exec_attr(4) File Formats exec_attr(4)
exec_attr - execution profiles database
/etc/security/exec_attr is a local database that specifies the execution attributes asso-
ciated with profiles. The exec_attr file can be used with other sources for execution pro-
files, including the exec_attr NIS map and NIS+ table. Programs use the getexe-
cattr(3SECDB) routines to access this information.
The search order for multiple execution profile sources is specified in the /etc/nss-
witch.conf file, as described in the nsswitch.conf(4) man page. The search order follows
the entry for prof_attr(4).
A profile is a logical grouping of authorizations and commands that is interpreted by a
profile shell to form a secure execution environment. The shells that interpret profiles
are pfcsh, pfksh, and pfsh. See the pfsh(1) man page. Each user's account is assigned zero
or more profiles in the user_attr(4) database file.
Each entry in the exec_attr database consists of one line of text containing seven fields
separated by colons (:). Line continuations using the backslash (\fR) character are per-
mitted. The basic format of each entry is:
name The name of the profile. Profile names are case-sensitive.
policy The security policy that is associated with the profile entry. The valid poli-
cies are suser (standard Solaris superuser) and solaris. The solaris policy rec-
ognizes privileges (see privileges(5)); the suser policy does not.
The solaris and suser policies can coexist in the same exec_attr database, so
that Solaris releases prior to the current release can use the suser policy and
the current Solaris release can use a solaris policy. solaris is a superset of
suser; it allows you to specify privileges in addition to UIDs. Policies that
are specific to the current release of Solaris or that contain privileges should
use solaris. Policies that use UIDs only or that are not specific to the current
Solaris release should use suser.
type The type of object defined in the profile. There are two valid types: cmd and
act. The cmd type specifies that the ID field is a command that would be exe-
cuted by a shell. The act type is available only if the system is configured
with Trusted Extensions. It specifies that the ID field is a CDE action that
should be executed by the Trusted Extensions CDE action mechanism.
res1 Reserved for future use.
res2 Reserved for future use.
id A string that uniquely identifies the object described by the profile. For a
profile of type cmd, the id is either the full path to the command or the aster-
isk (*) symbol, which is used to allow all commands. An asterisk that replaces
the filename component in a pathname indicates all files in a particular direc-
To specify arguments, the pathname should point to a shell script that is writ-
ten to execute the command with the desired argument. In a Bourne shell, the
effective UID is reset to the real UID of the process when the effective UID is
less than 100 and not equal to the real UID. Depending on the euid and egid val-
ues, Bourne shell limitations might make other shells preferable. To prevent the
effective UIDs from being reset to real UIDs, you can start the script with the
If the Trusted Extensions feature is configured and the profile entry type is
act, the id is either the fully qualified name of a CDE action, or an asterisk
(*) representing a wildcard. A fully qualified CDE action is specified using the
action name and four additional semicolon-separated fields. These fields can be
empty but the semicolons are required. The fields in a CDE action are as fol-
argclass Specifies the argument class (for example, FILE or SESSION.) Corre-
sponds to ARG_CLASS for CDE actions.
argtype Specifies the data type for the argument. Corresponds to ARG_TYPE
for CDE actions.
argmode Specifies the read or write mode for the argument. Corresponds to
ARG_MODE for CDE actions.
argcount Specifies the number of arguments that the action can accept. Corre-
sponds to ARG_COUNT for CDE actions.
attr An optional list of semicolon-separated (;) key-value pairs that describe the
security attributes to apply to the object upon execution. Zero or more keys may
be specified. The list of valid key words depends on the policy enforced. The
following key words are valid: euid, uid, egid, gid, privs, and limitprivs.
euid and uid contain a single user name or a numeric user ID. Commands desig-
nated with euid run with the effective UID indicated, which is similar to set-
ting the setuid bit on an executable file. Commands designated with uid run with
both the real and effective UIDs. Setting uid may be more appropriate than set-
ting the euid on privileged shell scripts.
egid and gid contain a single group name or a numeric group ID. Commands desig-
nated with egid run with the effective GID indicated, which is similar to set-
ting the setgid bit on a file. Commands designated with gid run with both the
real and effective GIDs. Setting gid may be more appropriate than setting guid
on privileged shell scripts.
privs contains a privilege set which will be added to the inheritable set prior
to running the command.
limitprivs contains a privilege set which will be assigned to the limit set
prior to running the command.
privs and limitprivs are only valid for the solaris policy.
Example 1 Using Effective User ID
The following example shows the audit command specified in the Audit Control profile to
execute with an effective user ID of root(0):
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|Availibility |SUNWcsr |
|Interface Stability |See below. |
The command-line syntax is Committed. The output is Uncommitted.
When deciding which authorization source to use (see DESCRIPTION), keep in mind that NIS+
provides stronger authentication than NIS.
Because the list of legal keys is likely to expand, any code that parses this database
must be written to ignore unknown key-value pairs without error. When any new keywords are
created, the names should be prefixed with a unique string, such as the company's stock
symbol, to avoid potential naming conflicts.
The following characters are used in describing the database format and must be escaped
with a backslash if used as data: colon (:), semicolon (;), equals (=), and backslash
auths(1), dtaction(1), profiles(1), roles(1), sh(1), makedbm(1M), getauthattr(3SECDB),
getauusernam(3BSM), getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
kva_match(3SECDB), auth_attr(4), prof_attr(4), user_attr(4), attributes(5), privileges(5)
SunOS 5.11 30 Mar 2006 exec_attr(4)