prof_attr - profile description database




     /etc/security/prof_attr is a local source for execution pro-
     file  names, descriptions, and other attributes of execution
     profiles. The prof_attr file can be used with other  profile
     sources,  including  the  prof_attr  NIS map and NIS+ table.
     Programs use the getprofattr(3SECDB) routines to gain access
     to this information.

     The search order for multiple prof_attr sources is specified
     in   the   /etc/nsswitch.conf  file,  as  described  in  the
     nsswitch.conf(4) man page.

     An execution profile is a mechanism used to bundle  together
     the commands and authorizations needed to perform a specific
     function. An execution profile can also contain other execu-
     tion profiles. Each entry in the prof_attr database consists
     of one line of text  containing  five  fields  separated  by
     colons (:). Line continuations using the backslash (\) char-
     acter are permitted. The format of each entry is:


           The name of  the  profile.  Profile  names  are  case-

     res1  Reserved for future use.

     res2  Reserved for future use.

     desc  A long description. This field should explain the pur-
           pose of the profile, including what type of user would
           be interested in using it. The long description should
           be  suitable  for  displaying  in  the help text of an

     attr  An optional list of semicolon-separated (;)  key-value
           pairs  that  describe the security attributes to apply
           to the object upon execution. Zero or more keys may be
           specified.  There  are  three valid keys: help, profs,
           and auths.

           help is assigned the name of a file ending in .htm  or

           auths specifies a comma-separated list  of  authoriza-
           tion  names  chosen  from  those  names defined in the
           auth_attr(4)  database.  Authorization  names  may  be
           specified  using the asterisk (*) character as a wild-
           card. For example, solaris.printer.* would mean all of
           Sun's authorizations for printing.

           profs specifies  a  comma-separated  list  of  profile
           names chosen from those names defined in the prof_attr


     Example 1: Allowing execution of all commands

     The following entry allows the user to execute all commands:

     All:::Use this profile to give a :help=All.html

     Example 2: Consulting the local prof_attr file first

     With the following nsswitch.conf entry, the local  prof_attr
     file is consulted before the NIS+ table:

     prof_attr: files nisplus





     When  deciding  which  authorization  source  to  use   (see
     DESCRIPTION),  keep  in  mind  that  NIS+  provides stronger
     authentication than NIS.

     The root user is usually defined in local databases  because
     root needs to be able to log in and do system maintenance in
     single-user mode and at other times when  the  network  name
     service  databases  are  not  available. So that the profile
     definitions for root can be located at  such  times,  root's
     profiles  should be defined in the local prof_attr file, and
     the order shown in the example  nsswitch.conf(4) file  entry
     under EXAMPLES is highly recommended.

     Because the list of legal keys is likely to expand, any code
     that  parses this database must be written to ignore unknown
     key-value pairs without error. When  any  new  keywords  are
     created,  the names should be prefixed with a unique string,
     such as the company's stock symbol, to avoid potential  nam-
     ing conflicts.

     Each application has its own requirements  for  whether  the
     help  value  must  be  a  relative  pathname  ending  with a
     filename or the name of a file. The only  known  requirement
     is for the name of a file.

     The following characters are used in describing the database
     format and must be escaped with a backslash if used as data:
     colon (:), semicolon (;), equals (=), and backslash (\).


     auths(1),         profiles(1),          getauthattr(3SECDB),
     getprofattr(3SECDB),    getuserattr(3SECDB),   auth_attr(4),
     exec_attr(4), user_attr(4)

Man(1) output converted with man2html