user_attr(4)

NAME

     user_attr - extended user attributes database

SYNOPSIS

     /etc/user_attr

DESCRIPTION

     /etc/user_attr is a  local  source  of  extended  attributes
     associated  with users and roles. user_attr can be used with
     other user attribute sources, including  the  user_attr  NIS
     map  and  NIS+  table.  Programs use the getuserattr(3SECDB)
     routines to gain access to this information.

     The search order for multiple user_attr sources is specified
     in   the   /etc/nsswitch.conf  file,  as  described  in  the
     nsswitch.conf(4) man page.  The search  order  follows  that
     for passwd(4).

     Each entry in the user_attr databases consists of  a  single
     line   with  five  fields separated by colons (:). Line con-
     tinuations using the backslash (\) character are  permitted.
     Each entry has the form:

     user:qualifier:res1:res2:attr

     user  The name of the user as  specified  in  the  passwd(4)
           database.

     qualifier
           Reserved for future use.

     res1  Reserved for future use.

     res2  Reserved for future use.

     attr  An optional list of semicolon-separated (;)  key-value
           pairs  that  describe the security attributes to apply
           to the object upon execution. Zero or more keys may be
           specified. There are five valid keys: auths, profiles,
           roles, type, and project.

           auths Specifies a comma-separated list  of  authoriza-
                 tion  names  chosen  from those names defined in
                 the auth_attr(4) database.  Authorization  names
                 may  be specified using the asterisk (*) charac-
                 ter    as    a    wildcard.     For     example,
                 solaris.printer.*  means  all  of  Sun's printer
                 authorizations.

           profiles
                 Contains an  ordered,  comma-separated  list  of
                 profile   names   chosen   from    prof_attr(4).
                 Profiles are enforced  by  the  profile  shells,
                 pfcsh,  pfksh, and pfsh. See pfsh(1). If no pro-
                 files are assigned, the profile  shells  do  not
                 allow the user to execute any commands.

           roles Can be assigned a comma-separated list  of  role
                 names  from  the  set  of  user accounts in this
                 database whose type field indicates the  account
                 is  a role. If the roles key value is not speci-
                 fied, the user is not permitted  to  assume  any
                 role.

           type  Can be assigned one of these  strings:   normal,
                 indicating  that  this  account  is for a normal
                 user, one who logs in; or role, indicating  that
                 this  account  is  for a role. Roles can only be
                 assumed by  a normal user  after  the  user  has
                 logged in.

           project
                 Can be assigned a name of one project  from  the
                 project(4) database to be used as a default pro-
                 ject to place the user in  at  login  time.  For
                 more information, see getdefaultproj(3PROJECT).

EXAMPLES

     Example 1: Assigning a Profile to Root

     The following example entry assigns to root the All profile,
     which  allows  root  to  use all commands in the system, and
     also assigns two authorizations:

     root::::auths=solaris.*,solaris.grant;profiles=All;type=normal

     The  solaris.* wildcard authorization shown above gives root
     all   the  solaris  authorizations;  and  the  solaris.grant
     authorization gives root the right to grant to   others  any
     solaris  authorizations  that  root  has. The combination of
     authorizations  enables root to  grant  to  others  all  the
     solaris  authorizations.  See  auth_attr(4)  for  more about
     authorizations.

FILES

     /etc/nsswitch.conf
           configuration file for the name service switch

     /etc/user_attr
           extended user attributes database

SEE ALSO


     auths(1),   pfcsh(1),   pfksh(1),   pfsh(1),    profiles(1),
     roles(1),   getdefaultproj(3PROJECT),   getuserattr(3SECDB),
     auth_attr(4),  exec_attr(4),  nsswitch.conf(4),   passwd(4),
     prof_attr(4), project(4)

NOTES

     When deciding which authorization source  to  use,  keep  in
     mind that NIS+ provides stronger authentication than NIS.

     The root user is usually defined in local  databases  for  a
     number  of reasons, including the fact that root needs to be
     able to log in and  do  system  maintenance  in  single-user
     mode,  before the network name service databases are  avail-
     able. For this reason, an entry should exist for root in the
     local  user_attr file, and the precedence shown in the exam-
     ple  nsswitch.conf(4) file entry under  EXAMPLES  is  highly
     recommended.

     Because the list of legal keys is likely to expand, any code
     that  parses this database must be written to ignore unknown
     key-value pairs without error. When  any  new  keywords  are
     created,  the names should be prefixed with a unique string,
     such as the company's stock symbol, to avoid potential  nam-
     ing conflicts.

     In the  attr field, escape  the  following  symbols  with  a
     backslash  (\)  if  you  use  them in any  value: colon (:),
     semicolon  (;),  carriage  return  (\n),  equals   (=),   or
     backslash (\).
Man(1) output converted with man2html