17.4 Enhanced Access Control

Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that the command works only for one particular directory, file, network address, or system call.

17.4.1 Configuring a Command Control Policy

A command control policy is defined through policy script arguments. A policy script argument specifies the access rights of applications based on path, network, and capability.

  1. On the home page of the console, click Command Control.

  2. From the Command Control Sample Scripts, add the Enhanced Access Control Policy script.

  3. Drag and drop the Enhanced Access Control Policy script from Scripts to Authorizing Rule.

  4. Click the Authorizing Rule and access the Script Arguments.

  5. Create a script argument named policy and enter the policy in the Value field.

17.4.2 Configuring a Path Policy

A Path policy is a type of command control policy that restricts an application from accessing a specific directory based on the path.

The syntax of a Path policy is as follows:

  path [owner] <path> <capability:capability:!capability>

owner (optional) specifies that the ownership of the file or directory must match the current user ID.

path specifies a file or directory by its path. Replace path with any of the following options:

Table 17-1 Path Options

  /dir/file
      Specifies the file that the application can access in the /dir/ directory.

  /dir/
      Specifies the directory that the application can access.

  /dir/f*
      Specifies a file that begins with f in the /dir/ directory that the application can access.

  /dir/*
      Specifies that the application can access all the files in the /dir/ directory.

  /dir/**
      Specifies that the application can access all the files and subdirectories within the /dir/ directory.

  /dir/**/
      Specifies that the application can access all subdirectories found recursively under the /dir/ directory.

  /dir/**/*
      Specifies that the application can access all the files found recursively in any subdirectory of the /dir/ directory.

capability specifies the rights of the application. You can use the ! symbol in the syntax to denote a logical not. For example, all:!write grants all rights except write.

Replace capability with any of the following options:

Table 17-2 Capability Options

  privperms
      Enables the application with read, write, and ownership permissions for the specified directory or file.
      The privperms capability governs two areas of functionality:
        1. Using the chmod command to set a file to setuid or setgid.
        2. Using the chown or chgrp command to change the ownership of a file.

  perms
      Enables the application to set the permissions of a specified directory or file.

  read
      Gives the application read permission for a specified directory or file.

  write
      Gives the application create and write permissions for the specified directory or file.

  unlink
      Gives the application deletion rights for the specified directory or file.

  mknod
      Enables the application to create system files in the specified directory.

  exec
      Enables the application to execute shared files, and files for which the application does not have read and write permission.

  unsafe
      Enables the application to execute any file that does not inherit the policy.

  link
      Enables the application to create a symbolic link or hard link to another file.

  log[=<0-9>]
      Enables auditing of the application's system calls, with an optional risk value of 0-9.

  all
      Gives the application all permissions.

You can use wildcards, regular expressions, and strings in the Path policy. In the following example, the keyword default specifies the default policy:

  path default all:log
  path /opt/oracle/private/** !all:log=9
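To show how the syntax above is read, here is an added example (not part of this documentation or the product's own code) that parses path policy lines into rules, expands a capability list such as all:!write or !all:log=9 according to Table 17-2, translates the Table 17-1 wildcards, and checks whether a given file path has a given capability. The function names, the rule-precedence assumption (longest matching explicit pattern wins, default applies only when nothing else matches) and the sample policy are all constructed for this illustration.

```python
import re

# Capabilities from Table 17-2; "all" expands to every name in this set.
CAPABILITIES = {"privperms", "perms", "read", "write", "unlink",
                "mknod", "exec", "unsafe", "link"}

def parse_capabilities(spec):
    """'all:!write:log=9' -> (granted set, log level); '!' is a logical not."""
    granted, log_level = set(), None  # assumption: a bare 'log' means level 0
    for token in spec.split(":"):
        negate, name = token.startswith("!"), token.lstrip("!")
        log = re.fullmatch(r"log(?:=([0-9]))?", name)
        if log:
            log_level = None if negate else int(log.group(1) or 0)
        elif name == "all":
            granted = set() if negate else set(CAPABILITIES)
        elif name in CAPABILITIES:
            granted.discard(name) if negate else granted.add(name)
        else:
            raise ValueError(f"unknown capability token: {token!r}")
    return granted, log_level
def path_to_regex(pattern):
    """Table 17-1 wildcards: '**' may span '/', '*' stays within one name."""
    parts = re.split(r"(\*\*|\*)", pattern)  # keeps the wildcards as tokens
    regex = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                    for p in parts)
    return re.compile("^" + regex + "$")
def parse_policy(text):
    """Parse 'path [owner] <path> <capabilities>' lines into rule dicts."""
    rules = []
    for m in re.finditer(r"^path\s+(owner\s+)?(\S+)\s+(\S+)", text, re.M):
        owner, target, caps = bool(m.group(1)), m.group(2), m.group(3)
        rules.append({"pattern": target, "owner": owner,
                      "regex": None if target == "default" else path_to_regex(target),
                      "caps": parse_capabilities(caps)})
    return rules
def check(rules, filepath, capability):
    """Return (allowed, log_level). Assumption: the longest matching explicit
    pattern wins; 'default' applies only when no explicit pattern matches."""
    hits = [r for r in rules if r["regex"] is not None and r["regex"].match(filepath)]
    chosen = max(hits, key=lambda r: len(r["pattern"]), default=None)
    chosen = chosen or next((r for r in rules if r["regex"] is None), None)
    if chosen is None:
        return False, None  # no explicit rule and no default: deny
    granted, log_level = chosen["caps"]
    return capability in granted, log_level

# Constructed sample: the page's own example policy plus one read-only entry.
RULES = parse_policy("path default all:log\npath /opt/oracle/private/** !all:log=9\n"
                     "path /etc/passwd read\n")
```

With this sample, a read of a file under /opt/oracle/private/ is denied and audited at risk level 9, while a path no explicit rule covers falls through to the default rule and is allowed with audit level 0.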

When administering an EAC policy, do not restrict the listed permissions on the following folders:

  Read / Write Permission     Read Permission
  /tmp/                       /etc/resolv.conf
  /dev/zero                   /etc/hosts
  /dev/null                   /etc/passwd
  /dev/tty                    /etc/groups
  /devices/**                 /dev/random
  /proc/<pid>/**              /dev/urandom
  /tmp/**                     /etc/utmp
  /var/tmp/**                 /etc/utmpx
                              /usr/share/**
                              /usr/lib/**
                              /lib/**
                              /usr/lib64/**
                              /lib64/**

NOTE: On Solaris 9, /sbin/sh is a static binary and therefore cannot enforce EAC.