Trusted Solaris Operating System - Technical FAQs

Question

What are things to watch out for when installing an application?

Answer

Several things can trip you up when you add an application:

  • Forgetting to make shared libraries trusted when an application needs privilege(s)

    When an application is given privileges, its dynamically-linked shared libraries must be trusted. See the FAQ on making libraries trusted.

  • Forgetting to set allowed privileges on the privileged program's executable.

    When an application or script is added to a profile and assigned some privileges, the executable file needs the same allowed privileges. See the FAQ on setting allowed privileges on executables.

  • Running a privileged installation program from a CD-ROM without setting allowed privileges when mounting the CD-ROM.

    If an installation program (application or script) uses any executables from the CD-ROM that need privileges, or if the installation program runs from the CD-ROM and needs privileges itself, the CD-ROM must be mounted with allowed privileges.

    To have the device allocation manager automatically mount the CD-ROM with allowed privileges, the security administrator can specify the allowed privileges for the CD-ROM in the vfstab_adjunct(4TSOL) file. See Procedure.

  • Forgetting to add a command to a profile when the command needs the trusted path attribute. Trusted Solaris 8 does not need this step because the trusted path is always asserted when a role runs a command.

    Read the FAQ about the trusted path WARNING and the trusted path requirement for certain commands. Listing a command in a profile allows it to run with the trusted path attribute.

    For how to add a command to an execution profile, see Use of the Profile Manager to Create or Modify Execution Profiles.

  • Forgetting to make sure that the Name Service Switch file entry for tsolprof has the appropriate ordering.

    The tsolprof entry in nsswitch.conf(4TSOL) must be set according to whether the NIS+ tsolprof map or the local tsolprof file is used.

    Name service        Acceptable entry
    No name service     tsolprof: files
    NIS+                tsolprof: nisplus


    See Procedure step 2.

Procedure

This procedure shows how to set up the installation of an application when its installation program(s) are on a CD-ROM and the program(s) need to be added to an execution profile, either because they need specific privilege(s), because they need to run with the trusted path, or both.

  1. Assume the admin role.
  2. Ensure that the tsolprof entry in the /etc/nsswitch.conf file is correct for the name service in use.
    1. Double-click the Application Manager icon in the right front panel. (The icon looks like a file drawer with a ruler, calculator, and pencil sticking up.)
    2. Double-click the System_Admin folder.
    3. Double-click the Name Service Switch action to open the /etc/nsswitch.conf file for editing.
    4. See the table in the answer above for the acceptable entries.
  3. Assume the secadmin role.
  4. In the Trusted Solaris 8 environment, go to an ADMIN_HIGH workspace. In earlier releases, go to an ADMIN_LOW workspace.
  5. To mount applications with allowed privileges, make an entry in the vfstab_adjunct file.
    1. Double-click the Application Manager icon.
    2. Double-click the System_Admin folder.
    3. Double-click the Set Mount Attributes action to open the /etc/security/tsol/vfstab_adjunct file for editing.
    4. Make an entry like the following entry in the vfstab_adjunct file. allowed=all is the broadest setting; a narrower allowed set limits which privileges any executable on the CD-ROM can be granted through a profile.
      /cdrom/cdrom0; \
      allowed=all;
    5. Write and quit the file.

      :wq
  6. Use the Device Allocation Manager to allocate the device, and answer Yes when asked if you want the CD-ROM to be mounted.

    Do you want cdrom_0 mounted: (y/n)? y
  7. Modify the appropriate profile.
    1. Launch the Profile Manager and load the profile.
    2. From the Profile Manager View menu, choose Commands.
    3. In the Pathname: field, enter the pathname where the CD-ROM is mounted, and click the "Add to" button.

      Add to Pathname: /cdrom/cdrom0
    4. In the list of excluded commands, double-click the name of the /cdrom/cdrom0 directory to expand the list of commands it contains.
    5. Add the installation commands that need to inherit privileges (or, for Trusted Solaris 2.5.1 or 7, that need to have the trusted path attribute).
      1. Click on a command to move it from the Excluded list to the Included list.
      2. Choose the Set Privileges button to bring up the Set Privileges dialog.
      3. Click on a privilege to move it to the Included list, and repeat until all the needed privileges are included.

        Suggested privileges for installation programs to succeed in all cases

        Number  Privilege
        2       file_chown
        4       file_dac_read
        5       file_dac_search
        6       file_dac_write
        10      file_mac_read
        11      file_mac_search
        12      file_mac_write
        14      file_owner
        15      file_setdac
        16      file_setid
        17      file_set_priv
        18      file_upgrade_il
        19      file_upgrade_sl
        50      proc_nofloat
        51      proc_owner
        53      proc_setid
        61      sys_devices
        66      sys_minfree
        71      sys_translabel

      4. Click the OK button.

    6. On the Profile Manager, choose Save Profile from the Profiles menu.
    7. Choose Close from the Profiles menu.
    8. If needed, assign the modified profile to the role that is doing the installation.
    9. Assume the role that has the modified profile.
    10. Start a new dtterm or command shell to take advantage of the changed profile.
    11. Enter the command name for the install program. For example:

      # workshop_install
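The following script is an added example written for this FAQ; it is not part of the original page and not Sun's code. It checks the two file-based points of the procedure (the tsolprof entry of step 2 and the allowed= attribute for the CD-ROM mount point of step 5) by parsing the files, so that the mistakes listed in the answer above are caught before the CD-ROM is allocated. The file paths are passed in as arguments (an assumption, so the checks can be run against copies of /etc/nsswitch.conf and /etc/security/tsol/vfstab_adjunct); the sample files the script creates are constructed for the example. It cannot check the privileges granted through the Profile Manager.

```shell
#!/bin/sh
# Added example for this FAQ (not Sun's code). Pre-flight checks for the
# tsolprof line in nsswitch.conf and the allowed= attribute of the CD-ROM
# mount point in vfstab_adjunct. Assumption: file paths are passed in so the
# checks can run against copies of the real files.

# check_tsolprof NSSWITCH_FILE EXPECTED
# Succeeds only if the tsolprof entry is exactly EXPECTED: "files" when no
# name service is used, "nisplus" when the NIS+ tsolprof map is used.
check_tsolprof() {
    entry=$(sed -n 's/^tsolprof:[[:space:]]*//p' "$1" | head -n 1 \
            | sed 's/[[:space:]]*$//')
    [ "$entry" = "$2" ]
}

# adjunct_allowed ADJUNCT_FILE MOUNTPOINT
# Prints the allowed= value of the vfstab_adjunct entry for MOUNTPOINT.
# Entries are "mountpoint; attr=value; ..." and may be continued with a
# trailing backslash, as in the entry shown in the procedure. Prints nothing
# if the mount point has no entry or the entry sets no allowed privileges.
adjunct_allowed() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ { next }                  # comment line
        /\\[[:space:]]*$/ {                        # continuation line
            sub(/\\[[:space:]]*$/, ""); buf = buf $0; next
        }
        {
            line = buf $0; buf = ""
            n = split(line, f, ";")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[1])
            if (f[1] != mp) next
            for (i = 2; i <= n; i++) {
                gsub(/[[:space:]]/, "", f[i])
                if (f[i] ~ /^allowed=/) { sub(/^allowed=/, "", f[i]); print f[i]; exit }
            }
        }' "$1"
}

# write_samples DIR
# Writes constructed sample files (not copies of any real system): a host
# that uses local files, and the CD-ROM entry from the procedure above.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files
tsolprof:   files
hosts:      files dns
EOF
    cat > "$1/vfstab_adjunct" <<'EOF'
# let privileged installation programs run from the CD-ROM
/cdrom/cdrom0; \
    allowed=all;
EOF
}

# Stand-alone run against the constructed samples.
main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    if check_tsolprof "$dir/nsswitch.conf" files; then
        echo "nsswitch.conf: tsolprof entry OK"
    else
        echo "nsswitch.conf: tsolprof entry is not 'files'; fix it before installing"
    fi
    allowed=$(adjunct_allowed "$dir/vfstab_adjunct" /cdrom/cdrom0)
    if [ -n "$allowed" ]; then
        echo "vfstab_adjunct: /cdrom/cdrom0 will be mounted with allowed=$allowed"
    else
        echo "vfstab_adjunct: no allowed= entry for /cdrom/cdrom0; privileged installers will fail"
    fi
    rm -rf "$dir"
}
main
```

To check a real host, call check_tsolprof and adjunct_allowed on /etc/nsswitch.conf and /etc/security/tsol/vfstab_adjunct (or copies of them) from a role that can read those files, using "nisplus" as the expected entry on NIS+ clients.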

Applies to Trusted Solaris Release:

2.5.1, 7, 8