Managing Device Allocation (Tasks)

Device allocation is commonly implemented at sites that require an additional layer of device security. Typically, users must have authorization to access allocatable devices.

Managing Device Allocation (Task Map)

The following task map points to procedures that enable, configure, and troubleshoot device allocation. Device allocation is not enabled by default. After device allocation is enabled, see Allocating Devices (Tasks) for instructions on allocating devices.

How to Enable Device Allocation

Before You Begin

You must become an administrator who is assigned the Device Security rights profile. For more information, see How to Use Your Assigned Administrative Rights.

1. Enable the device allocation service and verify that the service is enabled.

   # svcadm enable svc:/system/device/allocate
   # svcs -x allocate
   svc:/system/device/allocate:default (device allocation)
    State: online since September 10, 2011 01:10:11 PM PDT
      See: allocate(1)
      See: deallocate(1)
      See: list_devices(1)
      See: device_allocate(1M)
      See: mkdevalloc(1M)
      See: mkdevmaps(1M)
      See: dminfo(1M)
      See: device_maps(4)
      See: /var/svc/log/system-device-allocate:default.log
   Impact: None.

2. To disable the device allocation service, use the disable subcommand.

   # svcadm disable device/allocate

How to Authorize Users to Allocate a Device

Before You Begin

You must become an administrator who is assigned the User Security rights profile. Your rights profiles must include the solaris.auth.delegate authorization. For more information, see How to Use Your Assigned Administrative Rights.

1. Create a rights profile that contains the appropriate authorization and commands.

   Typically, you would create a rights profile that includes the solaris.device.allocate authorization. Follow the instructions in How to Create a Rights Profile. Give the rights profile appropriate properties, such as the following:

   • Rights profile name: Device Allocation

   • Granted authorizations: solaris.device.allocate

   • Commands with privileges: mount with the sys_mount privilege, and umount with the sys_mount privilege

2. (Optional) Create a role for the rights profile.

   Follow the instructions in How to Create a Role. Use the following role properties as a guide:

   • Role name: devicealloc

   • Role full name: Device Allocator

   • Role description: Allocates and mounts allocated devices

   • Rights profile: Device Allocation

     This rights profile must be the first in the list of profiles that are included in the role.

3. Assign the rights profile to authorized users or authorized roles.
4. Teach the users how to use device allocation.

   For examples of allocating removable media, see How to Allocate a Device.

How to View Allocation Information About a Device

Before You Begin

You have completed How to Enable Device Allocation.

You must become an administrator who is assigned the Device Security rights profile. For more information, see How to Use Your Assigned Administrative Rights.

• Display information about allocatable devices on your system.

  # list_devices device-name

  where device-name is one of the following:

  • audio[n] – Is a microphone and speaker.

  • fd[n] – Is a diskette drive.

  • rmdisk[n] – Is a removable media device, such as a USB.

  • sr[n] – Is a CD-ROM drive.

  • st[n] – Is a tape drive.

Troubleshooting

If the list_devices command returns an error message similar to the following, then either device allocation is not enabled, or you do not have sufficient permissions to retrieve the information.

list_devices: No device maps file entry for specified device.

For the command to succeed, enable device allocation and assume a role with the solaris.device.revoke authorization.

How to Forcibly Allocate a Device

Forcible allocation is used when someone has forgotten to deallocate a device. Forcible allocation can also be used when a user has an immediate need for a device.

Before You Begin

You must become an administrator who is assigned the solaris.device.revoke authorization. For more information, see How to Use Your Assigned Administrative Rights.

1. Determine if you have the appropriate authorizations in your role.

   $ auths
   solaris.device.allocate solaris.device.revoke

2. Forcibly allocate the device to the user who needs the device.

   In this example, a USB drive is forcibly allocated to the user jdoe.

   $ allocate -U jdoe

How to Forcibly Deallocate a Device

Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. Forcible deallocation is used when a user has forgotten to deallocate a device.

Before You Begin

You must become an administrator who is assigned the solaris.device.revoke authorization. For more information, see How to Use Your Assigned Administrative Rights.

1. Determine if you have the appropriate authorizations in your role.

   $ auths
   solaris.device.allocate solaris.device.revoke

2. Forcibly deallocate the device.

   In this example, the printer is forcibly deallocated. The printer is now available for allocation by another user.

   $ deallocate -f /dev/lp/printer-1

How to Change Which Devices Can Be Allocated

Before You Begin

Device allocation must be enabled for this procedure to succeed. To enable device allocation, see How to Enable Device Allocation. You must assume the root role.

• Specify if authorization is required, or specify the solaris.device.allocate authorization.

  Change the fifth field in the device entry in the device_allocate file.

  audio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_clean
  fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean
  sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean

  where solaris.device.allocate indicates that a user must have the solaris.device.allocate authorization to use the device.

Example 5-2 Permitting Any User to Allocate a Device

In the following example, any user on the system can allocate any device. The fifth field in every device entry in the device_allocate file has been changed to an at sign (@).

# pfedit /etc/security/device_allocate
audio;audio;reserved;reserved;@;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;@;/etc/security/lib/sr_clean
…

Example 5-3 Preventing Some Peripheral Devices From Being Used

In the following example, the audio device cannot be used. The fifth field in the audio device entry in the device_allocate file has been changed to an asterisk (*).

# pfedit /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;solaris device.allocate;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris device.allocate;/etc/security/lib/sr_clean
…

Example 5-4 Preventing All Peripheral Devices From Being Used

In the following example, no peripheral device can be used. The fifth field in every device entry in the device_allocate file has been changed to an asterisk (*).

# pfedit /etc/security/device_allocate
audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;*;/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;*;/etc/security/lib/sr_clean
…

How to Audit Device Allocation

By default, the device allocation commands are in the other audit class.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see How to Use Your Assigned Administrative Rights.

• Preselect the ot audit class.

  $ auditconfig -getflags
  current-flags
  $ auditconfig -setflags current-flags,ot

  For detailed instructions, see How to Preselect Audit Classes.