File Formats user_attr(4)
NAME
user_attr - extended user attributes database
SYNOPSIS
/etc/user_attr
DESCRIPTION
/etc/user_attr is a local source of extended attributes
associated with users and roles. user_attr can be used with
other user attribute sources, including the LDAP people con-
tainer and the user_attr NIS map. Programs use the
getuserattr(3SECDB) routines to gain access to this informa-
tion.The search order for multiple user_attr sources is specified
in the /etc/nsswitch.conf file, as described in the nsswitch.conf(4) man page. The search order follows that for passwd(4).Each entry in the user_attr databases consists of a single
line with five fields separated by colons (:). Line con-
tinuations using the backslash (\) character are permitted. Each entry has the form: user:qualifier:res1:res2:attr userThe name of the user as specified in the passwd(4) data-
base. qualifier Reserved for future use. res1 Reserved for future use. res2 Reserved for future use.SunOS 5.11 Last change: 21 Jul 2010 1
File Formats user_attr(4)
attrAn optional list of semicolon-separated (;) key-value
pairs that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. The following keys are currently interpreted by the system: authsSpecifies a comma-separated list of authorization
names chosen from those names defined in theauth_attr(4) database. Authorization names may be
specified using the asterisk (*) character as a wildcard. For example, solaris.printer.* means all of Sun's printer authorizations.audit_flags
Specifies per-user Audit preselection flags as
colon-separated always-audit-flags and never-audit-
flags. For example, audit_flags=always-audit-
flags:never-audit-flags. See audit_flags(5).
profilesContains an ordered, comma-separated list of profile
names chosen from prof_attr(4). Profiles are
enforced by the profile shells, pfcsh, pfksh, and pfsh. See pfsh(1). A default profile is assigned in /etc/security/policy.conf (see policy.conf(4)). If no profiles are assigned, the profile shells do not allow the user to execute any commands. rolesCan be assigned a comma-separated list of role names
from the set of user accounts in this database whose type field indicates the account is a role. If the roles key value is not specified, the user is not permitted to assume any role. typeCan be assigned one of these strings: normal, indi-
cating that this account is for a normal user, one who logs in; or role, indicating that this account is for a role. Roles can only be assumed by a normalSunOS 5.11 Last change: 21 Jul 2010 2
File Formats user_attr(4)
user after the user has logged in. projectCan be assigned a name of one project from the pro-
ject(4) database to be used as a default project toplace the user in at login time. For more informa-
tion, see getdefaultproj(3PROJECT). defaultpriv The default set of privileges assigned to a user'sinheritable set upon login. See "Privileges Key-
words," below. limitpriv The maximum set of privileges a user or any process started by the user, whether through su(1M) or any other means, can obtain. The system administrator must take extreme care when removing privileges from the limit set. Removing any basic privilege has the ability of crippling all applications; removing any other privilege can cause many or all applications requiring privileges to malfunction. See "Privileges Keywords," below.lock_after_retries
Specifies whether an account is locked after the count of failed logins for a user equals or exceeds the allowed number of retries as defined by RETRIES in /etc/default/login. Possible values are yes or no. The default is no. Account locking is applicable only to local accounts and accounts in the ldap nameservice repository if configured with an enableSha-
dowUpdate of true as specified in ldapclient(1M). The following keys are available only if the system is configured with the Trusted Extensions feature: idletime Contains a number representing the maximum number of minutes a workstation can remain idle before the Trusted Extensions CDE window manager attempts the task specified in idlecmd. A zero in this field specifies that the idlecmd command is neverSunOS 5.11 Last change: 21 Jul 2010 3
File Formats user_attr(4)
executed. If unspecified, the default idletime of 30 minutes is in effect. idlecmdContains one of two keywords that the Trusted Exten-
sions CDE window manager interprets when a worksta-
tion is idle for too long. The keyword lock speci-
fies that the workstation is to be locked (thusrequiring the user to re-authenticate to resume the
session). The keyword logout specifies that session is to be terminated (thus, killing the user's processes launched in the current session). If unspecified, the default value, lock, is in effect. clearance Contains the maximum label at which the user can operate. If unspecified, in the Defense IntelligenceAgency (DIA) encodings scheme, the default is speci-
fied in label_encodings(4) (see label_encodings(4)
and labels(5) in the Solaris Trusted Extensions Reference Manual).min_label
Contains the minimum label at which the user can log in. If unspecified, in the DIA encodings scheme, thedefault is specified in label_encodings(4) (see
label_encodings(4) and labels(5) in the Solaris
Trusted Extensions Reference Manual). Except for the type key, the key=value fields in/etc/user_attr can be added using roleadd(1M) and
useradd(1M). You can use rolemod(1M) and usermod(1M) tomodify key=value fields in /etc/user_attr. Modification of
the type key is restricted as described in rolemod and user-
mod. Privileges KeywordsThe defaultpriv and limitpriv are the privileges-related
keywords and are described above.See privileges(5) for a description of privileges. The com-
mand ppriv -l (see ppriv(1)) produces a list of all
SunOS 5.11 Last change: 21 Jul 2010 4
File Formats user_attr(4)
supported privileges. Note that you specify privileges as they are displayed by ppriv. In privileges(5), privilegesare listed in the form PRIV_
. For example, the privilege file_chown, as you would specify it in
user_attr, is listed in privileges(5) as PRIV_FILE_CHOWN.
Privileges are specified through the Solaris Management Con-
sole (smc(1M)), the recommended method, or, on the command line, for users, throughusermod(1M). See usermod(1M) forexamples of commands that modify privileges and their subse-
quent effect on user_attr.
EXAMPLES
Example 1 Assigning a Profile to Root The following example entry assigns to root the All profile, which allows root to use all commands in the system, and also assigns two authorizations: root::::auths=solaris.*,solaris.grant;profiles=All;type=normal The solaris.* wildcard authorization shown above gives root all the solaris authorizations; and the solaris.grant authorization gives root the right to grant to others any solaris authorizations that root has. The combination of authorizations enables root to grant to others all thesolaris authorizations. See auth_attr(4) for more about
authorizations. FILES /etc/nsswitch.conf See nsswitch.conf(4)./etc/user_attr
Described here.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 21 Jul 2010 5
File Formats user_attr(4)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availibility | SUNWcsr ||_____________________________|_____________________________|
| Interface Stability | See below ||_____________________________|_____________________________|
The command-line syntax is Committed. The output is Uncom-
mitted.SEE ALSO
auths(1), pfcsh(1), pfksh(1), pfsh(1), ppriv(1), pro-
files(1), roles(1), ldapclient(1M), roleadd(1M), rolemod(1M), useradd(1M), usermod(1M),getdefaultproj(3PROJECT), getuserattr(3SECDB), auth_attr(4),
exec_attr(4), nsswitch.conf(4), passwd(4), policy.conf(4),
prof_attr(4), project(4), attributes(5), audit_flags(5),
privileges(5)See the dtstyle(1X), label_encodings(4), and labels(5) man
pages in the Solaris Trusted Extensions Reference Manual. System Administration Guide: Security Services NOTES The root user is usually defined in local databases for a number of reasons, including the fact that root needs to beable to log in and do system maintenance in single-user
mode, before the network name service databases are avail-
able. For this reason, an entry should exist for root in thelocal user_attr file, and the precedence shown in the exam-
ple nsswitch.conf(4) file entry under EXAMPLES is highly
recommended. Because the list of legal keys is likely to expand, any code that parses this database must be written to ignore unknownkey-value pairs without error. When any new keywords are
created, the names should be prefixed with a unique string,such as the company's stock symbol, to avoid potential nam-
ing conflicts. In the attr field, escape the following symbols with abackslash (\) if you use them in any value: colon (:), semi-
colon (;), carriage return (\n), equals (=), or backslash (\).SunOS 5.11 Last change: 21 Jul 2010 6