sys_attrs_sec(5) File Formats Manual sys_attrs_sec(5)
NAME
sys_attrs_sec - sec subsystem attributes
DESCRIPTION
This reference page lists and describes attributes for the Security (sec) kernel subsystem. Refer to the sys_attrs(5) reference page for an
introduction to the topic of kernel subsystem attributes. In the following list, attributes preceded by an asterisk (*) can be modified at
run time.
Enables (enable) or disables (disable) Access Control List (ACL) access checks and default ACL inheritance on the system. See acl(4)
and the Security manual for more information.
Default value: disable
In a TruCluster environment, the value of this attribute must be the same on all member systems.
The size of the audit buffer in 1-KB units.
Default value: 16 (kilobytes)
Minimum value: 16
Maximum value: 1024
In a TruCluster environment, the value of this attribute must be the same on all member systems.
If you are generating your own audit records and the size of these records is close to or greater than the current audit_buffer_size
value, increasing this value may improve system performance.
The size, in bytes, reserved for the audit site mask. Each byte can support four site-defined events.
Default value: 64 (bytes)
Minimum value: 1
Maximum value: 1,048,576
In a TruCluster environment, the value of this attribute must be the same on all member systems.
The audit subsystem allows sites to define their own audit events (site-defined events). The site-defined events are specified in
the /etc/sec/site_events file. Because the number of site-defined events is determined by the customer, the audit_site_events
attribute is provided so the customer can specify how much memory the kernel needs to reserve for these events. There is no need to
change this value unless there are more than 256 site-defined events. See the Security manual for more information on specifying
site-defined events.
A value that controls the permission bits of a file with access control lists (ACLs) as seen by an NFS Version 2 client. NFS Version
2 clients make their own file access decisions, based on their interpretation of the file's permission bits. The file permission
bits may not accurately specify file access if the file has an ACL. You can specify the following values for the nfs_flatten_mode
attribute to better control file access decisions by NFS Version 2 clients: Do not modify file access; send the original file per-
mission bits to the NFS Version 2 client. Restrict the file access; modify the "group" and "other" fields of the file permissions
so that the permission bits grant only a level of access that is granted in every ACL entry. For example, send permission bits that
grant write access only if all ACL entries grant write access. Make file access more permissive; modify the "group" and "other"
fields of the file permissions so that the permission bits reflect a level of access that is granted by the combination of ACL
entries. For example, if some ACL entries grant read and execute permission and others grant write permission, send permission bits
that grant read, write, and execute permission.
Default value: 0
In a TruCluster environment, the value of this attribute must be the same on all member systems.
See acl(4) for more information.
The size limit, in bytes, of property list entries on UFS file systems.
Default value: 8192 (bytes)
Minimum value: 320
Maximum value: 18,446,744,073,709,551,615
In a TruCluster environment, the value of this attribute must be the same on all member systems.
On AdvFS file systems, a property list entry has a hard size limit of 1560 bytes. The ufs_proplist_max_entry attribute facilitates
interoperation of UFS and AdvFS property list entries. Set this attribute to 1560 if you want to use all property list entries on
your system with both UFS and AdvFS file systems. See proplist(4) for more information about property lists.
The ufs_proplist_max_entry attribute interacts with the ufs_sec_proplist_max_entry attribute. The latter is used to configure the
size of ACLs on UFS file systems. Because ACLs are stored in property lists, ufs_sec_proplist_max_entry cannot be greater than
(ufs_proplist_max_entry - 64) bytes. If ufs_sec_proplist_max_entry is set to exceed this limit, the value of ufs_proplist_max_entry
is automatically increased. The size limit, in bytes, of ACLs on UFS file systems.
Default value: 1548 (bytes)
Minimum value: 256
Maximum value: 18,446,744,073,709,551,551
In a TruCluster environment, the value of this attribute must be the same on all member systems.
ACLs are implemented by using property lists. On AdvFS file systems, there is a hard size limit of 1560 bytes for a property list
entry. This limit allows 2548 bytes for the ACL data, or a total of 65 entries, plus the three required entries of user::, group::,
and other::. Files have only one ACL, an Access ACL. Directories can have up to three ACLs: an Access ACL, a Default ACL, and a
Default Directory ACL. The AdvFS limit is placed on each of the three ACLs for a directory, meaning that each can have up to 65
entries. See acl(4) and the Security manual for more information about ACLs.
By default, the ufs_sec_proplist_max_entry attribute is set to ensure that the size limit of ACLs on UFS file systems is the same as
the size limit of ACLs on AdvFS file systems. This ensures that ACLs on your system can be copied between UFS and AdvFS file sys-
tems. It is recommended that you not modify the default setting of ufs_sec_proplist_max_entry unless you have strong need for larger
ACLs.
The ufs_sec_proplist_max_entry attribute interacts with the ufs_proplist_max_entry attribute. See the description of ufs_pro-
plist_max_entry for a description of this relationship.
SEE ALSO
Files: acl(4), proplist(4)
Others: sys_attrs(5)
Security
sys_attrs_sec(5)