man pages section 1: User Commands, Oracle Solaris 11.1 Information Library
profiles - list and manage rights profiles
profiles [-l] [-a | user ...] [-S repository]
profiles -p profiles [-S repository]
profiles -p profiles [-S repository] subcommand
profiles -p profiles [-S repository] -f command_file
profiles help
The profiles utility creates and modifies the configuration of a rights profile in the prof_attr(4) or exec_attr(4) databases in the local files name service or LDAP name service. A rights profile configuration consists of a profile name and a number of properties.
The following synopsis of the profiles subcommand is for interactive usage:
profiles -p profile [-S repository] [subcommand]
The profiles command prints on standard output the names of the rights profiles that have been assigned to you or to the optionally specified user or role name. Profiles are a bundling mechanism used to enumerate the commands and authorizations needed to perform a specific function. With the -l option, each listed executable is shown together with the process attributes, such as the effective user and group IDs, with which the process runs when started by a privileged command interpreter. See the pfexec(1) man page. Profiles can contain other profiles defined in prof_attr(4).
Multiple profiles can be combined to construct the appropriate access control. When profiles are assigned, the authorizations are added to the existing set. If the same command appears in multiple profiles, the first occurrence, as determined by the ordering of the profiles, is used for the process-attribute settings. For convenience, a wildcard can be specified to match all commands.
The special profile “Stop” short-circuits the evaluation of further profiles. Profiles seen after the “Stop” profile are neither evaluated nor used to find additional commands. This profile can be used to sidestep the profiles listed in /etc/security/policy.conf with the PROF_GRANTED key and the authorizations listed with AUTH_GRANTED in that file.
When profiles are interpreted, the profile list is loaded from user_attr(4). If any default profiles are defined in /etc/security/policy.conf (see policy.conf(4)), the list of default profiles are added to the list loaded from user_attr(4). Matching entries in prof_attr(4) provide the authorizations list, and matching entries in exec_attr(4) provide the commands list.
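The evaluation rules above (ordered profile list from user_attr(4) with the policy.conf(4) defaults appended, sub-profile expansion, first matching command wins, the wildcard, and the Stop profile) can be modelled in a few dozen lines. The following is an added example written for this page, not Solaris code: it parses constructed prof_attr(4), exec_attr(4) and user_attr(4) style entries (the names Audit Management, Device Management and All Commands are reused from this page's examples, but their contents, the Device Security sub-profile, the Basic Solaris User default and every attribute are invented) and resolves what a command would run as for two users. The depth-first, parent-before-children order for sub-profiles is an assumption. The last function flags wildcard entries that change IDs or privileges, the one thing a reviewer of exec_attr changes should always look for.

```python
"""Model of the profile evaluation described above: an added example written
for this page, not Solaris code.  It parses constructed user_attr(4),
prof_attr(4) and exec_attr(4) style lines and applies the stated rules:
profiles are walked in assignment order with sub-profiles expanded
(depth-first, parent before children, is an assumption), policy.conf(4)
PROF_GRANTED defaults come last, "Stop" halts evaluation, authorizations
accumulate, and the first matching exec_attr entry decides a command's
process attributes.  Profile names follow this page's examples; contents
are invented for illustration."""

LIST_KEYS = {"auths", "profiles", "privs", "limitprivs"}  # comma-separated values
PROF_GRANTED = ["Basic Solaris User"]  # stands in for the policy.conf PROF_GRANTED key
PROF_ATTR = """\
Audit Management:::Manage the audit subsystem:auths=solaris.audit.*
Device Management:::Manage devices:auths=solaris.device.allocate;profiles=Device Security
Device Security:::Configure devices:auths=solaris.device.config
All Commands:::Execute any command as the user or role:
Basic Solaris User:::Automatically assigned rights:auths=solaris.mail.mailq
"""
EXEC_ATTR = """\
Audit Management:solaris:cmd:::/usr/sbin/audit:euid=0
Audit Management:solaris:cmd:::/usr/sbin/auditconfig:euid=0;egid=3
Device Management:solaris:cmd:::/usr/bin/allocate:euid=0
Device Security:solaris:cmd:::/usr/sbin/*:uid=0
All Commands:solaris:cmd:::*:
"""
USER_ATTR = """\
tester01::::type=normal;profiles=Audit Management,All Commands
tester02::::type=normal;profiles=Device Management,Stop
"""

def parse_attrs(field):
    """'k=v;k=a,b' -> dict; keys in LIST_KEYS become lists."""
    attrs = {}
    for item in filter(None, field.split(";")):
        key, _, val = item.partition("=")
        attrs[key] = val.split(",") if key in LIST_KEYS else val
    return attrs

def parse_attr_db(text):
    """prof_attr and user_attr share the shape name:x:x:x:attrs -> {name: attrs}."""
    return {f[0]: parse_attrs(f[4]) for f in (l.split(":", 4) for l in text.splitlines())}

def parse_exec_attr(text):
    """name:policy:type:res1:res2:id:attrs -> {name: [(id, attrs), ...]} in file order."""
    db = {}
    for line in text.splitlines():
        name, _policy, kind, _r1, _r2, cmd_id, attrs = line.split(":", 6)
        if kind == "cmd":
            db.setdefault(name, []).append((cmd_id, parse_attrs(attrs)))
    return db

def profile_order(assigned, prof_attr, granted=PROF_GRANTED):
    """Ordered, de-duplicated list of the profiles evaluated for a user."""
    order, seen, stopped = [], set(), False

    def visit(name):
        nonlocal stopped
        if stopped or name in seen:
            return
        if name == "Stop":
            stopped = True  # nothing after Stop is looked at, the defaults included
            return
        seen.add(name)
        order.append(name)
        for sub in prof_attr.get(name, {}).get("profiles", []):
            visit(sub)  # sub-profiles follow their parent

    for name in list(assigned) + list(granted):  # user_attr first, then policy.conf
        visit(name)
    return order

def cmd_matches(pattern, path):
    """'*' matches every command; 'dir/*' matches the files in that directory."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return path.rpartition("/")[0] == pattern[:-2]
    return pattern == path

def lookup_command(path, order, exec_attr):
    """First matching exec_attr entry in profile order wins; later matches are ignored."""
    for prof in order:
        for cmd_id, attrs in exec_attr.get(prof, []):
            if cmd_matches(cmd_id, path):
                return prof, attrs
    return None, None

def effective_auths(order, prof_attr):
    """Authorizations are the union over every evaluated profile."""
    auths = []
    for prof in order:
        auths += [a for a in prof_attr.get(prof, {}).get("auths", []) if a not in auths]
    return auths

def privileged_wildcards(exec_attr):
    """Wildcard entries that change IDs or privileges: every file they match runs that way."""
    risky = ("euid", "uid", "egid", "gid", "privs")
    return [(prof, cmd_id) for prof, entries in exec_attr.items()
            for cmd_id, attrs in entries if cmd_id.endswith("*") and any(k in attrs for k in risky)]

if __name__ == "__main__":
    prof, execs, users = parse_attr_db(PROF_ATTR), parse_exec_attr(EXEC_ATTR), parse_attr_db(USER_ATTR)
    for user in ("tester01", "tester02"):
        order = profile_order(users[user]["profiles"], prof)
        print(f"{user}: {', '.join(order)}; auths={effective_auths(order, prof)}")
        for path in ("/usr/sbin/audit", "/usr/bin/ls"):
            print(f"    {path} -> {lookup_command(path, order, execs)}")
    print("privileged wildcards:", privileged_wildcards(execs))
```

Running it shows tester02's Stop profile cutting off the Basic Solaris User default, and /usr/sbin/audit resolving through the /usr/sbin/* wildcard with uid=0 for tester02 but through the specific Audit Management entry for tester01; /usr/bin/ls is reachable for tester01 only through All Commands, with no attribute changes.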
When invoked with the -p option, the properties of the specified profile, as well as the properties of its associated executable files, can be managed. However, to maintain system integrity, profiles that are maintained by Solaris cannot be modified by this command. Such profiles can only be modified via the pkg(1) command during a system update.
Optionally, other profiles can also be delivered by the pkg(1) command as not modifiable.
To prevent privilege escalation, the property values are restricted based on the user's authorizations. At a minimum, an administrator needs to be granted the Rights Management profile. Additionally, to modify security-related properties controlled by delegate authorizations, an administrator must be granted the Rights Delegation profile. See exec_attr(4), prof_attr(4), and the following summary for details.
Property values can be simple strings, or comma-separated lists of simple strings. Simple strings containing white space must be double quoted.
The profiles command operates in both profile and command contexts. The profile context is the initial state, in which the various profile properties can be managed. The following table summarizes the properties in the profile context:
Property Name    Value Type          Required Authorizations
name             simple              none
auths            list of simple      solaris.auth.{assign/delegate}
profiles         list of simple      solaris.profile.{assign/delegate}
privs            list of simple      solaris.privilege.{assign/delegate}
limitpriv        list of simple      solaris.privilege.{assign/delegate}
defaultpriv      list of simple      solaris.privilege.{assign/delegate}
always_audit     list of simple      solaris.audit.assign
never_audit      list of simple      solaris.audit.assign
desc             simple              none
help             simple              none
pam_policy       simple              solaris.account.setpolicy
cmd              simple/new context  none
The command context is entered by specifying the cmd property. While in the command context, the properties of the current command can be managed.
The following table summarizes the properties in the command context:
Property Name    Value Type          Required Authorizations
id               simple              none
privs            list of simple      solaris.privilege.{assign/delegate}
limitprivs       list of simple      solaris.privilege.{assign/delegate}
euid             simple              solaris.profile.cmd.setuid
uid              simple              solaris.profile.cmd.setuid
egid             simple              solaris.group.{assign/delegate}
gid              simple              solaris.group.{assign/delegate}
The values that can be specified for the properties in each context are described in the following list. An equal sign (=) is required between the property and its value.

Profile context properties:

name
    The name of the profile. The initial value for the name is specified using the -p option on the command line. If the name is changed, the current profile properties are applied to the newly named profile. In this way an existing profile can be cloned for subsequent editing. The name must not match an existing profile.

desc
    The description of the new profile. The text must be enclosed in quotation marks.

help
    The help file name for the new profile. The help file is copied to the /usr/lib/help/profiles/locale/<locale> directory, where <locale> is the value of the user's language locale, or C if none is specified. Specifying this property is only applicable in the files repository.

auths
    One or more comma-separated authorizations to be added to the new profile. If the wildcard character (*) is used in an authorization name, the name must be enclosed in double quotes (").

profiles
    One or more comma-separated supplementary profiles to be added to the new profile.

privs
    The set of privileges that can be specified using the -P option of the pfexec(1) command.

limitpriv
    The maximum set of privileges a user, or any process started by the user, whether through su(1M) or any other means, can obtain. Only the first occurrence of this property, either in the user's user_attr(4) entry or in the ordered list of assigned profiles, is applied at login and su.

defaultpriv
    The default set of privileges assigned to a user's set of processes. Only the first occurrence of this property, either in the user's user_attr(4) entry or in the ordered list of assigned profiles, is applied at login and su.

always_audit
    The audit flags specifying event classes to always audit. Only the first occurrence of this property, either in the user's user_attr(4) entry or in the ordered list of assigned profiles, is applied at login and su.

never_audit
    The audit flags specifying event classes to never audit. Only the first occurrence of this property, either in the user's user_attr(4) entry or in the ordered list of assigned profiles, is applied at login and su.

pam_policy
    The PAM policy to apply to a user. pam_policy must be either an absolute pathname to a pam.conf(4)-formatted file or the name of a pam.conf(4)-formatted file located in /etc/security/pam_policy. See pam_user_policy(5) for more information.

cmd
    The fully qualified path to an executable file or the asterisk (*) symbol, which is used to specify all commands. An asterisk that replaces the filename component in a pathname indicates all files in that directory. This is a special property that is used to enter the command context to manage the security properties of a command.

Command context properties:

id
    This property is initially set to the value that was specified by the preceding cmd property, but can be modified. When used in conjunction with the select subcommand, the properties of an existing command can be cloned for subsequent editing.

privs
    The set of privileges to be applied to the inheritable set of the process that executes the command. The default is basic.

limitprivs
    The set of privileges to be applied to the limit set of the process that executes the command. The default is all.

euid
    The effective user ID of the process that executes the command.

uid
    The real user ID of the process that executes the command.

egid
    The effective group ID of the process that executes the command.

gid
    The real group ID of the process that executes the command.

Either numeric IDs or names can be used for euid, uid, egid, and gid.
The following options are supported:
-a
    Lists all the profile names in the specified repository. If no repository is specified, the lookup follows whatever is configured for prof_attr in nsswitch.conf(4).

-f command_file
    Specifies the name of a profiles command file. command_file is a text file of profiles subcommands, one per line.

-l
    Provides information about each rights profile and lists its commands and their special process attributes, such as user and group IDs.

-p profile
    Specifies the profile name.

-S repository
    The valid repositories are files and ldap. repository specifies which name service is updated. The default repository is files.
When invoked with the -p option, subcommands can be provided on the command line or interactively. Multiple subcommands, separated by semicolons can be specified on the command line by enclosing the entire set in quotation marks. The lack of subcommands implies an interactive session, during which auto-completion of subcommands can be invoked by using the TAB key.
The add and select subcommands can be used to select a specific command, at which point the context changes to that of the command. During an interactive session, the command context is identified by the command basename in the prompt string. The end and cancel subcommands are used to complete the command specification, at which time the context is reverted to the profile context.
Subcommands that can result in destructive actions or loss of work have a -F option to force the action. If input is from a terminal device, the user is prompted when appropriate. This could occur if a subcommand is given without the -F option. Otherwise, the action is disallowed, with a diagnostic message written to standard error.
The property-value can be a simple value, or a list of simple values for those properties which accept lists. The following subcommands are supported:
add cmd=path-name
    In the profile context, begins the specification for a given command. The context changes to the command context.

add property-name=value[,value...]
    Adds the specified values to the current property values. This subcommand can only be applied to properties that accept lists.

cancel
    End the command specification and reset the context to profile. Abandons any partially specified command. cancel is only applicable in the command context.

clear property-name
    Clear the value for the property.

commit
    Commit the current configuration from memory to stable storage. The configuration must be committed for the changes to take effect. Until the in-memory configuration is committed, you can remove changes with the revert subcommand. The commit operation is attempted automatically upon completion of a profiles session. Since a configuration must be correct to be committed, this operation automatically does a verify.

delete [-F]
    Delete the specified profile from memory and stable storage. This operation is not permitted if the profile is included as a subprofile of another profile in the same repository. Instead, a list of profiles which include this profile is supplied, from which the user must manually remove this profile prior to deleting it. Specify the -F option to force the action. If the deletion is allowed, its action is instantaneous and the session is terminated.

end
    End the command specification. This subcommand is only applicable in the command context. The profiles command verifies that the current command is completely specified. If so, it is added to the in-memory configuration (see commit for saving this to stable storage) and the context reverts to the profile context. If the specification is incomplete, it issues an appropriate error message.

exit [-F]
    Exit the profiles session. A commit is automatically attempted if needed. You can also use an EOF character to exit profiles. The -F option can be used to force the action.

export [-f output-file]
    Print the configuration to standard output. Use the -f option to print the configuration to output-file instead. The output is in a form suitable for use with the -f command_file option of the profiles command.

help [topic]
    Print general help or help about a specific topic.

info [property-name]
    Display information about the current profile or the specified property.

remove cmd=path-name
    Removes the specified command from the profile. This subcommand is only valid in the profile context.

remove [-F] cmd
    Removes all the commands from the profile. A confirmation is required, unless you use the -F option. This subcommand is only valid in the profile context.

remove property-name=value[,value...]
    Remove the specified values from the property. This can only be applied to properties that accept lists.

revert [-F]
    Revert the configuration back to the last committed state. The -F option can be used to force the action.

select cmd=path-name
    Select the command which matches the given pathname, for modification. This subcommand is applicable only in the profile context.

set property-name=value[,value...]
    Set a given property name to the given value. Some properties (for example, name and desc) are only valid in the profile context, while others are only valid in the command context. This subcommand is applicable in both the profile and command contexts.

verify
    Verify the current configuration for correctness:
        The required properties are specified.
        The values are valid for each keyword.
        The user is authorized to specify the values.
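Because a command file given with -f is replayed without prompts, it is worth checking it against the context rules before running profiles -p name -f command_file. The following dry-run checker is an added example written for this page, not part of Solaris: it replays the subcommands, tracks the profile and command contexts and the properties allowed in each (taken from the tables above), applies add and remove only to list properties, and reports an unclosed command. The two command files are constructed; SAMPLE mirrors Examples 3, 7 and 9 below and BAD deliberately misuses the contexts. Whether the real profiles command accepts several semicolon-separated subcommands on one line of a command file, as it does on the command line, is an assumption here.

```python
"""Dry-run checker for a profiles(1) command file: an added example written for
this page, not Solaris code.  Before a file is handed to
'profiles -p name -f command_file', it replays the subcommands, tracks the
profile and command contexts, rejects properties used in the wrong context,
applies add/remove only to list properties, and reports an unclosed command.
The property tables come from this page; the sample files are constructed."""
import shlex

PROFILE_PROPS = {"name", "auths", "profiles", "privs", "limitpriv", "defaultpriv",
                 "always_audit", "never_audit", "desc", "help", "pam_policy"}
COMMAND_PROPS = {"id", "privs", "limitprivs", "euid", "uid", "egid", "gid"}
LIST_PROPS = {"auths", "profiles", "privs", "limitpriv", "limitprivs", "defaultpriv",
              "always_audit", "never_audit"}
PASSIVE = {"commit", "exit", "verify", "info", "export", "revert", "help", "delete"}

SAMPLE = """\
set desc="Manage users and groups"
set auths=solaris.user.manage
set profiles="Mail Management"
add cmd=/usr/bin/cp
set euid=0
set egid=0
end
select cmd=/usr/bin/cp
clear euid; clear egid
set uid=0; set gid=0
end
add auths=solaris.group.manage
commit
"""
BAD = """\
set euid=0
add cmd=/usr/bin/cp
set desc=oops
end
end
"""

def check_command_file(text):
    """Replay the subcommands; return (profile, commands, errors)."""
    profile, commands, errors, current = {}, [], [], None

    def err(n, msg):
        errors.append(f"line {n}: {msg}")

    for n, raw in enumerate(text.splitlines(), 1):
        for stmt in raw.split(";"):  # several subcommands per line (assumed, as on the command line)
            words = shlex.split(stmt)
            if not words:
                continue
            verb, arg = words[0], (words[1] if len(words) > 1 else "")
            key, _, val = arg.partition("=")
            in_cmd = current is not None
            target = current if in_cmd else profile
            if verb in ("end", "cancel"):
                if not in_cmd:
                    err(n, f"{verb} is only valid in the command context")
                elif verb == "end":
                    commands.append(current)  # complete: the cmd path is always present
                current = None
            elif verb in ("add", "select", "remove") and key == "cmd":
                if in_cmd:
                    err(n, f"{verb} cmd= is only valid in the profile context")
                    continue
                found = [c for c in commands if c["id"] == val]
                if verb == "add":
                    current = {"id": val}
                elif not found:
                    err(n, f"no command {val!r} to {verb}")
                else:
                    commands.remove(found[0])
                    if verb == "select":
                        current = found[0]  # re-enter the command context to edit it
            elif verb in ("set", "add", "remove"):
                valid = COMMAND_PROPS if in_cmd else PROFILE_PROPS
                ctx = "command" if in_cmd else "profile"
                if key not in valid:
                    err(n, f"{key!r} is not a property of the {ctx} context")
                elif verb == "set":
                    target[key] = val.split(",") if key in LIST_PROPS else val
                elif key not in LIST_PROPS:
                    err(n, f"{verb} applies only to list properties, not {key!r}")
                elif verb == "add":
                    target[key] = target.get(key, []) + val.split(",")
                else:
                    target[key] = [v for v in target.get(key, []) if v not in val.split(",")]
            elif verb == "clear":
                target.pop(key, None)
            elif verb not in PASSIVE:
                err(n, f"unknown subcommand {verb!r}")
    if current is not None:
        errors.append("command specification not closed with end or cancel")
    return profile, commands, errors

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BAD", BAD)):
        profile, commands, errors = check_command_file(text)
        print(name, profile, commands, errors, sep="\n  ")
```

For SAMPLE the checker reports no errors and ends with a single /usr/bin/cp entry carrying uid=0 and gid=0 (the select, clear and end sequence of Example 9 replaces the euid/egid entry from Example 7), while BAD produces three errors: euid set in the profile context, desc set in the command context, and an end with no command open.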
Example 1 Using the profiles Command
The output of the profiles command has the following form:
example% profiles tester01 tester02
tester01 : Audit Management, All Commands
tester02 : Device Management, All Commands
example%
Example 2 Using the list Option
example% profiles -l tester01 tester02
tester01 :
      Audit Management:
          /usr/sbin/audit            euid=root
          /usr/sbin/auditconfig      euid=root egid=sys
      All Commands:
          *
tester02 :
      Device Management:
          /usr/bin/allocate          euid=root
          /usr/bin/deallocate        euid=root
      All Commands:
          *
example%
Example 3 Creating a New Profile
The following creates a new User Manager profile in LDAP. The new profile description is Manage users and groups, and the authorization assigned is solaris.user.manage. The supplementary profile assigned is Mail Management. The help file name is RtUserMgmt.html.
example% profiles -p "User Manager" -S ldap
profiles:User Manager> set desc="Manage users and groups"
profiles:User Manager> set help=RtUserMgmt.html
profiles:User Manager> set auths=solaris.user.manage
profiles:User Manager> set profiles="Mail Management"
profiles:User Manager> exit
Example 4 Displaying Information Regarding the Current Configuration
The following command displays information regarding the User Manager profile:
example% profiles -p "User Manager" -S ldap info
name=User Manager
desc=Manage users and groups
auths=solaris.user.manage
profiles=Mail Management
help=RtUserMgmt.html
Example 5 Deleting a Profile
The following command deletes the User Manager profile from LDAP:
example% profiles -p "User Manager" -S ldap delete -F
Example 6 Modifying a Profile
The following modifies the User Manager profile in LDAP. The new profile description is Manage world, the authorizations are replaced by solaris.user.* (the wildcard requires the value to be quoted), and the supplementary profile is replaced by All.
example% profiles -p "User Manager" -S ldap
profiles:User Manager> set desc="Manage world"
profiles:User Manager> set auths="solaris.user.*"
profiles:User Manager> set profiles=All
profiles:User Manager> exit
Example 7 Creating an exec_attr Database Entry
The following command creates a new exec_attr entry for the User Manager profile in LDAP. The /usr/bin/cp entry is added. The command has an effective user ID of 0 and an effective group ID of 0.
example% profiles -p "User Manager" -S ldap
profiles:User Manager> add cmd=/usr/bin/cp
profiles:User Manager:cp> set euid=0
profiles:User Manager:cp> set egid=0
profiles:User Manager:cp> end
profiles:User Manager> exit
example%
Example 8 Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry for the User Manager profile from LDAP. The entry designated for the command /usr/bin/cp is deleted.
example% profiles -p "User Manager" -S ldap
profiles:User Manager> remove cmd=/usr/bin/cp
profiles:User Manager> exit
example%
Example 9 Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr database entry for the User Manager profile in LDAP. The /usr/bin/cp entry is modified to execute with the real user ID of 0 and the real group ID of 0.
example% profiles -p "User Manager" -S ldap
profiles:User Manager> select cmd=/usr/bin/cp
profiles:User Manager:cp> clear euid
profiles:User Manager:cp> clear egid
profiles:User Manager:cp> set uid=0
profiles:User Manager:cp> set gid=0
profiles:User Manager:cp> end
profiles:User Manager> exit
example%
The following exit values are returned:

0
    Successful completion.

1
    An error occurred.
/etc/security/exec_attr
/etc/security/prof_attr
/etc/user_attr
/etc/security/policy.conf
See attributes(5) for descriptions of the following attributes:
auths(1), pfexec(1), pkg(1), roles(1), getprofattr(3C), auth_attr(4), exec_attr(4), nsswitch.conf(4), pam.conf(4), policy.conf(4), prof_attr(4), user_attr(4), audit_flags(5), attributes(5), pam_user_policy(5), privileges(5)