System Administration Commands sac(1M)
NAME
sac - service access controller
SYNOPSIS
sac -t sanity_interval
/usr/lib/saf/sac
DESCRIPTION
The Service Access Controller (SAC) is the overseer of the server machine. It is started when the server machine enters multiuser mode. The SAC performs several important functions as explained below. Customizing the SAC EnvironmentWhen sac is invoked, it first looks for the per-system con-
figuration script /etc/saf/_sysconfig. sac interprets _sys-
config to customize its own environment. The modificationsmade to the SAC environment by _sysconfig are inherited by
all the children of the SAC. This inherited environment may be modified by the children. Starting Port MonitorsAfter it has interpreted the _sysconfig file, the sac reads
its administrative file /etc/saf/_sactab. _sactab specifies
which port monitors are to be started. For each port monitorto be started, sac forks a child (see fork(2)) and creates a
utmpx entry with the type field set to LOGIN_PROCESS. Each
child then interprets its per-port monitor configuration
script /etc/saf/pmtag/_config , if the file exists. These
modifications to the environment affect the port monitor and will be inherited by all its children. Finally, the child process execs the port monitor, using the commandfound in the _sactab entry. (See sacadm; this is the com-
mand given with the -c option when the port monitor is added
to the system.) Polling Port Monitors to Detect FailureThe -t option sets the frequency with which sac polls the
port monitors on the system. This time may also be thought of as half of the maximum latency required to detect that aport monitor has failed and that recovery action is neces-
sary. Administrative functions The Service Access Controller represents the administrative point of control for port monitors. Its administrative tasks are explained below.SunOS 5.11 Last change: 21 Apr 2009 1
System Administration Commands sac(1M)
When queried (sacadm with either -l or -L), the Service
Access Controller returns the status of the port monitorsspecified, which sacadm prints on the standard output. A
port monitor may be in one of six states: ENABLED The port monitor is currently running and isaccepting connections. See sacadm(1M) with the
-e option.
DISABLED The port monitor is currently running and isnot accepting connections. See sacadm with the
-d option, and see NOTRUNNING, below.
STARTING The port monitor is in the process of starting up. STARTING is an intermediate state on the way to ENABLED or DISABLED. FAILED The port monitor was unable to start and remain running. STOPPING The port monitor has been manually terminated but has not completed its shutdown procedure. STOPPING is an intermediate state on the way to NOTRUNNING. NOTRUNNING The port monitor is not currently running.(See sacadm with -k.) This is the normal "not
running" state. When a port monitor is killed, all ports it was monitoring are inaccessible. It is not possible for an external user to tell whether a port is not being monitored or the system is down. If the port monitor is not killed but is in the DISABLED state, it may be possible (depending on the port monitor being used) to write a message on the inaccessible port telling the user who is trying to access the port that it is disabled. This is the advantage of having a DISABLED state as well as the NOTRUNNING state. When a port monitor terminates, the SAC removes the utmpx entry for that port monitor.SunOS 5.11 Last change: 21 Apr 2009 2
System Administration Commands sac(1M)
The SAC receives all requests to enable, disable, start, or stop port monitors and takes the appropriate action. The SAC is responsible for restarting port monitors that terminate. Whether or not the SAC will restart a given port monitor depends on two things: o The restart count specified for the port monitorwhen the port monitor was added by sacadm; this
information is included in /etc/saf/pmtag/_sactab.
o The number of times the port monitor has already been restarted. SECURITYsac uses pam(3PAM) for session management. The PAM confi-
guration policy, listed through /etc/pam.conf, specifies thesession management module to be used for sac. Here is a par-
tial pam.conf file with entries for sac using the UNIX ses-
sion management module.sac session required pam_unix_session.so.1
If there are no entries for the sac service, then the
entries for the "other" service will be used. OPTIONS-t sanity_interval Sets the frequency (sanity_interval)
with which sac polls the port monitors
on the system. FILESo /etc/saf/_sactab
o /etc/saf/_sysconfig
o /var/adm/utmpxo /var/saf/_log
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 21 Apr 2009 3
System Administration Commands sac(1M)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
SEE ALSO
pmadm(1M), sacadm(1M), fork(2) pam(3PAM), pam.conf(4),
attributes(5), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
NOTESThe pam_unix(5) module is no longer supported. Similar func-
tionality is provided by pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
and pam_unix_session(5).
The service access controller service is managed by the ser-
vice management facility, smf(5), under the service identif-
ier:svc:/system/sac:default
Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The service's status can be queried using the svcs(1) command.SunOS 5.11 Last change: 21 Apr 2009 4