User's Manual

Solaris 9 Security CX-310-301 34
- deallocate – Used to deallocate a device after a user has finished with it
- dminfo – Used to report information on a device. Reads the device_maps file
- list_devices – Produces a list of allocatable devices
- device-clean scripts – A series of scripts that prohibit any other user from accessing information or data from a device when the user has finished using it. The scripts can be found in the directory /etc/security/lib.
Authorizing Device Access to a User
In order for a user to be able to use an allocatable device, certain authorizations must be given to the user. These are granted using the usermod command. The authorizations are already present in the /etc/security/auth_attr file.
To give user testuser the device authorizations, run the following command:
# usermod -A "solaris.device.*" testuser
This, in turn, makes an entry in the user attributes database, /etc/user_attr as shown here:
testuser::::type=normal;auths=solaris.device.*
Note that auth_attr and user_attr are both databases used as part of the Role Based Access Control (RBAC) feature, described later in this document.
Managing Devices Under BSM Control
There are a number of steps to follow to restrict access to specified devices. These are described below:
1. Ensure each device has an entry in the file /etc/security/device_maps.
2. Edit the file /etc/security/device_allocate to determine which devices can be allocated by users.
3. Any user who is going to use these devices must have the necessary authorizations. Only users with these authorizations can use the devices; all others will not be able to allocate them.
4. An empty lock file needs to be created for each device you decide can be allocated by a user. The lock file must be created in the /etc/security/dev directory and should have the same name as that used when adding the device to the /etc/security/device_maps file.
5. Change the permissions of the actual device files (in /dev) to 000 and make sure they are owned by user bin and group bin.
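The following POSIX shell script is an added example, not part of the study guide, that checks both the user_attr authorization entry described under "Authorizing Device Access to a User" and steps 1, 2, 4 and 5 of the procedure above against a root directory of your choice. It assumes the one-entry-per-line layouts of device_maps (colon-separated, device name first, device list third), device_allocate (semicolon-separated, device name first) and user_attr (colon-separated, key=value attributes in the fifth field); backslash-continued device_maps entries are not handled. The staging tree built by build_fixture, including its device names, paths and the fd_clean script name, is constructed sample data for the demonstration.

```shell
#!/bin/sh
# Added example (not from the study guide): audit the BSM device-allocation
# setup described in the five steps above, plus the user_attr authorization.
# Every function takes a ROOT directory so the same checks can run against a
# staged tree (see build_fixture) or the live system (pass "/").
#
# Assumed file formats (one entry per line; backslash-continued device_maps
# entries, which Solaris permits, are NOT handled here):
#   device_maps:     device-name:device-type:device-list[:]
#   device_allocate: device-name;device-type;reserved;reserved;auths;device-exec
#   user_attr:       user:qualifier:res1:res2:key=value;key=value

# Device names declared in device_maps (first colon-separated field).
bsm_devices() {
    root=${1:-/}; root=${root%/}
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$root/etc/security/device_maps" |
        awk -F: 'NF >= 3 { print $1 }'
}

# The auths= value from a user's user_attr entry (empty if none).
user_auths() {
    root=${1:-/}; root=${root%/}
    awk -F: -v u="$2" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) if (kv[i] ~ /^auths=/) print substr(kv[i], 7)
    }' "$root/etc/user_attr"
}

# Does user $2 hold authorization $3, either exactly or through a trailing-*
# wildcard such as solaris.device.*?   Usage: has_auth ROOT USER AUTH
has_auth() {
    for a in $(user_auths "$1" "$2" | tr ',' ' '); do
        case $a in
            "$3") return 0 ;;
            *.\*) [ "${3#${a%\*}}" != "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# Print one line per deviation from steps 1, 2, 4 and 5; exit status 1 if any.
audit_devices() {
    root=${1:-/}; root=${root%/}
    rc=0
    for dev in $(bsm_devices "$root/"); do
        # Step 4: lock file named after the device
        if [ ! -f "$root/etc/security/dev/$dev" ]; then
            echo "$dev: no lock file in /etc/security/dev"; rc=1
        fi
        # Step 2: device must be declared allocatable
        if ! grep -q "^$dev;" "$root/etc/security/device_allocate" 2>/dev/null; then
            echo "$dev: not listed in device_allocate"; rc=1
        fi
        # Step 5: every node in the device list must be mode 000, owned bin:bin
        for node in $(awk -F: -v d="$dev" '$1 == d { print $3 }' \
                          "$root/etc/security/device_maps"); do
            path="$root$node"
            if [ ! -e "$path" ]; then
                echo "$dev: $node does not exist"; rc=1; continue
            fi
            set -- $(ls -ld "$path")            # mode links owner group ...
            mode=$(printf '%s' "$1" | cut -c2-10)
            [ "$mode" = "---------" ] || { echo "$dev: $node mode is $mode, expected 000"; rc=1; }
            [ "$3:$4" = "bin:bin" ] || { echo "$dev: $node owner is $3:$4, expected bin:bin"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample tree: fd0 is set up correctly apart from ownership (an
# unprivileged run cannot chown to bin), sr0 has had none of the steps applied.
build_fixture() {
    root=${1%/}
    mkdir -p "$root/etc/security/dev" "$root/dev"
    printf 'fd0:fd:/dev/fd0:\nsr0:sr:/dev/sr0:\n' > "$root/etc/security/device_maps"
    printf 'fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean\n' \
        > "$root/etc/security/device_allocate"
    printf 'testuser::::type=normal;auths=solaris.device.*\n' > "$root/etc/user_attr"
    : > "$root/etc/security/dev/fd0"                  # step 4 done for fd0 only
    : > "$root/dev/fd0"; chmod 000 "$root/dev/fd0"    # step 5 done for fd0
    : > "$root/dev/sr0"; chmod 644 "$root/dev/sr0"    # sr0 left world-readable
}

bsm_demo() {
    t=$(mktemp -d) || return 1
    build_fixture "$t"
    audit_devices "$t" || echo "audit of staged tree $t found problems"
    has_auth "$t" testuser solaris.device.allocate && echo "testuser may allocate devices"
    rm -rf "$t"
}

# Run with BSM_DEMO=1 to audit the staged tree; call audit_devices / for a live host.
if [ "${BSM_DEMO:-0}" = 1 ]; then bsm_demo; fi
```

On a real host the ownership check is the one most often missed: a device node can be mode 000 yet still owned by root, so audit_devices reports mode and ownership separately. The wildcard handling in has_auth mirrors the user_attr entry shown earlier, where auths=solaris.device.* covers every authorization beneath that prefix.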