 |
Index for
Section 5 |
|
 |
Alphabetical
listing for S |
|
 |
Bottom of
page |
|
sys_attrs_sec(5)
NAME
sys_attrs_sec - sec subsystem attributes
DESCRIPTION
This reference page lists and describes attributes for the Security (sec)
kernel subsystem. Refer to the sys_attrs(5) reference page for an
introduction to the topic of kernel subsystem attributes. In the following
list, attributes preceded by an asterisk (*) can be modified at run time.
* acl_mode
Enables (enable) or disables (disable) Access Control List (ACL) access
checks and default ACL inheritance on the system. See acl(4) and the
Security manual for more information.
Default value: disable
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
audit_buffer_size
The size of the audit buffer in 1-KB units.
Default value: 16 (kilobytes)
Minimum value: 16
Maximum value: 1024
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
If you are generating your own audit records and the size of these
records is close to or greater than the current audit_buffer_size
value, increasing this value may improve system performance.
audit_site_events
The size, in bytes, reserved for the audit site mask. Each byte can
support four site-defined events.
Default value: 64 (bytes)
Minimum value: 1
Maximum value: 1,048,576
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
The audit subsystem allows sites to define their own audit events
(site-defined events). The site-defined events are specified in the
/etc/sec/site_events file. Because the number of site-defined events is
determined by the customer, the audit_site_events attribute is provided
so the customer can specify how much memory the kernel needs to reserve
for these events. There is no need to change this value unless there
are more than 256 site-defined events. See the Security manual for more
information on specifying site-defined events.
* nfs_flatten_mode
A value that controls the permission bits of a file with access control
lists (ACLs) as seen by an NFS Version 2 client. NFS Version 2 clients
make their own file access decisions, based on their interpretation of
the file's permission bits. The file permission bits may not accurately
specify file access if the file has an ACL. You can specify the
following values for the nfs_flatten_mode attribute to better control
file access decisions by NFS Version 2 clients:
0 Do not modify file access; send the original file permission
bits to the NFS Version 2 client.
1 Restrict the file access; modify the "group" and "other" fields
of the file permissions so that the permission bits grant only
a level of access that is granted in every ACL entry. For
example, send permission bits that grant write access only if
all ACL entries grant write access.
2 Make file access more permissive; modify the "group" and
"other" fields of the file permissions so that the permission
bits reflect a level of access that is granted by the
combination of ACL entries. For example, if some ACL entries
grant read and execute permission and others grant write
permission, send permission bits that grant read, write, and
execute permission.
Default value: 0
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
See acl(4) for more information.
* restricted_fifo_open
A value that controls the behavior of the open() call with respect to
fifos. When enabled (1), restricted_fifo_open prevents an open() call
from opening a fifo if all the following conditions are true:
· The parent directory is world writable.
· The current user is not the fifo owner.
· The fifo owner is not the owner of parent directory.
· The fifo owner is not root.
Default value: 0 (disabled)
For best system security, it is recommended that the
restricted_fifo_open attribute be changed to 1 (enabled).
* restricted_hardlink_creat
A value that affects the behavior of the link() and rename() functions
with respect to hard links. When enabled (1), this attribute:
· Prevents hard link creation by causing link() to fail if all of
the following conditions are true:
-- The caller is not privileged.
-- The hard link is to be created in a world-writable directory.
-- The current user is not the owner of the directory where the
hard link is to be created.
-- The current user is not the owner of the file object
underlying the link.
· Prevents moving a hard link into a world-writable directory by
causing rename() to fail if all the following conditions are true:
-- The from parameter is not a directory.
-- The from parameter is not a symlink.
-- The link count for from is greater than 1.
-- The current user is not privileged.
-- The to parameter specifies a world-writable directory.
-- The current user does not own the parent directory of the to
parameter.
Default value: 0 (disabled)
For best system security, it is recommended that the
restricted_hardlink_creat attribute be changed to 1 (enabled).
* restricted_symlink_follow
A value that affects the behavior of the open() system call with
respect to symbolic links. If enabled (1), this attribute prevents
open() from following a symbolic link if all the following conditions
are true:
· The directory that contains the symbolic link is world-writable.
· The owner of the symbolic link is not root.
· The owner of the symbolic link is not the current user.
· The symbolic link and the directory that contains it do not have
the same owner.
If these conditions are true, the open() call fails and return [EACCES]
to the caller.
Default value: 0 (disabled)
For best system security, it is recommended that the
restricted_symlink_follow attribute be changed to 1 (enabled).
* ufs_proplist_max_entry
The size limit, in bytes, of property list entries on UFS file systems.
Default value: 8192 (bytes)
Minimum value: 320
Maximum value: 18,446,744,073,709,551,615
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
On AdvFS file systems, a property list entry has a hard size limit of
1560 bytes. The ufs_proplist_max_entry attribute facilitates
interoperation of UFS and AdvFS property list entries. Set this
attribute to 1560 if you want to use all property list entries on your
system with both UFS and AdvFS file systems. See proplist(4) for more
information about property lists.
The ufs_proplist_max_entry attribute interacts with the
ufs_sec_proplist_max_entry attribute. The latter is used to configure
the size of ACLs on UFS file systems. Because ACLs are stored in
property lists, ufs_sec_proplist_max_entry cannot be greater than
(ufs_proplist_max_entry - 64) bytes. If ufs_sec_proplist_max_entry is
set to exceed this limit, the value of ufs_proplist_max_entry is
automatically increased.
* ufs_sec_proplist_max_entry
The size limit, in bytes, of ACLs on UFS file systems.
Default value: 1548 (bytes)
Minimum value: 256
Maximum value: 18,446,744,073,709,551,551
In a TruCluster environment, the value of this attribute must be the
same on all member systems.
ACLs are implemented by using property lists. On AdvFS file systems,
there is a hard size limit of 1560 bytes for a property list entry.
This limit allows 2548 bytes for the ACL data, or a total of 65
entries, plus the three required entries of user::, group::, and
other::. Files have only one ACL, an Access ACL. Directories can have
up to three ACLs: an Access ACL, a Default ACL, and a Default Directory
ACL. The AdvFS limit is placed on each of the three ACLs for a
directory, meaning that each can have up to 65 entries. See acl(4) and
the Security manual for more information about ACLs.
By default, the ufs_sec_proplist_max_entry attribute is set to ensure
that the size limit of ACLs on UFS file systems is the same as the size
limit of ACLs on AdvFS file systems. This ensures that ACLs on your
system can be copied between UFS and AdvFS file systems. It is
recommended that you not modify the default setting of
ufs_sec_proplist_max_entry unless you have strong need for larger ACLs.
The ufs_sec_proplist_max_entry attribute interacts with the
ufs_proplist_max_entry attribute. See the description of
ufs_proplist_max_entry for a description of this relationship.
SEE ALSO
Files: acl(4), proplist(4)
Others: sys_attrs(5)
Security
|
Index for
Section 5 |
|
|
Alphabetical
listing for S |
|
 |
Top of
page |
|