Man Pages (1MTSOL): Maintenance and Administration Commands

NAME

Intro, intro - introduction to maintenance and administration commands

AVAILABILITY

SUNWman

NOTE

In the 1MTSOL section of the Trusted Solaris Reference Manual, the AVAILABILITY section indicates which package contains the command described on the current man page. Before the command can be used, the indicated package must be installed. The security administrator role (in the default system) can use pkginfo(1) to check which packages are installed and pkgadd(1M) to add a package.
In the Trusted Solaris operating environment, even if a particular command is installed, the command may not be usable by anyone unless the site's security administrator has included that command in an execution profile that has been assigned to one or more users. The security administrator can restrict the use of any command and can change any of a command's security attributes using the profile mechanism. Security administrator, security attributes, execution profiles, and other Trusted Solaris terms used on the administrative command man pages are defined in the DEFINITIONS section of Intro(1TSOL) and explained further in the Trusted Solaris Administration Overview and Trusted Solaris Administrator's Procedures manuals. If any of the commands described in this section do not work at all, or do not work as expected, check with your security administrator.

DESCRIPTION

Section 1M of the Trusted Solaris Reference Manual describes, in alphabetical order, commands used chiefly for system maintenance and administration of the Trusted Solaris operating system. The Trusted Solaris operating environment is based on the Solaris operating environment, the Common Desktop Environment (CDE) window system, and the Solstice AdminSuite set of system administration tools. Man pages whose section IDs end with the 1MTSOL suffix describe administrative commands that are either new or modified from the base Solaris or bundled products to work within Trusted Solaris security policy. An example of a new Trusted Solaris administrative command added to the combined base Solaris, CDE, and Solstice functionality is adminvi, described on the adminvi(1MTSOL) man page. The adminvi command is a modified version of the vi(1) command that allows administrators and other users to edit files on the command line or in the Admin Editor while preventing certain vi actions that present a security risk.
Modified commands are commands from any of the base products that have been changed to work within the Trusted Solaris security policy, such as mount. Man pages for modified commands have been rewritten to remove information that is not accurate for how the command behaves within the Trusted Solaris system. Modified man pages, such as mount(1MTSOL), also describe any new features, options, and arguments added to the base command.
Because of command restructuring for the Virtual File System architecture, there are several instances of multiple manual pages that begin with the same name; for example, the mount pages: mount(1MTSOL), mount_hsfs(1MTSOL), mount_nfs(1MTSOL), mount_tmpfs(1MTSOL), and mount_ufs(1MTSOL). In each such case the first of the multiple pages describes the syntax and options of the generic command, that is, those options applicable to all FSTypes (file system types). The succeeding pages describe the functionality of the FSType-specific modules of the command. These pages list the command followed by an underscore (_) and the FSType to which they pertain. The administrator should not attempt to call these modules directly; the generic command provides a common interface to all of them. Thus the FSType-specific manual pages should not be viewed as describing distinct commands, but rather as detailing those aspects of a command that are specific to a particular FSType.

NOTE

The answerbook(1) and the printed versions of the Trusted Solaris Reference Manual include only the new Trusted Solaris man pages along with those modified from the base and bundled products, while the online man pages viewable with the man(1) command include all the base man pages along with the Trusted Solaris man pages. The man command without any options always displays the Trusted Solaris version, so when both a base man page and a Trusted Solaris version exist and you want to view the original man page, you must use the man command with the -s option followed by the base section ID of the man page. For example, to display the mount(1M) man page instead of the modified mount(1MTSOL) man page, enter: man -s1m mount. To find out all the sections that contain man pages with the same name, enter: man -l <man_page_name>.

COMMAND SYNTAX

Unless otherwise noted, commands described in this section accept options and other arguments according to the following syntax:
name [option(s)] [cmdarg(s)]
where:
name
The name of an executable file
option
-noargletter(s) or,
-argletter<>optarg
where <> is optional white space
noargletter
A single letter representing an option without an argument
argletter
A single letter representing an option requiring an argument
optarg
Argument (character string) satisfying preceding argletter
cmdarg
Pathname (or other command argument) not beginning with -, or - by itself, indicating the standard input
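The grammar above is easier to trust once you have seen it applied to real argument vectors. The following parser is an added example written for this page, not code from Trusted Solaris or from getopt(3C); it implements exactly the rules stated here (clustered noargletters, an argletter whose optarg is either the rest of the word or the next word, and a lone "-" meaning standard input) on constructed argv lists.

```python
from typing import Dict, List, Tuple


def parse_command_line(argv: List[str], noargletters: str,
                       argletters: str) -> Tuple[Dict[str, object], List[str]]:
    """Split argv into options and cmdargs following the COMMAND SYNTAX rules.

    argv         - the words after the command name (sys.argv[1:])
    noargletters - letters that take no argument; they may be clustered ("-ab")
    argletters   - letters that require an optarg, given as "-x optarg" or "-xoptarg"
    Returns ({letter: True | optarg}, [cmdarg, ...]).  A lone "-" is a cmdarg
    naming standard input, not an option.
    """
    options: Dict[str, object] = {}
    cmdargs: List[str] = []
    i = 0
    while i < len(argv):
        word = argv[i]
        i += 1
        # cmdarg: anything not beginning with "-", or "-" by itself (stdin)
        if word == "-" or not word.startswith("-"):
            cmdargs.append(word)
            continue
        pos = 1
        while pos < len(word):
            letter = word[pos]
            pos += 1
            if letter in noargletters:
                options[letter] = True          # clustered letters keep going
            elif letter in argletters:
                optarg = word[pos:]             # "-ofile": rest of the word
                if not optarg:                  # "-o file": optional white space
                    if i >= len(argv):
                        raise ValueError(f"option -{letter} requires an argument")
                    optarg = argv[i]
                    i += 1
                options[letter] = optarg
                break                           # the optarg ends this word
            else:
                raise ValueError(f"unknown option -{letter}")
    return options, cmdargs


if __name__ == "__main__":
    # Constructed argv: -v clustered with -o, whose optarg is the next word,
    # then "-" for standard input and an ordinary pathname.
    print(parse_command_line(["-vo", "out.txt", "-", "in.txt"], "v", "o"))
```

Note what the grammar implies for pathnames: a cmdarg by definition does not begin with "-", and the syntax shown here has no end-of-options marker, so a file whose name starts with "-" has to be passed by a path that does not (./-file), or it will be parsed as an option cluster.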

RULES FOR THE ENTERING AND DISPLAY OF LABELS

When entering labels on the command line in a UNIX shell, follow these rules. For rules for entering labels in graphical user interfaces, see Intro(1TSOL). For rules for entering labels in configuration files, see Intro(4TSOL).

Enter a sensitivity label (SL), information label (IL), or clearance in ASCII in the form:
{ + } { classification } { { +|- }word } ...
Items in curly brackets are optional. A vertical bar (|) represents a choice between two items. Items followed by an ellipsis may be repeated zero or more times. Leading and trailing white space is ignored. Items may be separated by blanks, tabs, commas or slashes (/).
The system always displays labels in uppercase. Users may enter labels in any combination of uppercase and lowercase.
The classification part of the label must be a valid classification name as defined in label_encodings(4TSOL). Classification names may contain embedded blanks or punctuation, if they are so defined in label_encodings. Short and long forms of classification names may be used interchangeably.
The words (compartments and markings) used in labels must be valid words as defined in label_encodings. Words may contain embedded blanks or punctuation if they are so defined in label_encodings.
Short and long forms of words may be used interchangeably. Words may be specified in any order; however they are processed left to right, so that where words conflict with each other, the word furthest to the right takes precedence.
NOTE: By convention, words appear in sensitivity labels in reverse order to the way they appear in information labels. Order doesn't matter on input. TS A B in an SL is displayed as TS B A in an IL.
You may use plus and minus signs when modifying an existing label to turn on or off the compartments and markings associated with the words.
A CMW label is represented in ASCII in the form:
{ INFORMATION LABEL } { [ SENSITIVITY LABEL ] }
Items in curly brackets are optional. Leading and trailing white space is ignored. Items may be separated by blanks, tabs, commas, or slashes (/).

EXAMPLES

On the command line, enclose any label with more than one word in double quotes because, without quotes, a second word or letter separated by a space is interpreted as a second argument.
setlabel -i "C A B" somefile
setlabel -s SECRET somefile

Enclose labels containing [ and ] characters in quotes to suppress the shell's use of those characters in filename substitution.
setlabel -s "[SECRET]" somefile
Use any combination of upper and lowercase letters. You may separate items in a label with blanks, tabs, commas or slashes (/). Don't use any other punctuation.
setlabel "CONFIDENTIAL[ts a b]" somefile
setlabel "confidential[ts,a,b]" somefile
setlabel "confidential[ts/a  b]" somefile

When entering a full CMW label, enter the IL first, followed by the SL in brackets:
Information Label[Sensitivity Label]
When entering an SL with a command option that sets the SL, you do not need to use brackets around the SL.
setlabel -s "TOP SECRET A B" somefile
To set somefile's IL to CONFIDENTIAL.
setlabel -i confidential somefile
To set somefile's IL to ADMIN_LOW and SL to CONFIDENTIAL.
setlabel "admin_low[confidential]" somefile
To set somefile's SL to SECRET A.
setlabel "[Secret a]" somefile
To turn on compartment B in somefile's SL.
setlabel -s +b somefile
To turn off compartment A in somefile's SL.
setlabel -s -A somefile
To set somefile's IL to SECRET B A. (Remember that the words in an IL appear in reverse order to the words in an SL.)
setlabel -i secret,b/a somefile
When the IL is SECRET B A, reset the IL to CONFIDENTIAL.
setlabel -i +confidential somefile
To set somefile's IL to SECRET B.
setlabel -i "secret a B -A" somefile
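The label rules above and the setlabel examples that follow them describe one small grammar: optional leading plus, an optional classification, then signed or unsigned words, with blanks, tabs, commas and slashes as separators, case-insensitive matching of long or short forms, left-to-right processing with the rightmost sign winning, and ILs displayed with their words in reverse SL order. The parser below is an added example for this page, not Trusted Solaris code; it uses a constructed stand-in for a site's label_encodings(4TSOL) (the classification and word names are assumptions, including an embedded-blank classification "TOP SECRET"), and it assumes, in order to reproduce every example on the page, that a string naming a classification rebuilds the label while a string without one modifies the existing label.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for a site's label_encodings(4TSOL) file (an assumption
# for this demo; a real site defines its own names).  Each entry is
# (long form, short form); list order is the encodings order used for display.
CLASSIFICATIONS: List[Tuple[str, str]] = [
    ("ADMIN_LOW", "ADMIN_LOW"),
    ("UNCLASSIFIED", "U"),
    ("CONFIDENTIAL", "C"),
    ("SECRET", "S"),
    ("TOP SECRET", "TS"),        # embedded blank, as label_encodings allows
    ("ADMIN_HIGH", "ADMIN_HIGH"),
]
# Compartment words; single tokens only in this demo (no embedded blanks).
WORDS: List[Tuple[str, str]] = [("A", "A"), ("B", "B"), ("NOFORN", "NF")]

_SEP = re.compile(r"[ \t,/]+")    # items separated by blanks, tabs, commas or slashes


def _lookup(table: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Case-insensitive match of a long or short form; returns the long form."""
    name = name.upper()
    for long_form, short_form in table:
        if name in (long_form, short_form):
            return long_form
    return None


@dataclass
class Label:
    classification: str
    words: List[str] = field(default_factory=list)   # canonical long forms

    def display(self, info_label: bool = False) -> str:
        """Uppercase display form; an IL shows its words in reverse SL order."""
        ordered = [w for w, _ in WORDS if w in self.words]
        if info_label:
            ordered.reverse()
        return " ".join([self.classification] + ordered)


def parse_label(text: str, current: Optional[Label] = None) -> Label:
    """Parse '{ + } { classification } { {+|-}word } ...' against `current`.

    Assumed semantics: a string that names a classification rebuilds the label
    from it; a string without one modifies `current`.  Words are processed left
    to right, so the rightmost sign for a word wins.  The optional leading '+'
    is accepted as syntax only.
    """
    text = text.strip()
    if text.startswith("+"):
        text = text[1:]
    tokens = [t for t in _SEP.split(text) if t]

    # Longest run of leading tokens that names a classification, so that
    # "TOP SECRET A B" is read as classification "TOP SECRET" plus words A, B.
    label: Optional[Label] = None
    rest = tokens
    for n in range(len(tokens), 0, -1):
        cls = _lookup(CLASSIFICATIONS, " ".join(tokens[:n]))
        if cls is not None:
            label, rest = Label(cls), tokens[n:]
            break
    if label is None:
        if current is None:
            raise ValueError("no classification given and no label to modify")
        label = Label(current.classification, list(current.words))

    for tok in rest:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        word = _lookup(WORDS, name)
        if word is None:
            raise ValueError(f"unknown word {name!r} in label {text!r}")
        if sign == "+" and word not in label.words:
            label.words.append(word)
        elif sign == "-" and word in label.words:
            label.words.remove(word)
    return label


_CMW = re.compile(r"^\s*(?P<il>[^\[\]]*?)\s*(?:\[(?P<sl>[^\[\]]*)\])?\s*$")


def parse_cmw(text: str, current_il: Optional[Label] = None,
              current_sl: Optional[Label] = None) -> Tuple[Optional[Label], Optional[Label]]:
    """Parse the CMW form '{ INFORMATION LABEL } { [ SENSITIVITY LABEL ] }'."""
    m = _CMW.match(text)
    if m is None:
        raise ValueError(f"malformed CMW label {text!r}")
    il = parse_label(m["il"], current_il) if m["il"] else current_il
    sl = parse_label(m["sl"], current_sl) if m["sl"] is not None else current_sl
    return il, sl


if __name__ == "__main__":
    il, sl = parse_cmw("confidential[ts/a  b]")
    print(il.display(info_label=True) + "[" + sl.display() + "]")
    print(parse_label("secret a B -A").display(info_label=True))
```

The longest-match search for the classification is the part worth copying: splitting on separators first and then matching a single token would silently turn "TOP SECRET A B" into a lookup failure, or worse, into a different classification if a short form happened to collide with the first token.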

TRUSTED SOLARIS DIFFERENCES

The responsibilities and privileges of the super-user have been divided among several administrative roles. When a man page that has not been modified for the Trusted Solaris system states that super-user is required to execute a certain command or option, remember that one or more privileges are required instead. The site's security administrator can perform privilege debugging (see runpd(1MTSOL)) to find out which privileges are needed, and can then decide to give the privilege to the command after assessing whether the command, and any users set up to use that command, can make use of the privilege in a manner that does not violate the site's security policy.
The ability of the UNIX super-user to bypass access restrictions, to execute restricted commands, and to use some command options not available to other users has been replaced with the profile mechanism, which allows the security administrator to assign different sets of commands to various users and to assign different privileges to the commands using execution profiles. When a command or one of its options needs a privilege in order to succeed, that privilege is a required privilege; if the required privilege is not forced on the command or given to the command in the user's execution profile by the security administrator, the command or the option will not work at all. Required privileges are indicated on the man page with the words "must have," as in this sentence: "The ifconfig(1MTSOL) command must have the sys_net_config privilege to modify network interfaces."
In other cases, the command is designed to work within security policy but fails when certain DAC or MAC checks are not passed; there, an override privilege may be assigned at the security administrator's discretion. On man pages, the names of privileges that may be used to override access restrictions are given in the ERRORS section. The override privileges that may be given to bypass DAC or MAC restrictions on files or directories are as follows:
The DAC override privileges are file_dac_read and file_dac_write. If a user does not have DAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired. The MAC override privileges are file_mac_read and file_mac_write. If a user doesn't have MAC access to a file, the security administrator may assign one or both of these privileges to the command, depending on whether read or write access or both are desired.
Besides being able to assign an override privilege, the security administrator has other options. For example, to avoid the use of privilege the security administrator may specify that the command will execute with another user's ID or alternate group ID, one that allows access to the file or directory based on its permissions or its ACL.
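The decision the preceding paragraphs describe, a DAC check followed by a MAC check, each failure mapped to one of the four file_dac_*/file_mac_* override privileges, is worth seeing as code because it shows why the administrator may need to assign one or both. The model below is an added example for this page, not Trusted Solaris kernel code: the label representation (rank plus compartment set, read requires dominance, write requires equal labels), the absence of ACLs, and the sample process and file are all assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


# Assumed MAC model for this demo: a sensitivity label is a classification
# rank plus a set of compartments; X dominates Y when X's rank is at least
# Y's and X's compartments include all of Y's.
@dataclass(frozen=True)
class SL:
    rank: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "SL") -> bool:
        return self.rank >= other.rank and self.compartments >= other.compartments


@dataclass
class Process:
    uid: int
    gids: FrozenSet[int]
    sl: SL
    privileges: FrozenSet[str] = frozenset()   # privileges the command runs with


@dataclass
class File:
    owner: int
    group: int
    mode: int          # the usual rwxrwxrwx permission bits
    sl: SL


def dac_allows(proc: Process, f: File, want: str) -> bool:
    """Traditional UNIX owner/group/other permission check (no ACLs in this demo)."""
    bit = {"read": 4, "write": 2}[want]
    if proc.uid == f.owner:
        perm = (f.mode >> 6) & 7
    elif f.group in proc.gids:
        perm = (f.mode >> 3) & 7
    else:
        perm = f.mode & 7
    return bool(perm & bit)


def mac_allows(proc: Process, f: File, want: str) -> bool:
    """Assumed MAC rule: read needs the process SL to dominate the file SL;
    write needs the two SLs to be equal (no write-up, no write-down)."""
    if want == "read":
        return proc.sl.dominates(f.sl)
    return proc.sl == f.sl


def access(proc: Process, f: File, want: str) -> Tuple[bool, List[str]]:
    """Run the DAC check, then the MAC check, for want in {"read", "write"}.

    Returns (allowed, missing): `missing` lists every override privilege named
    on this page that the process lacks for a check it failed, so an
    administrator sees whether one or both of file_dac_*/file_mac_* would be
    needed before deciding whether to assign them to the command.
    """
    checks = ((dac_allows, f"file_dac_{want}"), (mac_allows, f"file_mac_{want}"))
    missing = [priv for check, priv in checks
               if not check(proc, f, want) and priv not in proc.privileges]
    return (not missing), missing


if __name__ == "__main__":
    confidential = SL(1)
    secret_a = SL(2, frozenset({"A"}))
    # Constructed sample: an unprivileged process at SECRET A and a
    # world-readable CONFIDENTIAL file owned by someone else.
    proc = Process(uid=1001, gids=frozenset({10}), sl=secret_a)
    f = File(owner=0, group=0, mode=0o644, sl=confidential)
    print(access(proc, f, "read"))    # read-down passes both checks
    print(access(proc, f, "write"))   # fails DAC and MAC: two overrides named
```

Reporting every missing override rather than stopping at the first failure matters in practice: a command that fails only the DAC check should get file_dac_write (or, as the text notes, run under a different UID or GID), not a MAC override it does not need.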
To find out how privileges are made available to commands, and exactly which tasks, commands, and privileges are assigned to each of the roles by means of the execution profiles shipped with the default system, see the Trusted Solaris Administrator's Procedures.
Also, check with your security administrator to find out which roles are configured at your site and if any of the roles have been reconfigured to suit your site's security policy.

SUMMARY OF TRUSTED SOLARIS CHANGES

The printed reference manual contains only the new and modified Trusted Solaris man pages, while the on-line set of man pages viewed with the man command contains both the man pages from the base product and the Trusted Solaris man pages.
Commands may not work as expected in the Trusted Solaris system because Trusted Solaris administrators may limit the conditions under which commands may be accessed by each user, or may restrict certain users from accessing commands at all.
Besides the usual UNIX DAC checks performed when a command executing on behalf of a user attempts to access a file or directory, there are mandatory access checks that must also be passed. For each type of access failure that can occur there is an override privilege that may be assigned to the command at the security administrator's discretion.

NOTE

When a SUMMARY OF TRUSTED SOLARIS CHANGES is provided on a modified man page, it is intended as a convenience to summarize for you the major changes all in one place. Do not rely on the SUMMARY OF TRUSTED SOLARIS CHANGES alone, but also read the entire man page.

SEE ALSO

getopt(1), pkgadd(1M), runpd(1MTSOL), getopt(3C), the Trusted Solaris Administration Overview, and the Trusted Solaris Administrator's Procedures.

DIAGNOSTICS

Upon termination, each command returns 0 for normal termination and non-zero to indicate troubles such as erroneous parameters, bad or inaccessible data, or other inability to cope with the task at hand. This value is called variously ``exit code,'' ``exit status,'' or ``return code,'' and is described only where special conventions are involved.

NOTES

Unfortunately, not all commands adhere to the standard syntax.

LIST OF COMMANDS

Name                              Description

accept(1MTSOL)                    accept or reject print requests
add_allocatable(1MTSOL)           add entries to allocation databases and create ancillary file
add_drv(1MTSOL)                   add a new device driver to the system
add_install_client(1MTSOL)        See install_scripts(1MTSOL)
adminvi(1MTSOL)                   edit text with restrictions
allocate(1MTSOL)                  device allocation
arp(1MTSOL)                       address resolution display and control
atohexlabel(1MTSOL)               convert an ASCII coded label to its hexadecimal equivalent
audit(1MTSOL)                     control the behavior of the audit daemon
auditconfig(1MTSOL)               configure auditing
auditd(1MTSOL)                    audit daemon
auditreduce(1MTSOL)               merge and select audit records from audit trail files
auditstat(1MTSOL)                 display kernel audit statistics
audit_startup(1MTSOL)             audit subsystem initialization script
audit_warn(1MTSOL)                audit daemon warning script
automount(1MTSOL)                 install automatic mount points
automountd(1MTSOL)                autofs mount/unmount daemon
autopush(1MTSOL)                  configure lists of automatically pushed STREAMS modules
bootparamd(1MTSOL)                See rpc.bootparamd(1MTSOL)
bsmconv(1MTSOL)                   enable/disable the auditing module
bsmunconv(1MTSOL)                 See bsmconv(1MTSOL)
check(1MTSOL)                     See install_scripts(1MTSOL)
chk_encodings(1MTSOL)             check label-encodings file syntax
chroot(1MTSOL)                    change root directory for a command
clist(1MTSOL)                     See pfsh(1MTSOL)
cron(1MTSOL)                      clock daemon
deallocate(1MTSOL)                device deallocation
device_clean(1MTSOL)              device clean programs
devpolicy(1MTSOL)                 configure device policy
dfmounts(1MTSOL)                  display mounted resource information
dfshares(1MTSOL)                  list available resources from remote or local systems
dispadmin(1MTSOL)                 process scheduler administration
dl_booting(1MTSOL)                inform the kernel that a machine is in the state of disklessly booting or in the normal state
dl_restore(1MTSOL)                See dl_booting(1MTSOL)
dminfo(1MTSOL)                    report information about a device entry in a device maps file
drvconfig(1MTSOL)                 configure the /devices directory
du(1MTSOL)                        summarize disk usage
eeprom(1MTSOL)                    EEPROM display and load utility
format(1MTSOL)                    disk partitioning and maintenance utility
fsdb_ufs(1MTSOL)                  ufs file system debugger
ftpd(1MTSOL)                      See in.ftpd(1MTSOL)
fuser(1MTSOL)                     identify processes using a file or file structure
getfsattr(1MTSOL)                 display the file system security attributes
getfsattr_ufs(1MTSOL)             display ufs file system security attributes
halt(1MTSOL)                      stop the processor
hextoalabel(1MTSOL)               convert a hexadecimal label to its ASCII coded equivalent
ifconfig(1MTSOL)                  configure network-interface parameters
in.ftpd(1MTSOL)                   file-transfer protocol server
in.named(1MTSOL)                  Internet domain name server
in.rarpd(1MTSOL)                  DARPA Reverse Address Resolution Protocol server
in.rdisc(1MTSOL)                  network router discovery daemon
in.rexecd(1MTSOL)                 remote execution server
in.rlogind(1MTSOL)                remote login server
in.routed(1MTSOL)                 network routing daemon
in.rshd(1MTSOL)                   remote shell server
in.tftpd(1MTSOL)                  Internet Trivial File Transfer Protocol server
inetd(1MTSOL)                     Internet services daemon
init(1MTSOL)                      process control initialization
install(1MTSOL)                   install commands
install_scripts(1MTSOL)           scripts used to install the Solaris software
list_devices(1MTSOL)              list allocatable devices
lockd(1MTSOL)                     network lock daemon
lpadmin(1MTSOL)                   configure the LP print service
lpfilter(1MTSOL)                  administer filters used with the LP print service
lpforms(1MTSOL)                   administer forms used with the LP print service
lpmove(1MTSOL)                    See lpsched(1MTSOL)
lpsched(1MTSOL)                   start/stop the LP print service and move requests
lpshut(1MTSOL)                    See lpsched(1MTSOL)
lpsystem(1MTSOL)                  register remote systems with the print service
lpusers(1MTSOL)                   set printing queue priorities
modload(1MTSOL)                   load a kernel module
modunload(1MTSOL)                 unload a module
mount(1MTSOL)                     mount or unmount file systems and remote resources
mount_hsfs(1MTSOL)                mount hsfs file systems
mount_nfs(1MTSOL)                 mount remote NFS resources
mount_pcfs(1MTSOL)                mount pcfs file systems
mount_tmpfs(1MTSOL)               mount tmpfs file systems
mount_ufs(1MTSOL)                 mount ufs file systems
mountall(1MTSOL)                  mount, unmount multiple file systems
mountd(1MTSOL)                    NFS mount request server
named-xfer(1MTSOL)                See in.named(1MTSOL)
named(1MTSOL)                     See in.named(1MTSOL)
ndd(1MTSOL)                       get and set driver configuration parameters
netstat(1MTSOL)                   show network status
newsecfs(1MTSOL)                  See setfsattr(1MTSOL)
nfsd(1MTSOL)                      NFS daemon
nfsstat(1MTSOL)                   NFS statistics
nis_cachemgr(1MTSOL)              NIS+ utility to cache location information about NIS+ servers
nisd(1MTSOL)                      See rpc.nisd(1MTSOL)
nisd_resolv(1MTSOL)               See rpc.nisd_resolv(1MTSOL)
nispasswdd(1MTSOL)                See rpc.nispasswdd(1MTSOL)
nispopulate(1MTSOL)               populate the NIS+ tables in a NIS+ domain
nissetup(1MTSOL)                  initialize a NIS+ domain
nscd(1MTSOL)                      name service cache daemon
nslookup(1MTSOL)                  query name servers interactively
nstest(1MTSOL)                    DNS test shell
pbind(1MTSOL)                     control and query bindings of processes to processors
pfsh(1MTSOL)                      profile shell
praudit(1MTSOL)                   print contents of an audit trail file
prtconf(1MTSOL)                   print system configuration
psradm(1MTSOL)                    set processors on line or off line
rarpd(1MTSOL)                     See in.rarpd(1MTSOL)
rdate(1MTSOL)                     set system date from a remote host
rdisc(1MTSOL)                     See in.rdisc(1MTSOL)
reboot(1MTSOL)                    restart the operating system
reject(1MTSOL)                    See accept(1MTSOL)
rem_drv(1MTSOL)                   remove a device driver from the system
remove_allocatable(1MTSOL)        remove entries from allocation databases and delete ancillary file
rm_install_client(1MTSOL)         See install_scripts(1MTSOL)
route(1MTSOL)                     manually manipulate the routing tables
routed(1MTSOL)                    See in.routed(1MTSOL)
rpc.bootparamd(1MTSOL)            boot parameter server
rpc.getpeerinfod(1MTSOL)          getpeerinfo service daemon
rpc.nisd(1MTSOL)                  NIS+ service daemon
rpc.nisd_resolv(1MTSOL)           NIS+ service daemon
rpc.nispasswdd(1MTSOL)            NIS+ password update daemon
rpc.tbootparamd(1MTSOL)           Trusted Solaris boot parameter server
rpcbind(1MTSOL)                   universal addresses to RPC program number mapper
rpcinfo(1MTSOL)                   report RPC information
runpd(1MTSOL)                     run a command for privilege debugging
rwall(1MTSOL)                     write to all users over a network
sendmail(1MTSOL)                  send mail over the internet
setaudit(1MTSOL)                  run a command with the audit mask set
setfsattr(1MTSOL)                 set security attributes on an existing or newly created file system
setmnt(1MTSOL)                    establish mount table
setuname(1MTSOL)                  change machine information
setup_install_server(1MTSOL)      See install_scripts(1MTSOL)
share(1MTSOL)                     make local resource available for mounting by remote systems
share_nfs(1MTSOL)                 make local NFS file systems available for mounting by remote systems
shareall(1MTSOL)                  share, unshare multiple resources
showmount(1MTSOL)                 show all remote mounts
snoop(1MTSOL)                     capture and inspect network packets
spray(1MTSOL)                     spray packets
statd(1MTSOL)                     network status monitor
swap(1MTSOL)                      swap administrative interface
sysdef(1MTSOL)                    output system definition
sysh(1MTSOL)                      system shell
tbootparam(1MTSOL)                send a request to rpc.tbootparamd to inform it that a host is in normal (labeled) state now
telinit(1MTSOL)                   See init(1MTSOL)
tftpd(1MTSOL)                     See in.tftpd(1MTSOL)
tnchkdb(1MTSOL)                   check file syntax of trusted network databases
tnctl(1MTSOL)                     configure Trusted Solaris network daemon control parameters
tnd(1MTSOL)                       trusted network daemon
tninfo(1MTSOL)                    print out kernel level network information and statistics
tokmapctl(1MTSOL)                 configure token-mapping daemon
tokmapd(1MTSOL)                   token-mapping daemon
uadmin(1MTSOL)                    administrative control
umount(1MTSOL)                    See mount(1MTSOL)
umountall(1MTSOL)                 See mountall(1MTSOL)
unshare(1MTSOL)                   make local resource unavailable for mounting by remote systems
unshare_nfs(1MTSOL)               make local NFS file systems unavailable for mounting by remote systems
unshareall(1MTSOL)                See shareall(1MTSOL)
updatehome(1MTSOL)                update the home-directory copy and link files for the current label
writeaudit(1MTSOL)                write an audit record