User's Manual

Solaris 9 Security CX-310-301 55
Creating A Profile
A profile is created by making an entry with an editor, such as vi, in the file /etc/security/prof_attr. To
create a new profile for adding user groups, add the following entry, noting the number of “:” characters:
Group Creation:::Create new groups:
Associating Executions with a Profile
The previous action created a profile. At this point the profile does not do anything. The commands for a
profile must be entered in /etc/security/exec_attr. The following example adds the groupadd command to
the “Group Creation” profile:
Group Creation:suser:cmd:::/usr/sbin/groupadd:euid=0
This entry will run the groupadd command as user root (euid=0).
Creating a Role
Roles are created using the roleadd command. A role called newgroup will be added, which is associated
with the “Group Creation” profile:
# roleadd -P "Group Creation" -s /usr/bin/pfsh newgroup
As a result, the following entry is inserted into /etc/user_attr:
newgroup::::type=role;profiles=Group Creation
Note that a role needs to be assigned a default shell that is a profile shell. This ensures that the profile
attributes in /etc/security/exec_attr are used when a command is run. There are three profile shells:
- /usr/bin/pfsh – Profile Bourne shell
- /usr/bin/pfksh – Profile Korn shell
- /usr/bin/pfcsh – Profile C shell
Assigning a Role to a User
Once a role has been created, it needs to be assigned to a user account. To assign the newgroup role to the user
temptest:
# usermod -R newgroup temptest
The following entry appears in /etc/user_attr showing the user account temptest and that it has been
assigned the role newgroup:
temptest::::type=normal;roles=newgroup
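
The following consistency check is an added example, not part of the original guide. It verifies the colon-separated field counts, that every referenced profile and role is defined, and that each role has a profile shell. The function names rbac_lint and sample_rbac and the two passwd lines are constructed for illustration, and the check runs on copies of the files in a scratch directory.

```shell
# Added example. rbac_lint DIR: DIR holds copies of prof_attr, exec_attr,
# passwd and user_attr. Prints one line per finding; returns 1 if any.
rbac_lint() {
  awk -F: '
    function bad(msg) { print f ": " msg; n++ }
    BEGIN { nf["prof_attr"] = 5; nf["exec_attr"] = 7; nf["passwd"] = 7; nf["user_attr"] = 5 }
    /^#/ || /^$/ { next }
    { f = FILENAME; sub(/.*\//, "", f) }
    f == "prof_attr" { prof[$1] = 1 }
    NF != nf[f] { bad("\"" $1 "\" has " NF " fields, expected " nf[f]); next }
    f == "exec_attr" && !($1 in prof) { bad("profile \"" $1 "\" is not in prof_attr") }
    f == "passwd" { shell[$1] = $7 }
    f == "user_attr" {
      k = split($5, kv, ";")
      for (i = 1; i <= k; i++) {
        val = substr(kv[i], index(kv[i], "=") + 1)
        if (kv[i] == "type=role") {
          isrole[$1] = 1
          if (shell[$1] !~ /^\/usr\/bin\/pf(sh|ksh|csh)$/)
            bad("role " $1 " has shell \"" shell[$1] "\", not a profile shell")
        } else if (kv[i] ~ /^profiles=/) {
          m = split(val, p, ",")
          for (j = 1; j <= m; j++)
            if (!(p[j] in prof)) bad("profile \"" p[j] "\" is not in prof_attr")
        } else if (kv[i] ~ /^roles=/) roles[$1] = val
      }
    }
    END {
      for (u in roles) {
        m = split(roles[u], r, ",")
        for (j = 1; j <= m; j++)
          if (!(r[j] in isrole)) bad("user " u " has undefined role " r[j])
      }
      exit (n > 0)
    }
  ' "$1/prof_attr" "$1/exec_attr" "$1/passwd" "$1/user_attr"
}
# Constructed sample: the entries from this page plus two made-up passwd lines.
sample_rbac() {
  echo 'Group Creation:::Create new groups:' > "$1/prof_attr"
  echo 'Group Creation:suser:cmd:::/usr/sbin/groupadd:euid=0' > "$1/exec_attr"
  printf '%s\n' 'newgroup::::type=role;profiles=Group Creation' \
    'temptest::::type=normal;roles=newgroup' > "$1/user_attr"
  printf '%s\n' 'newgroup:x:1001:1::/home/newgroup:/usr/bin/pfsh' \
    'temptest:x:1002:1::/home/temptest:/bin/sh' > "$1/passwd"
}
d=$(mktemp -d); sample_rbac "$d"
rbac_lint "$d" && echo "RBAC entries are consistent"; rm -rf "$d"
```

A finding such as "has 4 fields, expected 5" points to a dropped “:” in the entry, the mistake the profile step warns about.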