(kilobytes)

      Minimum value: 16

      Maximum value: 1024

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.

      If you are generating your own audit records and the size	of these
      records is close to or greater than the current audit_buffer_size
      value, increasing	this value may improve system performance.



  audit_site_events
      The size,	in bytes, reserved for the audit site mask.  Each byte can
      support four site-defined	events.

      Default value: 64	(bytes)

      Minimum value: 1

      Maximum value: 1,048,576

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.

      The audit	subsystem allows sites to define their own audit events
      (site-defined events). The site-defined events are specified in the
      /etc/sec/site_events file. Because the number of site-defined events is
      determined by the	customer, the audit_site_events	attribute is provided
      so the customer can specify how much memory the kernel needs to reserve
      for these	events.	There is no need to change this	value unless there
      are more than 256	site-defined events. See the Security manual for more
      information on specifying	site-defined events.



  *nfs_flatten_mode
      A value that controls the permission bits of a file with access control
      lists (ACLs) as seen by an NFS Version 2 client. NFS Version 2 clients
      make their own file access decisions, based on their interpretation of
      the file's permission bits. The file permission bits may not accurately
      specify file access if the file has an ACL. You can specify the
      following values for the nfs_flatten_mode attribute to better control
      file access decisions by NFS Version 2 clients:

      0       Do not modify file access; send the original file permission
              bits to the NFS Version 2 client.

      1       Restrict the file access; modify the "group" and "other" fields
              of the file permissions so that the permission bits grant only
              a level of access that is granted in every ACL entry. For
              example, send permission bits that grant write access only if
              all ACL entries grant write access.

      2       Make file access more permissive; modify the "group" and
              "other" fields of the file permissions so that the permission
              bits reflect a level of access that is granted by the
              combination of ACL entries. For example, if some ACL entries
              grant read and execute permission and others grant write
              permission, send permission bits that grant read, write, and
              execute permission.

      Default value: 0

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.

      See acl(4) for more information.
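
      The three nfs_flatten_mode values, worked through on one constructed
      ACL. This is an added example, not Tru64 code: it models the rule only
      as worded above and assumes the combined value is written to both the
      "group" and "other" fields while the owner field is left unchanged.

```python
# Added illustration: a simplified model of the nfs_flatten_mode rule as
# worded on this page. Not Tru64 kernel code; ACL entries are constructed.
R, W, X = 4, 2, 1

def perm_bits(text):
    """Convert a three-character permission string such as 'r-x' to 0-7."""
    if len(text) != 3:
        raise ValueError(f"bad permission string: {text!r}")
    return sum(bit for ch, bit in zip(text, (R, W, X)) if ch != "-")

def flatten(mode, acl, nfs_flatten_mode):
    """Return the permission bits sent to an NFS Version 2 client.

    mode -- original permission bits of the file, e.g. 0o754
    acl  -- list of (entry, perms) pairs, e.g. ("group:staff", "rw-")
    Assumption: the combined value is written to both the group and the
    other field, and the owner field is left unchanged.
    """
    if nfs_flatten_mode == 0 or not acl:
        return mode                      # 0: original bits, unmodified
    perms = [perm_bits(p) for _, p in acl]
    if nfs_flatten_mode == 1:            # 1: only what every entry grants
        combined = R | W | X
        for p in perms:
            combined &= p
    elif nfs_flatten_mode == 2:          # 2: anything some entry grants
        combined = 0
        for p in perms:
            combined |= p
    else:
        raise ValueError("nfs_flatten_mode must be 0, 1 or 2")
    return (mode & ~0o077) | (combined << 3) | combined

# Constructed sample ACL for a file whose permission bits are 0o754.
SAMPLE_ACL = [("user::", "rwx"), ("user:alice", "r-x"), ("group::", "r-x"),
              ("group:staff", "rw-"), ("other::", "r--")]

def sample_views(mode=0o754):
    """Bits an NFS Version 2 client sees under each attribute value."""
    return {m: oct(flatten(mode, SAMPLE_ACL, m)) for m in (0, 1, 2)}

if __name__ == "__main__":
    for value, bits in sample_views().items():
        print(f"nfs_flatten_mode={value}: {bits}")
```

      In this model, value 2 presents bits to the client that are broader
      than any single entry in the sample ACL grants, which is the trade-off
      to weigh before choosing it over value 1.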



  *ufs_proplist_max_entry
      The size limit, in bytes,	of property list entries on UFS	file systems.

      Default value: 8192 (bytes)

      Minimum value: 320

      Maximum value: 18,446,744,073,709,551,615

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.

      On AdvFS file systems, a property list entry has a hard size limit of
      1560 bytes. The ufs_proplist_max_entry attribute facilitates
      interoperation of UFS and AdvFS property list entries. Set this
      attribute to 1560 if you want to use all property list entries on your
      system with both UFS and AdvFS file systems. See proplist(4) for more
      information about property lists.

      The ufs_proplist_max_entry attribute interacts with the
      ufs_sec_proplist_max_entry attribute. The latter is used to configure
      the size of ACLs on UFS file systems. Because ACLs are stored in
      property lists, ufs_sec_proplist_max_entry cannot be greater than
      (ufs_proplist_max_entry - 64) bytes. If ufs_sec_proplist_max_entry is
      set to exceed this limit, the value of ufs_proplist_max_entry is
      automatically increased.

  *ufs_sec_proplist_max_entry
      The size limit, in bytes,	of ACLs	on UFS file systems.

      Default value: 1548 (bytes)

      Minimum value: 256

      Maximum value: 18,446,744,073,709,551,551

      In a TruCluster environment, the value of	this attribute must be the
      same on all member systems.

      ACLs are implemented by using property lists. On AdvFS file systems,
      there is a hard size limit of 1560 bytes for a property list entry.
      This limit allows 2548 bytes for the ACL data, or a total of 65
      entries, plus the three required entries of user::, group::, and
      other::. Files have only one ACL, an Access ACL. Directories can have
      up to three ACLs: an Access ACL, a Default ACL, and a Default Directory
      ACL. The AdvFS limit is placed on each of the three ACLs for a
      directory, meaning that each can have up to 65 entries. See acl(4) and
      the Security manual for more information about ACLs.

      By default, the ufs_sec_proplist_max_entry attribute is set to ensure
      that the size limit of ACLs on UFS file systems is the same as the size
      limit of ACLs on AdvFS file systems. This ensures that ACLs on your
      system can be copied between UFS and AdvFS file systems. It is
      recommended that you not modify the default setting of
      ufs_sec_proplist_max_entry unless you have a strong need for larger
      ACLs.

      The ufs_sec_proplist_max_entry attribute interacts with the
      ufs_proplist_max_entry attribute.	See the	description of
      ufs_proplist_max_entry for a description of this relationship.
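
      A consistency check built from the rules on this page: the 64-byte
      relationship between the two property list attributes, the default ACL
      size that matches AdvFS, and the TruCluster requirement that values
      match on all members. This is an added example, not Tru64 code; the
      member names, the "name = value" listing format and all sample values
      are constructed.

```python
# Added illustration, not Tru64 code. Member names and values are constructed.
OVERHEAD = 64            # this page: sec limit <= proplist limit - 64
ADVFS_ACL_LIMIT = 1548   # default ufs_sec_proplist_max_entry, matches AdvFS

def parse_attrs(text):
    """Parse 'name = value' lines into a dict (assumed listing format)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def min_proplist_for(sec_max):
    """Smallest ufs_proplist_max_entry that satisfies the 64-byte rule."""
    return sec_max + OVERHEAD

def audit(members):
    """Return (scope, attribute, issue) findings for a set of members."""
    parsed = {m: parse_attrs(t) for m, t in members.items()}
    findings = []
    for name in sorted({n for a in parsed.values() for n in a}):
        if len({a.get(name) for a in parsed.values()}) > 1:
            findings.append(("cluster", name, "differs between members"))
    for member, a in sorted(parsed.items()):
        sec = int(a["ufs_sec_proplist_max_entry"])
        prop = int(a["ufs_proplist_max_entry"])
        if prop < min_proplist_for(sec):
            findings.append((member, "ufs_proplist_max_entry",
                             f"below {min_proplist_for(sec)}, will be raised"))
        if sec > ADVFS_ACL_LIMIT:
            findings.append((member, "ufs_sec_proplist_max_entry",
                             "UFS ACLs may exceed the AdvFS size limit"))
    return findings

SAMPLE = {  # constructed values for two hypothetical cluster members
    "member1": "acl_mode = enable\nnfs_flatten_mode = 1\n"
               "ufs_proplist_max_entry = 8192\n"
               "ufs_sec_proplist_max_entry = 1548\n",
    "member2": "acl_mode = disable\nnfs_flatten_mode = 1\n"
               "ufs_proplist_max_entry = 8192\n"
               "ufs_sec_proplist_max_entry = 8192\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```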

SEE ALSO

  Files: acl(4), proplist(4)

  Others: sys_attrs(5)

  Security