1.Create user account
root@solaris:~# useradd -d /export/home/user1 -m user1
80 blocks
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
root@solaris:~# su - user1
Oracle Corporation SunOS 5.11 11.0 November 2011
user1@solaris:~$ pwd
/home/user1
user1@solaris:~$ exit
logout
To see user information
root@solaris:~# logins -x -l user1
user1 60005 staff 10
/home/user1
/usr/bin/bash
PS 120712 -1 -1 -1
root@solaris:~# cat /etc/passwd |grep user1
user1:x:60005:10::/home/user1:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep user1
user1:$5$J4sNmKst$IiHkgscUqzJJtuJpJTYk.Rc17TY.Dq8FJcgeIKfbFDB:15681::::::
3.To add group
root@solaris:~# groupadd -g 200 testgrp
root@solaris:~# cat /etc/group|grep testgrp
testgrp::200:
root@solaris:~# useradd -u 200 -g 200 -c "test user2" -d /export/home/user2 -k /etc/skel -s /bin/csh -m user2
80 blocks
root@solaris:~# passwd user2
New Password:
Re-enter new Password:
passwd: password successfully changed for user2
4.Add group2 as secondary group
root@solaris:~# groupadd group2
root@solaris:~# usermod -G group2 user2
Found user in files repository.
root@solaris:~# cat /etc/group |grep group2
group2::201:user2
root@solaris:~# su - user2
Oracle Corporation SunOS 5.11 11.0 November 2011
solaris% groups
testgrp group2
solaris% groups
testgrp group2
solaris% roles
No roles
solaris% profiles
Basic Solaris User
All
solaris% auths
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
solaris% ppriv -v $$
10867: -csh
flags = <none>
E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@solaris:~# logins -x -l user1
user1 60005 staff 10
/home/user1
/usr/bin/bash
PS 120712 -1 -1 -1
root@solaris:~# logins -x -l user2
user2 200 testgrp 200 test user2
/home/user2
/bin/csh
PS 120712 -1 -1 -1
5.To delete users
root@solaris:~# userdel -r user1
Found user in files repository.
root@solaris:~# userdel -r user2
Found user in files repository.
6.To see project for current user
root@solaris:~# id -p
uid=0(root) gid=0(root) projid=1(user.root)
7.To see primary and supplement users information
root@solaris:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@solaris:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@solaris:~# /usr/xpg4/bin/id -p
uid=0(root) gid=0(root) groups=1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon) projid=1(user.root)
root@solaris:~# /usr/xpg4/bin/id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
8.Outputs all different group IDs [effective, real and supplementary]
root@solaris:~# /usr/xpg4/bin/id -G
0 1 2 3 4 5 6 7 8 9 12
root@solaris:~# id -G
0 1 2 3 4 5 6 7 8 9 12
9.Outputs only the effective group ID
root@solaris:~# id -g
0
root@solaris:~# /usr/xpg4/bin/id -g
0
10.Outputs only the effective user ID
root@solaris:~# /usr/xpg4/bin/id -u
0
root@solaris:~# id -u
0
11.To check for passwordless users
root@solaris:~# logins -p
root@solaris:~# useradd -d /export/home/user1 -m user1
80 blocks
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
root@solaris:~# logins -p
To delete a user's password (the account then appears in logins -p as passwordless)
root@solaris:~# passwd -d user1
passwd: password information changed for user1
root@solaris:~# logins -p
user1 60005 staff 10
To check the password status
root@solaris:~# passwd -s user1
user1 NP
To lock a user's password
root@solaris:~# passwd -l user1
passwd: password information changed for user1
root@solaris:~# passwd -s user1
user1 LK
To unlock a user's password
root@solaris:~# passwd -u user1
passwd: password information changed for user1
root@solaris:~# passwd -s user1
user1 NP
login as: user1
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
login as: user1
Using keyboard-interactive authentication.
Password:
Last login: Wed Nov 7 09:28:09 2012 from 10.48.8.168
Oracle Corporation SunOS 5.11 11.0 November 2011
user1@solaris:~$
user1@solaris:~$ profiles
Basic Solaris User
All
user1@solaris:~$ clear
user1@solaris:~$ id -a
uid=60005(user1) gid=10(staff) groups=10(staff)
user1@solaris:~$ projects
default group.staff
root@solaris:~# cat /etc/passwd|grep user1
user1:x:60005:10::/home/user1:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep user1
user1:$5$vv/VlwvT$4VY//QHDCKSvriN69VSHXo4z2zhQVnvuz/W/p7089S0:15681::::::
root@solaris:~# cat /etc/group|grep testgrp
testgrp::200:
To change a user's primary group ID
root@solaris:~# usermod -g 201 user1
Found user in files repository.
UX: usermod: ERROR: user1 is in use. Cannot change it.    # this error is returned while the user is logged in
root@solaris:~# usermod -g 201 user1
To set and check a user's password aging (minimum days, maximum days, expiry warning days)
root@solaris:~# date
Friday, December 7, 2012 08:50:05 PM IST
root@solaris:~# passwd -n 5 -x 10 -w 7 user1
passwd: password information changed for user1
root@solaris:~# logins -x -l user1
user1 60005 group2 201
/home/user1
/usr/bin/bash
PS 120712 5 10 7
As root
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
As the user
user1@solaris:~$ passwd
passwd: Changing password for user1
Enter existing login password:
passwd: Sorry: less than 5 days since the last change.
Permission denied
root@solaris:~# date
Friday, December 7, 2012 08:55:25 PM IST
root@solaris:~# date 121322222012
Thursday, December 13, 2012 10:22:00 PM IST
To convert the last-password-change field of /etc/shadow (a count of days since the 1970 epoch) into a date
root@solaris:~# perl -e 'print scalar localtime(15681* 24 *3600)';
Fri Dec 7 05:30:00 2012
root@solaris:~# logins -x -l user1
user1 60005 group2 201
/home/user1
/usr/bin/bash
PS 120712 5 10 7
Note: from the last password change date and the maximum-days value we can calculate when the user's password will expire.
Default primary group in Solaris 11 is GID 10 (staff)
Default primary group in Solaris 10 is GID 1 (other)
Switching from one group to another group:
root@solaris:~# logins -x -l sai
sai 60005 staff 10
/home/sai
/usr/bin/bash
PS 120912 -1 -1 -1
root@solaris:~# id -a sai
uid=60005(sai) gid=10(staff) groups=200(testgrp),201(group2)
root@solaris:~# su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ ls
local.cshrc local.login local.profile
sai@solaris:~$ ls -l
total 6
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
sai@solaris:~$ touch a
sai@solaris:~$ ls
a local.cshrc local.login local.profile
sai@solaris:~$ newgrp testgrp
sai@solaris:~$ touch b
sai@solaris:~$ ls -lrth
total 8
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 0 Dec 10 00:21 a
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:22 b
To assign a password to a group:
1. Edit /etc/group manually and copy a password hash into the group's password field (note that /etc/group is readable by every local user, so the hash is exposed there).
2. If the target group is one of the user's supplementary groups, newgrp does not ask for the password.
3. If the target group is not a supplementary group, newgrp asks for the group password.
root@solaris:~# su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ newgrp newtest
newgrp: Password:
sai@solaris:~$ touch third party
sai@solaris:~$ ls -l
total 12
-rw-r--r-- 1 sai staff 0 Dec 10 00:21 a
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:22 b
-rw-r--r-- 1 sai group2 0 Dec 10 00:26 c
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:27 d
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
-rw-r--r-- 1 sai newtest 0 Dec 10 00:32 party
-rw-r--r-- 1 sai newtest 0 Dec 10 00:32 third
How to change default user information:
root@solaris:/etc/skel# useradd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris# useradd -D -g newtest
group=newtest,202 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris:# ls
local.cshrc local.login local.profile
root@solaris:/etc/skel# cat /usr/sadm/defadduser
# Default values for useradd. Changed Mon Dec 10 00:45:30 2012
defgroup=202
defgname=newtest
defparent=/export/home
defskel=/etc/skel
defshell=/usr/bin/bash
definact=0
defexpire=
defauthorization=
defrole=
defprofile=
defproj=3
defprojname=default
deflimitpriv=
defdefaultpriv=
deflock_after_retries=
ex:
root@solaris# useradd -D -g 10
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris# cat /usr/sadm/defadduser
# Default values for useradd. Changed Mon Dec 10 00:48:22 2012
defgroup=10
defgname=staff
defparent=/export/home
defskel=/etc/skel
defshell=/usr/bin/bash
definact=0
defexpire=
defauthorization=
defrole=
defprofile=
defproj=3
defprojname=default
deflimitpriv=
defdefaultpriv=
deflock_after_retries=
Restricted shell:
#ls -l /usr/lib/rsh
lrwxrwxrwx 1 root root 12 Oct 29 16:08 /usr/lib/rsh -> ../bin/ksh93
#useradd -s /usr/lib/rsh -m ruser
80 blocks
#passwd ruser
New Password:
Re-enter new Password:
passwd: password successfully changed for ruser
#su - ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ -rsh[1]: /dev/null: restricted
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ pwd
/home/ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ bash
ruser@solaris:~$ cd
ruser@solaris:~$ cd /tmp
ruser@solaris:/tmp$ echo $SHELL
/usr/lib/rsh
ruser@solaris:/tmp$ echo $0
bash
ruser@solaris:/tmp$
Note: the restricted shell is not a security boundary — as shown above, once the user starts another shell (bash) none of the restrictions apply, so it must not be relied on as the only access control.
Using the Secure by Default Configuration
#netservices limited
restarting svc:/system/system-log:default
restarting svc:/network/smtp:sendmail
#
#netservices open
restarting svc:/system/system-log:default
restarting svc:/network/smtp:sendmail
Setuid:
#ls -l /usr/sbin/format
-r-sr-xr-x 1 root bin 248012 Oct 21 2011 /usr/sbin/format
#chmod u+s /usr/sbin/format
#ls -l /usr/sbin/format
-r-sr-xr-x 1 root bin 248012 Oct 21 2011 /usr/sbin/format
#su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
sai@solaris:~$ exit
logout
#su - ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ -rsh[1]: /dev/null: restricted
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ exit
Note: the setuid bit applies to every user who can execute the file, including the restricted-shell user shown above; the login shell gives no protection against it.
Setgid:
# mkdir /test
root@solaris:~# ls -ld /test
drwxr-xr-x 2 root root 2 Dec 12 11:44 /test
root@solaris:~# chmod g+s /test
root@solaris:~# ls -ld /test
drwxr-sr-x 2 root root 2 Dec 12 11:44 /test
root@solaris:~# chmod 777 /test
root@solaris:~# ls
root@solaris:~# ls -ld /test
drwxrwsrwx 2 root root 2 Dec 12 11:44 /test
su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ cd /test
test@solaris:/test$ touch a bc
test@solaris:/test$ ls
a bc
test@solaris:/test$ ls -l
total 2
-rw-r--r-- 1 test root 0 Dec 12 11:46 a
-rw-r--r-- 1 test root 0 Dec 12 11:46 bc
test@solaris:/test$ exit
logout
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /central
-bash: cd: /central: No such file or directory
test2@solaris:~$ cd /test
test2@solaris:/test$ ls
a bc
test2@solaris:/test$ touch aa bb
test2@solaris:/test$ ls -l
total 4
-rw-r--r-- 1 test root 0 Dec 12 11:46 a
-rw-r--r-- 1 test2 root 0 Dec 12 11:47 aa
-rw-r--r-- 1 test2 root 0 Dec 12 11:47 bb
-rw-r--r-- 1 test root 0 Dec 12 11:46 bc
Sticky bit:
root@solaris:~# mkdir /sticky
root@solaris:~# chmod 777 /sticky
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /sticky
test2@solaris:/sticky$ cat > a
this is created by test2 user
test2@solaris:/sticky$ exit
logout
root@solaris:~# su - test3
Oracle Corporation SunOS 5.11 11.0 November 2011
test3@solaris:~$ cd /sticky
test3@solaris:/sticky$ cat >> a
-bash: a: Permission denied
test3@solaris:/sticky$ ls -l
total 2
-rw-r--r-- 1 test2 staff 30 Dec 12 11:51 a
test3@solaris:/sticky$ cat test2
cat: cannot open test2: No such file or directory
test3@solaris:/sticky$ ls
a
test3@solaris:/sticky$ rm a
rm: a: override protection 644 (yes/no)? yes
test3@solaris:/sticky$ ls
test3@solaris:/sticky$ cat > a
this is created by test3
test3@solaris:/sticky$ exit
logout
root@solaris:~# chmod +t /sticky
root@solaris:~# ls -ld /sticky/
drwxrwxrwt 2 root root 4 Dec 12 11:53 /sticky/
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /sticky
test2@solaris:/sticky$ cat >b
this is by test2
test2@solaris:/sticky$ exit
logout
root@solaris:~# su - test3
Oracle Corporation SunOS 5.11 11.0 November 2011
test3@solaris:~$ cd /sticky
test3@solaris:/sticky$ ls
a b
test3@solaris:/sticky$ ls -l
total 3
-rw-r--r-- 1 test3 staff 25 Dec 12 11:52 a
-rw-r--r-- 1 test2 staff 17 Dec 12 11:53 b
test3@solaris:/sticky$ rm b
rm: b: override protection 644 (yes/no)? yes
rm: b not removed: Permission denied
Example 3-1 Displaying a User's Login Status
In the following example, the login status for the user jdoe is displayed.
# logins -x -l jdoe
jdoe 500 staff 10 Jaylee Jaye Doe
/home/jdoe
/bin/bash
PS 010103 10 7 -1
jdoe
Identifies the user's login name.
500
Identifies the user ID (UID).
staff
Identifies the user's primary group.
10
Identifies the group ID (GID).
Jaylee Jaye Doe
Identifies the comment.
/home/jdoe
Identifies the user's home directory.
/bin/bash
Identifies the login shell.
PS 010170 10 7 -1
Specifies the password aging information:
• Last date that the password was changed
• Number of days that are required between changes
• Number of days before a change is required
• Warning period
Temporarily disable user logins:
#touch /etc/nologin
#cat >/etc/nologin
User login in temporarly disable
Ctrl+D
Default File Permissions (umask)
The user mask contains the following octal values:
• The first digit sets permissions for the user
• The second digit sets permissions for group
• The third digit sets permissions for other, also referred to as world
Default umask value is 0022
How to Change Account Defaults For All Roles:
root@solaris:~# roleadd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/opt shell=/usr/bin/pfbash inactive=0
expire= auths= profiles=All limitpriv=
defaultpriv= lock_after_retries= roleauth=role
root@solaris:~# roleadd -D -k /etc/skel
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/pfbash inactive=0
expire= auths= profiles=All limitpriv=
defaultpriv= lock_after_retries= roleauth=role
root@solaris:~# ls -l /usr/sadm/defaddrole
-rw-r--r-- 1 root root 313 Dec 12 09:10 /usr/sadm/defaddrole
Create users on shared file system:
root@solaris:~# svcs autofs
STATE STIME FMRI
online Dec_10 svc:/system/filesystem/autofs:default
root@solaris:~# zpool create users c3t1d0
#zfs set sharenfs=on users
root@solaris:~# useradd -d /users/test -m test
80 blocks
root@solaris:~# passwd test
New Password:
Re-enter new Password:
passwd: password successfully changed for test
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
root@solaris:~# logins -x -l test
test 60007 staff 10
/home/test
/usr/bin/bash
PS 121212 -1 -1 -1
root@solaris:~# useradd -d /export/home/test2 -m test2
80 blocks
root@solaris:~# passwd test2
New Password:
Re-enter new Password:
passwd: password successfully changed for test2
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
test2:x:60008:10::/home/test2:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
test2:$5$JVm8ei7z$.gduufngK1NCb6rfdE.gkrWFjJOJ6Mn.wPLc7nzv2y.:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
test2 localhost:/export/home/test2
root@solaris:~# useradd -d localhost:/users/test3 -m test3
80 blocks
root@solaris:~# passwd test3
New Password:
Re-enter new Password:
passwd: password successfully changed for test3
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
test2:x:60008:10::/home/test2:/usr/bin/bash
test3:x:60009:10::/home/test3:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
test2:$5$JVm8ei7z$.gduufngK1NCb6rfdE.gkrWFjJOJ6Mn.wPLc7nzv2y.:15686::::::
test3:$5$jSxzUbdP$P/G/BPR6qw95fT3qegXalY7aI1zWHiQsQJAalI4FUP9:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
test2 localhost:/export/home/test2
test3 localhost:/users/test3
How to monitor failed login attempts:
root@solaris:~# ls -l /var/adm/loginlog
/var/adm/loginlog: No such file or directory
root@solaris:~# touch /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw-r--r-- 1 root root 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# chgrp sys /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw-r--r-- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# chmod 600 /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# cat /var/adm/loginlog
root@solaris:~# telnet IP
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
root@solaris:~# cat /var/adm/loginlog
ruser:/dev/pts/2:Wed Dec 12 10:05:49 2012
ruser:/dev/pts/2:Wed Dec 12 10:05:59 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:09 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:17 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:25 2012
How to Monitor All Failed Login Attempts:
#vi /etc/default/login
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
root@solaris:~# ls -l /var/adm/authlog
/var/adm/authlog: No such file or directory
root@solaris:~# touch /var/adm/authlog
root@solaris:~# chmod 600 /var/adm/authlog
root@solaris:~# ls -l /var/adm/authlog
-rw------- 1 root root 0 Dec 12 10:15 /var/adm/authlog
root@solaris:~# chgrp sys /var/adm/authlog
root@solaris:~# ls -l /var/adm/authlog
-rw------- 1 root sys 0 Dec 12 10:15 /var/adm/authlog
root@solaris:~# vi /etc/syslog.conf
auth.notice ifdef(`LOGHOST', /var/adm/authlog, @loghost)
================OR=================
auth.notice<Tab>/var/adm/authlog    (the selector and the action must be separated by a Tab character, not spaces)
root@solaris:~# svcadm restart system-log
root@solaris:~# cat /var/adm/authlog
Dec 12 10:23:26 solaris login: [ID 507249 auth.notice] Login failure on /dev/pts/3 from solaris, ruser
Dec 12 10:23:53 solaris login: [ID 507249 auth.notice] Login failure on /dev/pts/3 from solaris, test
How to lock a user account after repeated failed login attempts:
#vi /etc/security/policy.conf
change LOCK_AFTER_RETRIES=NO to LOCK_AFTER_RETRIES=YES
:wq!
Then set RETRIES (and SYSLOG_FAILED_LOGINS) in /etc/default/login; after that many consecutive failed attempts the account is locked (shown as LK by logins -x).
Ex:
root@solaris:/etc/security# vi /etc/security/policy.conf
LOCK_AFTER_RETRIES=YES
root@solaris:# vi /etc/default/login
RETRIES=3
root@solaris:/etc/security# logins -x -l test2
test2 60008 staff 10
/home/test2
/usr/bin/bash
PS 121212 -1 -1 -1
root@solaris:/etc/security# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: test2
Password:
Login incorrect
login: test2
Password:
Login incorrect
login: test2
Password:
Login incorrect
Connection to 0 closed by foreign host.
root@solaris:/etc/security# logins -x -l test2
test2 60008 staff 10
/home/test2
/usr/bin/bash
LK 121212 -1 -1 -1
How to Monitor Who Is Using the su Command:
The sulog file lists every use of the switch user (su) command, not only the su attempts that are used to switch from user to root.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
• Monitor the contents of the /var/adm/sulog file on a regular basis.
# more /var/adm/sulog
SU 12/20 16:26 + pts/0 stacey-root
SU 12/21 10:59 + pts/0 stacey-root
SU 01/12 11:11 + pts/0 root-rimmer
SU 01/12 14:56 + pts/0 jdoe-root
SU 01/12 14:57 + pts/0 jdoe-root
The entries display the following information:
o The date and time that the command was entered.
o If the attempt was successful. A plus sign (+) indicates a successful attempt. A minus sign (-) indicates an unsuccessful attempt.
o The port from which the command was issued.
o The name of the user and the name of the switched identity.
The su logging in this file is enabled by default through the following entry in the /etc/default/su file:
SULOG=/var/adm/sulog
How to Restrict and Monitor root Logins:
1. Uncomment CONSOLE=/dev/console in /etc/default/login so that root can log in only on the console.
2. Verify that root cannot log in remotely (both CLI and GUI logins).
3. Monitor su attempts to become root in /var/adm/sulog.
Controlling Access to System Hardware (Tasks):
1.In a terminal window, type the PROM security mode.
#eeprom security-mode=command
Changing PROM password:
New password: <Type password>
2.To change the PROM password, type the following command:
# eeprom security-password= Press Return
Changing PROM password:
New password: <Type password>
Note: Do not forget the PROM password; the hardware is unusable without it.
How to change keyboard layout:
root@solaris:~# kbd -s
USB keyboard
1. Albanian 25. Latin-American
2. Arabic 26. Lithuanian
3. Belarusian 27. Latvian
4. Belgian 28. Macedonian
5. Brazilian 29. Malta_UK
6. Bulgarian 30. Malta_US
7. Canadian-Bilingual 31. Norwegian
8. Croatian 32. Polish
9. Czech 33. Portuguese
10. Danish 34. Romanian
11. Dutch 35. Russian
12. Dvorak 36. Serbia-And-Montenegro
13. Estonian 37. Slovak
14. Finnish 38. Slovenian
15. French 39. Spanish
16. French-Canadian 40. Swedish
17. Hungarian 41. Swiss-French
18. German 42. Swiss-German
19. Greek 43. Traditional-Chinese
20. Icelandic 44. TurkishF
21. Italian 45. TurkishQ
22. Japanese-type6 46. UK-English
23. Japanese 47. US-English
24. Korean
To select the keyboard layout, enter a number [default 47]:
How to Disable a System's Abort Sequence:
To permanently change the software default effect of the keyboard abort sequence, first add or change the value of the keymap/keyboard_abort property in the keymap service to:
#svc:/system/keymap:default
svccfg -s keymap:default setprop keymap/keyboard_abort=disable
$ svcadm refresh keymap
2.Displaying Information: The following example displays keyboard type and layout code. It also displays auto repeat delay and rate settings.
# kbd -l
type=6
layout=33 (0x21)
delay(ms)=500
rate(ms)=40
root@solaris:~# kbd -D 100
root@solaris:~# kbd -R 50
root@solaris:~# kbd -l
type=6
layout=33 (0x21)
delay(ms)=100
rate(ms)=50
root@solaris:~# kbd -t
USB keyboard
root@solaris:~# kbd -i
kbd ioctl (keyclick): Invalid argument
root@solaris:~# kbd -l
type=6
layout=33 (0x21)
delay(ms)=500
rate(ms)=40
Note: to make the settings permanent, edit the keymap service properties:
#svccfg -s keymap:default setprop keymap/keyboard_abort=alternate
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/keyboard_abort=enable
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/repeate_delay=500
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/repeate_rate=40
#svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/layout=Spanish
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/kbd_beeper_freq=2000
#svcadm refresh keymap
Enables, disables, or alternates the keyboard abort sequence effect. By default, a keyboard abort sequence suspends the operating system on most systems. This sequence is typically Stop-A or L1-A and Shift-Pause on the keyboard on SPARC systems, F1-A and Shift-Pause on x86 systems, and BREAK on the serial console device. The default keyboard behavior can be changed using this option. The -a option can only be used by a super user.
enable Enables the default effect of the keyboard abort sequence (suspend the operating system and enter the debugger or the monitor).
disable Disables the default/alternate effect and ignores keyboard abort sequences.
alternate Enables the alternate effect of the keyboard abort sequences (suspend the operating system and enter the debugger or the monitor) upon receiving the Alternate Break character sequence on the console. The Alternate Break sequence is defined by the drivers zs(7D), se(7D), asy(7D). Due to a risk of incorrect sequence interpretation, binary protocols cannot be run over the serial console port when this value is used.
RBAC:
The root role cannot log in. You must log in as the user you created during the installation. After you log in, you can assume the root role to configure the system. To assume the role, open a terminal window and use the su - root command.
• You can change the root role to a user account that can log in. To change root to a user, type the following command in a terminal window:
# rolemod -K type=normal root
root@solaris:~# cat /etc/user_attr|grep root
venkat::::type=normal;lock_after_retries=no;profiles=System Administrator;roles=root
root::::type=role
#rolemod -K type=normal root
Found user in files repository.
How to convert the root account back into a role:
root@solaris:~# usermod -K type=role root
Found user in files repository.
UX: usermod: root is currently logged in, some changes may not take effect until next login.
root@solaris:~# cat /etc/user_attr
#
# The system provided entries are stored in different files
# under "/etc/user_attr.d". They should not be copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
venkat::::type=normal;lock_after_retries=no;profiles=System Administrator;roles=root
root::::type=role
To list all authorizations:
getent auth_attr|more
solaris.smf.value.tcsd:::Change TPM Administation value properties::
solaris.smf.manage.tcsd:::Manage TPM Administration service states::
solaris.smf.manage.dhcp:::Manage ISC DHCP Server and Relay Agent Service States::help=SmfDHCPStates.html
.
.
List all rights profiles:
getent prof_attr
DTrace Toolkit::::
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
……….
List all commands with security attributes:
# getent exec_attr|more
DTrace Toolkit:solaris:cmd:::/usr/dtrace/DTT/*/*:privs=dtrace_kernel,dtrace_proc,dtrace_user
All:solaris:cmd:RO::*:
Audit Control:solaris:cmd:RO::/usr/sbin/audit:privs=proc_owner,sys_audit
Audit Configuration:solaris:cmd:RO::/usr/sbin/auditconfig:privs=sys_audit
Audit Review:solaris:cmd:RO::/usr/sbin/auditreduce:euid=0
How to view a user's assigned rights:
1)authorizations
2)profiles
3)roles
4)privileges
$auths
solaris.account.activate,solaris.admin.wusb.read,solaris.device.*,solaris.group.manage,solaris.hotplug.*,solaris.jobs.*,solaris.label.range,so
……….
$ profiles
System Administrator
LDoms Management
Audit Review
Printer Management
$ profiles -l    # detailed listing
System Administrator
profiles=LDoms Manage
$ roles
Root
$ ppriv -vl basic
file_link_any
Allows a process to create hardlinks to files owned by a uid
different from the process' effective uid.
…….
venkat@solaris:~$ auths root
solaris.*
venkat@solaris:~$ auths test
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
venkat@solaris:~$ profiles test
test:
Basic Solaris User
All
venkat@solaris:~$ profiles -l test
test:
Basic Solaris User
auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
profiles=All
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
All
*
venkat@solaris:~$ ppriv $$
12926: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
To create a custom rights profile and a role that uses it:
root@solaris:~# cat /etc/security/prof_attr
#
# The system provided entries are stored in different files
# under "/etc/security/prof_attr.d". They should not be
# copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
test::::
root@solaris:~# cat /etc/security/exec_attr
#
# The system provided entries are stored in different files
# under "/etc/security/exec_attr.d". They should not be
# copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
test:solaris:cmd:::/usr/sbin/format:euid=0
root@solaris:~# roleadd -d /users/role1 -m role1
80 blocks
root@solaris:~# rolemod -P test role1
Found user in files repository.
root@solaris:~# usermod -R role1 test2
Found user in files repository.
root@solaris:~# roles test2
role1
root@solaris:~# profiles test2
test2:
Basic Solaris User
All
root@solaris:~# profiles -l test2
test2:
Basic Solaris User
auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
profiles=All
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
All
*
root@solaris:~# auths test2
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
root@solaris:~# passwd role1
New Password:
Re-enter new Password:
passwd: password successfully changed for role1
root@solaris:~# ppriv $$
13140: -bash
flags = <none>
E: all
I: basic
P: all
L: all
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ profiles
Basic Solaris User
All
test2@solaris:~$ roles
role1
test2@solaris:~$ su - role1
Password:
Oracle Corporation SunOS 5.11 11.0 November 2011
role1@solaris:~$ echo $0
-bash
role1@solaris:~$ auths
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
role1@solaris:~$ profiles
test
Basic Solaris User
All
role1@solaris:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
role1@solaris:~$
role1@solaris:~$ exit
logout
test2@solaris:~$ echo $0
-bash
test2@solaris:~$ exit
logout
How to Disable Programs From Using Executable Stacks:
Edit the /etc/system file, and add the following line:
set noexec_user_stack=1
# reboot
Disabling the Logging of Executable Stack Messages:
#cat /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=0
# reboot
ACLs on ZFS:
1.#mkdir /test
#chmod 777 /test
# cd /test
# cat >file1
this is file one
# cat file1
this is file one
# chmod 600 file1
# su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ cd /test
test@solaris:/test$ ls
file1
test@solaris:/test$ cat file1
cat: cannot open file1: Permission denied
# cd /test
root@solaris:/test# ls
file1
root@solaris:/test# ls -v
total 2
-rw------- 1 root root 17 Dec 12 16:33 file1
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
1:group@:read_xattr/read_attributes/read_acl/synchronize:allow
2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
# chmod A=user::rw-,group::---,other::---,mask::rwx,user:test:r-- file1
ls -v
total 2
-rw-------+ 1 root root 17 Dec 12 16:33 file1
0:owner@:read_data/write_data/append_data/read_attributes
/write_attributes/read_acl/write_acl/synchronize:allow
1:owner@:execute:deny
2:user:test:write_attributes/write_acl:deny
3:user:test:read_data/read_attributes/read_acl/synchronize:allow
4:user:test:write_data/append_data/execute/write_attributes/write_acl
:deny
5:group@:write_attributes/write_acl:deny
6:group@:read_attributes/read_acl/synchronize:allow
7:group@:read_data/write_data/append_data/execute/write_attributes
/write_acl:deny
8:everyone@:read_attributes/read_acl/synchronize:allow
9:everyone@:read_data/write_data/append_data/execute/write_attributes
/write_acl:deny
su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ ls
local.cshrc local.login local.profile
test@solaris:~$ cat /test/file1
this is file one
sudo users:
bash-4.1# cd /var/log
-bash-4.1# ls
authlog cups install pool syslog syslog.1 zones
beadm ilomconfig pkg snmpd.log syslog.0 syslog.2
#touch sudolog
-bash-4.1# chown root:sys sudolog
#visudo or #vi /etc/sudoers
Defaults logfile=/var/log/sudolog
:wq
#cat /var/log/sudolog
Dec 13 10:07:40 : root : TTY=pts/1 ; PWD=/etc/sudoers.d ; USER=root ; COMMAND=/usr/bin/ls
Dec 13 10:07:49 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ; COMMAND=/usr/bin/ls
Dec 13 10:07:58 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/ls -l /
Dec 13 10:09:24 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/ls -l /etc/sudoers.d/
Dec 13 10:14:48 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/su -
To assign full sudo privileges to a normal user:
#vi /etc/sudoers
<User Name> ALL=(ALL) ALL
:wq
SWAP SPACE MANAGEMENT:
# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30348168k available
# zfs list
rpool/swap 4.13G 43.7G 4.00G -
-bash-4.1# zfs set volsize=8g rpool/swap
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30346472k available
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
-bash-4.1# zfs list
rpool/swap 8.25G 39.7G 8.00G -
-bash-4.1# zfs set volsize=4g rpool/swap
-bash-4.1# zfs list rpool/swap
NAME USED AVAIL REFER MOUNTPOINT
rpool/swap 4.13G 43.7G 4.00G -
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30344432k available
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
Adding swap:
-bash-4.1# zfs create -V 1g rpool/swap1
-bash-4.1# swap -a /dev/zvol/dsk/rpool/swap1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
-bash-4.1# swap -s
total: 144744k bytes allocated + 10720k reserved = 155464k used, 31384464k available
========
-bash-4.1# zfs create -V 2g users/swap2
#zfs set dedup=off users/swap2
# zfs get all users
NAME PROPERTY VALUE SOURCE
users type filesystem -
users creation Wed Dec 12 9:16 2012 -
users used 2.06G -
users available 64.9G -
users referenced 35K -
users compressratio 1.00x -
users mounted yes -
users quota none default
users reservation none default
users recordsize 128K default
users mountpoint /users default
users sharenfs on local
users checksum on default
users compression off default
users atime on default
users devices on default
users exec on default
users setuid on default
users readonly off default
users zoned off default
users snapdir hidden default
users aclmode discard default
users aclinherit restricted default
users canmount on default
users xattr on default
users copies 1 default
users version 5 -
users utf8only off -
users normalization none -
users casesensitivity mixed -
users vscan off default
users nbmand off default
users sharesmb off default
users refquota none default
users refreservation none default
users primarycache all default
users secondarycache all default
users usedbysnapshots 0 -
users usedbydataset 35K -
users usedbychildren 2.06G -
users usedbyrefreservation 0 -
users logbias latency default
users dedup off default
users mlslabel none -
users sync standard default
users encryption off -
users keysource none default
users keystatus none -
users rekeydate - default
users rstchown on default
users shadow none -
-bash-4.1# swap -a /dev/zvol/dsk/users/swap2
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
/dev/zvol/dsk/users/swap2 228,11 16 4194288 4194288
-bash-4.1#
====
-bash-4.1# mkdir /swap/
-bash-4.1# cd /swap
-bash-4.1# ls
-bash-4.1# mkfile 2g swap
-bash-4.1# swap -a /swap/swap
"/swap/swap" may contain holes - can't swap on it.
-bash-4.1# lofiadm -a /swap/swap
/dev/lofi/1
-bash-4.1# swap -a /dev/lofi/1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
/dev/zvol/dsk/users/swap2 228,11 16 4194288 4194288
/dev/lofi/1 167,1 16 4194288 4194288
-bash-4.1#
Deleting a swap file:
-bash-4.1# swap -d /dev/lofi/1
-bash-4.1# lofiadm -d /swap/swap
-bash-4.1# rm /swap/swap
==
-bash-4.1# swap -d /dev/zvol/dsk/users/swap2
-bash-4.1# zfs destroy users/swap2
-bash-4.1# swap -d /dev/zvol/dsk/rpool/swap1
-bash-4.1# zfs destroy rpool/swap1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
===
Note: To make the swap entry permanent, add it to the /etc/vfstab file.
On a SPARC based system, create your swap area. Set the block size to 8 KB.
#zfs create -V 2G -b 8k rpool/swap1
On an x86 based system, create your swap area. Set the block size to 4 KB.
#zfs create -V 2G -b 4k rpool/swap1
#cat /etc/vfstab
/dev/zvol/dsk/rpool/swap - - swap - no -
CRASH DUMPS:
-bash-4.1# cat /etc/dumpadm.conf
#
# dumpadm.conf
#
# Configuration parameters for system crash dump.
# Do NOT edit this file by hand -- use dumpadm(1m) instead.
#
DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump
DUMPADM_SAVDIR=/var/crash
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=yes
DUMPADM_CSAVE=on
Services:
svc:/system/dumpadm:default
To see crash dump info:
bash-4.1# dumpadm
Dump content: kernel pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
To generate a crash dump online (live system):
bash-4.1# savecore -L
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
0:13 100% done
100% done: 195926 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:07:10 2012
savecore: Saving compressed system crash dump in /var/crash/vmdump.0
savecore: Decompress the crash dump with
'savecore -vf /var/crash/vmdump.0'
bash-4.1# cd /var/crash
-bash-4.1# ls
bounds vmdump.0
-bash-4.1# ls -lrth
total 632537
-rw-r--r-- 1 root root 2 Dec 13 12:07 bounds
-rw-r--r-- 1 root root 309M Dec 13 12:07 vmdump.0
To display in verbose mode:
bash-4.1# savecore -v
savecore: dump already processed
-bash-4.1# savecore -Lv
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
0:20 100% done
100% done: 196132 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:11:58 2012
savecore: Saving compressed system crash dump in /var/crash/vmdump.1
savecore: Copying /dev/zvol/dsk/rpool/dump to /var/crash/vmdump.1
savecore: Decompress the crash dump with
'savecore -vf /var/crash/vmdump.1'
0:28 dump copy is done
1.After the system reboots, log in as the root user.
2.Clear out the savecore directory, typically, /var/crash/, by removing existing crash dump files that have already been sent to your service provider.
3. Alternatively, you can manually run the savecore command to specify an alternate directory that has sufficient disk space.
bash-4.1# savecore /dumpdir
How to Force a Crash Dump and Reboot of the System
1. Bring the system to the ok PROM prompt.
2. Synchronize the file systems and write the crash dump.
> n
ok sync
After the crash dump is written to disk, the system will continue to reboot.
3. Verify that the system boots to run level 3.
The login prompt is displayed when the boot process has finished successfully.
hostname console login:
SPARC: Forcing a Crash Dump and Reboot of a System by Using the halt -d Command
This example shows how to force a crash dump and reboot of the system by using the halt -d and boot commands.
#halt -d
SPARC: Booting a System With the Kernel Debugger (kmdb) Enabled
Ok boot kmdb
===
-bash-4.1# dumpadm
Dump content: kernel pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -c all
Dump content: all pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -c curproc
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -m 20%
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -y
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -n
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: no
Save compressed: on
-bash-4.1# dumpadm -y
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -z off
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: off
-bash-4.1# dumpadm -z on
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# savecore -L v
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel + curproc
0:15 100% done
100% done: 196385 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:32:08 2012
savecore: chdir("v"): No such file or directory
#ls -l /var/crash
-rw-r--r-- 1 root root 2 Dec 13 12:12 bounds
-rw------- 1 root root 8 Dec 13 12:29 minfree
-rw-r--r-- 1 root root 323551232 Dec 13 12:07 vmdump.0
-rw-r--r-- 1 root root 324861952 Dec 13 12:12 vmdump.1
dumpadm
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -s /swap
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /swap
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -s /var/crash
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
#zfs create -V 20g rpool/dump1
#dumpadm -d /dev/zvol/dsk/rpool/dump1
#dumpadm
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
CORE DUMPS:
bash-4.1# svcs coreadm
STATE STIME FMRI
online 16:52:30 svc:/system/coreadm:default
TO SEE COREDUMP INFORMATION
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
TO INITIATE CORE DUMPS:
Variable Name Variable Definition
%d Executable file directory name, up to a maximum of MAXPATHLEN characters
%f Executable file name, up to a maximum of MAXCOMLEN characters
%g Effective group ID
%m Machine name (uname -m)
%n System node name (uname -n)
%p Process ID
%t Decimal value of time(2)
%u Effective user ID
%z Name of the zone in which process is executed (zonename)
%% Literal %
global
Allow core dumps that use global core pattern.
global-setid
Allow set-id core dumps that use global core pat-
tern.
log
Generate a syslog(3C) message when generation of a
global core file is attempted.
process
Allow core dumps that use per-process core pattern.
proc-setid
Allow set-id core dumps that use per-process core
pattern.
Multiple -e and -d options can be specified on the
command line. Only users and roles belonging to the
"Maintenance and Repair" RBAC profile can use this
option.
-bash-4.1# coreadm -i /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
-bash-4.1# sleep 1000&
[1] 14392
-bash-4.1# jobs
[1]+ Running sleep 1000 &
-bash-4.1# kill -8 14392
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
[1]+ Arithmetic Exception sleep 1000
bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
to enable process dumps
-bash-4.1# coreadm -e process
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
to enable global dumps:
-bash-4.1# coreadm -e global
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
bash-4.1# coreadm -e global -g /var/core/core.%f.%p
-bash-4.1# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
-bash-4.1# svcadm restart coreadm
-bash-4.1# svcs coreadm
STATE STIME FMRI
online 16:41:08 svc:/system/coreadm:default
-bash-4.1# cd /var/core
-bash-4.1# ls
core.sleep.14460
to change content type:
bash-4.1# coreadm -G all -g /var/cores/%d/%f.%p.%n
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
to enable global-setuid cores:
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
-bash-4.1# coreadm -e global-setid -g /var/cores/%d/%f.%p.%n
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: disabled
global core dump logging: disabled
to enable proc-setuid cores:
-bash-4.1# coreadm -e proc-setid
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: enabled
global core dump logging: disabled
to enable global-log cores:
-bash-4.1# coreadm -e log
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: enabled
global core dump logging: enabled
How to configure the GUI in Solaris 11:
#pkg install pkg://solaris/group/system/solaris-desktop
#pkg install system/locale/extra
-bash-4.1# cat /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
[security]
[xdmcp]
Port=177
DisplaysPerHost=1
Enable=true
HonorIndirect=true
[greeter]
[chooser]
[debug]
#Reboot server
#init 6
root@solaris:~# useradd -d /export/home/user1 -m user1
80 blocks
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
root@solaris:~# su - user1
Oracle Corporation SunOS 5.11 11.0 November 2011
user1@solaris:~$ pwd
/home/user1
user1@solaris:~$ exit
logout
To see user information
root@solaris:~# logins -x -l user1
user1 60005 staff 10
/home/user1
/usr/bin/bash
PS 120712 -1 -1 -1
root@solaris:~# cat /etc/passwd |grep user1
user1:x:60005:10::/home/user1:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep user1
user1:$5$J4sNmKst$IiHkgscUqzJJtuJpJTYk.Rc17TY.Dq8FJcgeIKfbFDB:15681::::::
3.To add group
root@solaris:~# groupadd -g 200 testgrp
root@solaris:~# cat /etc/group|grep testgrp
testgrp::200:
root@solaris:~# useradd -u 200 -g 200 -c "test user2" -d /export/home/user2 -k /etc/skel -s /bin/csh -m user2
80 blocks
root@solaris:~# passwd user2
New Password:
Re-enter new Password:
passwd: password successfully changed for user2
4.Add group2 as secondary group
root@solaris:~# groupadd group2
root@solaris:~# usermod -G group2 user2
Found user in files repository.
root@solaris:~# cat /etc/group |grep group2
group2::201:user2
root@solaris:~# su - user2
Oracle Corporation SunOS 5.11 11.0 November 2011
solaris% groups
testgrp group2
solaris% groups
testgrp group2
solaris% roles
No roles
solaris% profiles
Basic Solaris User
All
solaris% auths
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
solaris% ppriv -v $$
10867: -csh
flags = <none>
E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@solaris:~# logins -x -l user1
user1 60005 staff 10
/home/user1
/usr/bin/bash
PS 120712 -1 -1 -1
root@solaris:~# logins -x -l user2
user2 200 testgrp 200 test user2
/home/user2
/bin/csh
PS 120712 -1 -1 -1
5. To delete users
root@solaris:~# userdel -r user1
Found user in files repository.
root@solaris:~# userdel -r user2
Found user in files repository.
6.To see project for current user
root@solaris:~# id -p
uid=0(root) gid=0(root) projid=1(user.root)
7.To see primary and supplement users information
root@solaris:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@solaris:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@solaris:~# /usr/xpg4/bin/id -p
uid=0(root) gid=0(root) groups=1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon) projid=1(user.root)
root@solaris:~# /usr/xpg4/bin/id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
8.Outputs all different group IDs [effective, real and supplementary]
root@solaris:~# /usr/xpg4/bin/id -G
0 1 2 3 4 5 6 7 8 9 12
root@solaris:~# id -G
0 1 2 3 4 5 6 7 8 9 12
9.Outputs only the effective group ID
root@solaris:~# id -g
0
root@solaris:~# /usr/xpg4/bin/id -g
0
10.Outputs only the effective user ID
root@solaris:~# /usr/xpg4/bin/id -u
0
root@solaris:~# id -u
0
11.To check password less users
root@solaris:~# logins -p
root@solaris:~# useradd -d /export/home/user1 -m user1
80 blocks
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
root@solaris:~# logins -p
To delete password of a user
root@solaris:~# passwd -d user1
passwd: password information changed for user1
root@solaris:~# logins -p
user1 60005 staff 10
To check the status of a password
root@solaris:~# passwd -s user1
user1 NP
To lock a user's password
root@solaris:~# passwd -l user1
passwd: password information changed for user1
root@solaris:~# passwd -s user1
user1 LK
To unlock a user's password
root@solaris:~# passwd -u user1
passwd: password information changed for user1
root@solaris:~# passwd -s user1
user1 NP
login as: user1
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
login as: user1
Using keyboard-interactive authentication.
Password:
Last login: Wed Nov 7 09:28:09 2012 from 10.48.8.168
Oracle Corporation SunOS 5.11 11.0 November 2011
user1@solaris:~$
user1@solaris:~$ profiles
Basic Solaris User
All
user1@solaris:~$ clear
user1@solaris:~$ id -a
uid=60005(user1) gid=10(staff) groups=10(staff)
user1@solaris:~$ projects
default group.staff
root@solaris:~# cat /etc/passwd|grep user1
user1:x:60005:10::/home/user1:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep user1
user1:$5$vv/VlwvT$4VY//QHDCKSvriN69VSHXo4z2zhQVnvuz/W/p7089S0:15681::::::
root@solaris:~# cat /etc/group|grep testgrp
testgrp::200:
To change a user's group ID
root@solaris:~# usermod -g 201 user1
Found user in files repository.
UX: usermod: ERROR: user1 is in use. Cannot change it. /// this error appears if the user is currently logged in
root@solaris:~# usermod -g 201 user1
To check a user's password min days, max days and expiry date
root@solaris:~# date
Friday, December 7, 2012 08:50:05 PM IST
root@solaris:~# passwd -n 5 -x 10 -w 7 user1
passwd: password information changed for user1
root@solaris:~# logins -x -l user1
user1 60005 group2 201
/home/user1
/usr/bin/bash
PS 120712 5 10 7
As a root
root@solaris:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
As a user
user1@solaris:~$ passwd
passwd: Changing password for user1
Enter existing login password:
passwd: Sorry: less than 5 days since the last change.
Permission denied
root@solaris:~# date
Friday, December 7, 2012 08:55:25 PM IST
root@solaris:~# date 121322222012
Thursday, December 13, 2012 10:22:00 PM IST
To calculate the date of the last password change from the day count since the epoch (1970)
root@solaris:~# perl -e 'print scalar localtime(15681* 24 *3600)';
Fri Dec 7 05:30:00 2012
root@solaris:~# logins -x -l user1
user1 60005 group2 201
/home/user1
/usr/bin/bash
PS 120712 5 10 7
Note: Using the last password changed time we can calculate when the user's password will expire.
Default group in Solaris 11 is 10 (staff).
Default group in Solaris 10 is 1 (other).
Switching from one group to another group:
root@solaris:~# logins -x -l sai
sai 60005 staff 10
/home/sai
/usr/bin/bash
PS 120912 -1 -1 -1
root@solaris:~# id -a sai
uid=60005(sai) gid=10(staff) groups=200(testgrp),201(group2)
root@solaris:~# su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ ls
local.cshrc local.login local.profile
sai@solaris:~$ ls -l
total 6
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
sai@solaris:~$ touch a
sai@solaris:~$ ls
a local.cshrc local.login local.profile
sai@solaris:~$ newgrp testgrp
sai@solaris:~$ touch b
sai@solaris:~$ ls -lrth
total 8
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 0 Dec 10 00:21 a
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:22 b
To assign a password to a group:
1. Edit the /etc/group file manually and copy a password hash into the group's password field.
2. If the target group is one of the user's supplementary groups, newgrp does not ask for a password.
3. If the target group is not one of the user's supplementary groups, newgrp asks for the password.
root@solaris:~# su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ newgrp newtest
newgrp: Password:
sai@solaris:~$ touch third party
sai@solaris:~$ ls -l
total 12
-rw-r--r-- 1 sai staff 0 Dec 10 00:21 a
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:22 b
-rw-r--r-- 1 sai group2 0 Dec 10 00:26 c
-rw-r--r-- 1 sai testgrp 0 Dec 10 00:27 d
-rw-r--r-- 1 sai staff 165 Dec 10 00:12 local.cshrc
-rw-r--r-- 1 sai staff 170 Dec 10 00:12 local.login
-rw-r--r-- 1 sai staff 130 Dec 10 00:12 local.profile
-rw-r--r-- 1 sai newtest 0 Dec 10 00:32 party
-rw-r--r-- 1 sai newtest 0 Dec 10 00:32 third
How to change default user information:
root@solaris:/etc/skel# useradd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris# useradd -D -g newtest
group=newtest,202 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris:# ls
local.cshrc local.login local.profile
root@solaris:/etc/skel# cat /usr/sadm/defadduser
# Default values for useradd. Changed Mon Dec 10 00:45:30 2012
defgroup=202
defgname=newtest
defparent=/export/home
defskel=/etc/skel
defshell=/usr/bin/bash
definact=0
defexpire=
defauthorization=
defrole=
defprofile=
defproj=3
defprojname=default
deflimitpriv=
defdefaultpriv=
deflock_after_retries=
ex:
root@solaris# useradd -D -g 10
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=0
expire= auths= profiles= roles= limitpriv=
defaultpriv= lock_after_retries=
root@solaris# cat /usr/sadm/defadduser
# Default values for useradd. Changed Mon Dec 10 00:48:22 2012
defgroup=10
defgname=staff
defparent=/export/home
defskel=/etc/skel
defshell=/usr/bin/bash
definact=0
defexpire=
defauthorization=
defrole=
defprofile=
defproj=3
defprojname=default
deflimitpriv=
defdefaultpriv=
deflock_after_retries=
Restricted shell:
#ls -l /usr/lib/rsh
lrwxrwxrwx 1 root root 12 Oct 29 16:08 /usr/lib/rsh -> ../bin/ksh93
#useradd -s /usr/lib/rsh -m ruser
80 blocks
#passwd ruser
New Password:
Re-enter new Password:
passwd: password successfully changed for ruser
#su - ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ -rsh[1]: /dev/null: restricted
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ pwd
/home/ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ bash
ruser@solaris:~$ cd
ruser@solaris:~$ cd /tmp
ruser@solaris:/tmp$ echo $SHELL
/usr/lib/rsh
ruser@solaris:/tmp$ echo $0
bash
ruser@solaris:/tmp$
Note: if the user switches to another shell (as shown above with bash), the restrictions no longer apply.
Using the Secure by Default Configuration
#netservices limited
restarting svc:/system/system-log:default
restarting svc:/network/smtp:sendmail
#
#netservices open
restarting svc:/system/system-log:default
restarting svc:/network/smtp:sendmail
Setuid:
#ls -l /usr/sbin/format
-r-sr-xr-x 1 root bin 248012 Oct 21 2011 /usr/sbin/format
#chmod u+s /usr/sbin/format
#ls -l /usr/sbin/format
-r-sr-xr-x 1 root bin 248012 Oct 21 2011 /usr/sbin/format
#su - sai
Oracle Corporation SunOS 5.11 11.0 November 2011
sai@solaris:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
sai@solaris:~$ exit
logout
#su - ruser
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ -rsh[1]: /dev/null: restricted
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
-rsh[3]: /usr/bin/hostname: /usr/bin/hostname: restricted
ruser@:~$ exit
Note: the setuid bit applies to every user who can execute the file, including the restricted-shell user above; it adds no security restriction of its own.
Setgid:
# mkdir /test
root@solaris:~# ls -ld /test
drwxr-xr-x 2 root root 2 Dec 12 11:44 /test
root@solaris:~# chmod g+s /test
root@solaris:~# ls -ld /test
drwxr-sr-x 2 root root 2 Dec 12 11:44 /test
root@solaris:~# chmod 777 /test
root@solaris:~# ls
root@solaris:~# ls -ld /test
drwxrwsrwx 2 root root 2 Dec 12 11:44 /test
su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ cd /test
test@solaris:/test$ touch a bc
test@solaris:/test$ ls
a bc
test@solaris:/test$ ls -l
total 2
-rw-r--r-- 1 test root 0 Dec 12 11:46 a
-rw-r--r-- 1 test root 0 Dec 12 11:46 bc
test@solaris:/test$ exit
logout
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /central
-bash: cd: /central: No such file or directory
test2@solaris:~$ cd /test
test2@solaris:/test$ ls
a bc
test2@solaris:/test$ touch aa bb
test2@solaris:/test$ ls -l
total 4
-rw-r--r-- 1 test root 0 Dec 12 11:46 a
-rw-r--r-- 1 test2 root 0 Dec 12 11:47 aa
-rw-r--r-- 1 test2 root 0 Dec 12 11:47 bb
-rw-r--r-- 1 test root 0 Dec 12 11:46 bc
Sticky bit:
root@solaris:~# mkdir /sticky
root@solaris:~# chmod 777 /sticky
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /sticky
test2@solaris:/sticky$ cat > a
this is created by test2 user
test2@solaris:/sticky$ exit
logout
root@solaris:~# su - test3
Oracle Corporation SunOS 5.11 11.0 November 2011
test3@solaris:~$ cd /sticky
test3@solaris:/sticky$ cat >> a
-bash: a: Permission denied
test3@solaris:/sticky$ ls -l
total 2
-rw-r--r-- 1 test2 staff 30 Dec 12 11:51 a
test3@solaris:/sticky$ cat test2
cat: cannot open test2: No such file or directory
test3@solaris:/sticky$ ls
a
test3@solaris:/sticky$ rm a
rm: a: override protection 644 (yes/no)? yes
test3@solaris:/sticky$ ls
test3@solaris:/sticky$ cat > a
this is created by test3
test3@solaris:/sticky$ exit
logout
root@solaris:~# chmod +t /sticky
root@solaris:~# ls -ld /sticky/
drwxrwxrwt 2 root root 4 Dec 12 11:53 /sticky/
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ cd /sticky
test2@solaris:/sticky$ cat >b
this is by test2
test2@solaris:/sticky$ exit
logout
root@solaris:~# su - test3
Oracle Corporation SunOS 5.11 11.0 November 2011
test3@solaris:~$ cd /sticky
test3@solaris:/sticky$ ls
a b
test3@solaris:/sticky$ ls -l
total 3
-rw-r--r-- 1 test3 staff 25 Dec 12 11:52 a
-rw-r--r-- 1 test2 staff 17 Dec 12 11:53 b
test3@solaris:/sticky$ rm b
rm: b: override protection 644 (yes/no)? yes
rm: b not removed: Permission denied
Example 3-1 Displaying a User's Login Status
In the following example, the login status for the user jdoe is displayed.
# logins -x -l jdoe
jdoe 500 staff 10 Jaylee Jaye Doe
/home/jdoe
/bin/bash
PS 010103 10 7 -1
jdoe
Identifies the user's login name.
500
Identifies the user ID (UID).
staff
Identifies the user's primary group.
10
Identifies the group ID (GID).
Jaylee Jaye Doe
Identifies the comment.
/home/jdoe
Identifies the user's home directory.
/bin/bash
Identifies the login shell.
PS 010170 10 7 -1
Specifies the password aging information:
• Last date that the password was changed
• Number of days that are required between changes
• Number of days before a change is required
• Warning period
Temporarily disable user logins:
#touch /etc/nologin
#cat >/etc/nologin
User login is temporarily disabled
Ctrl+D
Default File Permissions (umask)
The user mask contains the following octal values:
• The first digit sets permissions for the user
• The second digit sets permissions for group
• The third digit sets permissions for other, also referred to as world
Default umask value is 0022
How to Change Account Defaults For All Roles:
root@solaris:~# roleadd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/opt shell=/usr/bin/pfbash inactive=0
expire= auths= profiles=All limitpriv=
defaultpriv= lock_after_retries= roleauth=role
root@solaris:~# roleadd -D -k /etc/skel
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/pfbash inactive=0
expire= auths= profiles=All limitpriv=
defaultpriv= lock_after_retries= roleauth=role
root@solaris:~# ls -l /usr/sadm/defaddrole
-rw-r--r-- 1 root root 313 Dec 12 09:10 /usr/sadm/defaddrole
Create users on shared file system:
root@solaris:~# svcs autofs
STATE STIME FMRI
online Dec_10 svc:/system/filesystem/autofs:default
root@solaris:~# zpool create users c3t1d0
#zfs set sharenfs=on users
root@solaris:~# useradd -d /users/test -m test
80 blocks
root@solaris:~# passwd test
New Password:
Re-enter new Password:
passwd: password successfully changed for test
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
root@solaris:~# logins -x -l test
test 60007 staff 10
/home/test
/usr/bin/bash
PS 121212 -1 -1 -1
root@solaris:~# useradd -d /export/home/test2 -m test2
80 blocks
root@solaris:~# passwd test2
New Password:
Re-enter new Password:
passwd: password successfully changed for test2
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
test2:x:60008:10::/home/test2:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
test2:$5$JVm8ei7z$.gduufngK1NCb6rfdE.gkrWFjJOJ6Mn.wPLc7nzv2y.:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
test2 localhost:/export/home/test2
root@solaris:~# useradd -d localhost:/users/test3 -m test3
80 blocks
root@solaris:~# passwd test3
New Password:
Re-enter new Password:
passwd: password successfully changed for test3
root@solaris:~# cat /etc/passwd |grep test
test:x:60007:10::/home/test:/usr/bin/bash
test2:x:60008:10::/home/test2:/usr/bin/bash
test3:x:60009:10::/home/test3:/usr/bin/bash
root@solaris:~# cat /etc/shadow|grep test
test:$5$fYO.f4WQ$6xXu0js7RVE08LphnVEo3YRDdhmnLJ0TXcdb4Aa8Aq1:15686::::::
test2:$5$JVm8ei7z$.gduufngK1NCb6rfdE.gkrWFjJOJ6Mn.wPLc7nzv2y.:15686::::::
test3:$5$jSxzUbdP$P/G/BPR6qw95fT3qegXalY7aI1zWHiQsQJAalI4FUP9:15686::::::
root@solaris:~# cat /etc/auto_home |grep test
test localhost:/users/test
test2 localhost:/export/home/test2
test3 localhost:/users/test3
How to monitor failed login attempts:
root@solaris:~# ls -l /var/adm/loginlog
/var/adm/loginlog: No such file or directory
root@solaris:~# touch /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw-r--r-- 1 root root 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# chgrp sys /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw-r--r-- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# chmod 600 /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Dec 12 09:41 /var/adm/loginlog
root@solaris:~# cat /var/adm/loginlog
root@solaris:~# telnet IP
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
login: ruser
Password:
Login incorrect
root@solaris:~# cat /var/adm/loginlog
ruser:/dev/pts/2:Wed Dec 12 10:05:49 2012
ruser:/dev/pts/2:Wed Dec 12 10:05:59 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:09 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:17 2012
ruser:/dev/pts/2:Wed Dec 12 10:06:25 2012
How to Monitor All Failed Login Attempts:
#vi /etc/default/login
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
root@solaris:~# ls -l /var/adm/authlog
/var/adm/authlog: No such file or directory
root@solaris:~# touch /var/adm/authlog
root@solaris:~# chmod 600 /var/adm/authlog
root@solaris:~# ls -l /var/adm/authlog
-rw------- 1 root root 0 Dec 12 10:15 /var/adm/authlog
root@solaris:~# chgrp sys /var/adm/authlog
root@solaris:~# ls -l /var/adm/authlog
-rw------- 1 root sys 0 Dec 12 10:15 /var/adm/authlog
root@solaris:~# vi /etc/syslog.conf
auth.notice ifdef(`LOGHOST', /var/adm/authlog, @loghost)
================OR=================
auth.notice <Press Tab> /var/adm/authlog
root@solaris:~# svcadm restart system-log
root@solaris:~# cat /var/adm/authlog
Dec 12 10:23:26 solaris login: [ID 507249 auth.notice] Login failure on /dev/pts/3 from solaris, ruser
Dec 12 10:23:53 solaris login: [ID 507249 auth.notice] Login failure on /dev/pts/3 from solaris, test
How to lock a user account after repeated failed login attempts:
#vi /etc/security/policy.conf
change LOCK_AFTER_RETRIES=NO to LOCK_AFTER_RETRIES=YES
:wq!
Then, once the RETRIES and SYSLOG_FAILED_LOGINS variables in /etc/default/login are set, the account is locked after that many failed attempts.
Ex:
root@solaris:/etc/security# vi /etc/security/policy.conf
LOCK_AFTER_RETRIES=YES
root@solaris:# vi /etc/default/login
RETRIES=3
root@solaris:/etc/security# logins -x -l test2
test2 60008 staff 10
/home/test2
/usr/bin/bash
PS 121212 -1 -1 -1
root@solaris:/etc/security# telnet 0
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
login: test2
Password:
Login incorrect
login: test2
Password:
Login incorrect
login: test2
Password:
Login incorrect
Connection to 0 closed by foreign host.
root@solaris:/etc/security# logins -x -l test2
test2 60008 staff 10
/home/test2
/usr/bin/bash
LK 121212 -1 -1 -1
How to Monitor Who Is Using the su Command:
The sulog file lists every use of the switch user (su) command, not only the su attempts that are used to switch from user to root.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
• Monitor the contents of the /var/adm/sulog file on a regular basis.
# more /var/adm/sulog
SU 12/20 16:26 + pts/0 stacey-root
SU 12/21 10:59 + pts/0 stacey-root
SU 01/12 11:11 + pts/0 root-rimmer
SU 01/12 14:56 + pts/0 jdoe-root
SU 01/12 14:57 + pts/0 jdoe-root
The entries display the following information:
o The date and time that the command was entered.
o If the attempt was successful. A plus sign (+) indicates a successful attempt. A minus sign (-) indicates an unsuccessful attempt.
o The port from which the command was issued.
o The name of the user and the name of the switched identity.
The su logging in this file is enabled by default through the following entry in the /etc/default/su file:
SULOG=/var/adm/sulog
How to Restrict and Monitor root Logins:
1. Uncomment CONSOLE=/dev/console in the /etc/default/login file.
2. Verify that root cannot log in remotely, from both the CLI and the GUI.
3. Monitor su attempts to become root (see /var/adm/sulog above).
Controlling Access to System Hardware (Tasks):
1.In a terminal window, type the PROM security mode.
#eeprom security-mode=command
Changing PROM password:
New password: <Type password>
2.To change the PROM password, type the following command:
# eeprom security-password= Press Return
Changing PROM password:
New password: <Type password>
Note:Do not forget the PROM password. The hardware is unusable without this password.
How to change keyboard layout:
root@solaris:~# kbd -s
USB keyboard
1. Albanian 25. Latin-American
2. Arabic 26. Lithuanian
3. Belarusian 27. Latvian
4. Belgian 28. Macedonian
5. Brazilian 29. Malta_UK
6. Bulgarian 30. Malta_US
7. Canadian-Bilingual 31. Norwegian
8. Croatian 32. Polish
9. Czech 33. Portuguese
10. Danish 34. Romanian
11. Dutch 35. Russian
12. Dvorak 36. Serbia-And-Montenegro
13. Estonian 37. Slovak
14. Finnish 38. Slovenian
15. French 39. Spanish
16. French-Canadian 40. Swedish
17. Hungarian 41. Swiss-French
18. German 42. Swiss-German
19. Greek 43. Traditional-Chinese
20. Icelandic 44. TurkishF
21. Italian 45. TurkishQ
22. Japanese-type6 46. UK-English
23. Japanese 47. US-English
24. Korean
To select the keyboard layout, enter a number [default 47]:
How to Disable a System's Abort Sequence:
To permanently change the software default effect of the keyboard abort sequence, first add or change the value of the keymap/keyboard_abort property in the keymap service to:
#svc:/system/keymap:default
svccfg -s keymap:default setprop keymap/keyboard_abort=disable
$ svcadm refresh keymap
2.Displaying Information: The following example displays keyboard type and layout code. It also displays auto repeat delay and rate settings.
# kbd -l
type=6
layout=33 (0x21)
delay(ms)=500
rate(ms)=40
root@solaris:~# kbd -D 100
root@solaris:~# kbd -R 50
root@solaris:~# kbd -l
type=6
layout=33 (0x21)
delay(ms)=100
rate(ms)=50
root@solaris:~# kbd -t
USB keyboard
root@solaris:~# kbd -i
kbd ioctl (keyclick): Invalid argument
root@solaris:~# kbd -l
type=6
layout=33 (0x21)
delay(ms)=500
rate(ms)=40
Note: to make the settings permanent, edit the keymap service properties:
#svccfg -s keymap:default setprop keymap/keyboard_abort=alternate
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/keyboard_abort=enable
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/repeat_delay=500
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/repeat_rate=40
#svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/layout=Spanish
# svcadm refresh keymap
#svccfg -s keymap:default setprop keymap/kbd_beeper_freq=2000
#svcadm refresh keymap
Enables, disables, or alternates the keyboard abort sequence effect. By default, a keyboard abort sequence suspends the operating system on most systems. This sequence is typically Stop-A or L1-A and Shift-Pause on the keyboard on SPARC systems, F1-A and Shift-Pause on x86 systems, and BREAK on the serial console device. The default keyboard behavior can be changed using this option. The -a option can only be used by a super user.
enable Enables the default effect of the keyboard abort sequence (suspend the operating system and enter the debugger or the monitor).
disable Disables the default/alternate effect and ignores keyboard abort sequences.
alternate Enables the alternate effect of the keyboard abort sequences (suspend the operating system and enter the debugger or the monitor) upon receiving the Alternate Break character sequence on the console. The Alternate Break sequence is defined by the drivers zs(7D), se(7D), asy(7D). Due to a risk of incorrect sequence interpretation, binary protocols cannot be run over the serial console port when this value is used.
RBAC:
The root role cannot log in. You must log in as the user you created during the installation. After you log in, you can assume the root role to configure the system. To assume the role, open a terminal window and use the su - root command.
• You can change the root role to a user account that can log in. To change root to a user, type the following command in a terminal window:
# rolemod -K type=normal root
root@solaris:~# cat /etc/user_attr|grep root
venkat::::type=normal;lock_after_retries=no;profiles=System Administrator;roles=root
root::::type=role
#rolemod -K type=normal root
Found user in files repository.
How to convert root back to a role:
root@solaris:~# usermod -K type=role root
Found user in files repository.
UX: usermod: root is currently logged in, some changes may not take effect until next login.
root@solaris:~# cat /etc/user_attr
#
# The system provided entries are stored in different files
# under "/etc/user_attr.d". They should not be copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
venkat::::type=normal;lock_after_retries=no;profiles=System Administrator;roles=root
root::::type=role
To list all authorizations:
getent auth_attr|more
solaris.smf.value.tcsd:::Change TPM Administation value properties::
solaris.smf.manage.tcsd:::Manage TPM Administration service states::
solaris.smf.manage.dhcp:::Manage ISC DHCP Server and Relay Agent Service States::help=SmfDHCPStates.html
.
.
List all rights profiles:
getent prof_attr
DTrace Toolkit::::
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
……….
List all commands with security attributes:
# getent exec_attr|more
DTrace Toolkit:solaris:cmd:::/usr/dtrace/DTT/*/*:privs=dtrace_kernel,dtrace_proc,dtrace_user
All:solaris:cmd:RO::*:
Audit Control:solaris:cmd:RO::/usr/sbin/audit:privs=proc_owner,sys_audit
Audit Configuration:solaris:cmd:RO::/usr/sbin/auditconfig:privs=sys_audit
Audit Review:solaris:cmd:RO::/usr/sbin/auditreduce:euid=0
How to View user Assigned Rights:
1)authorizations
2)profiles
3)roles
4)privileges
$auths
solaris.account.activate,solaris.admin.wusb.read,solaris.device.*,solaris.group.manage,solaris.hotplug.*,solaris.jobs.*,solaris.label.range,so
……….
$ profiles
System Administrator
LDoms Management
Audit Review
Printer Management
$ profiles -l    (detailed listing)
System Administrator
profiles=LDoms Manage
$ roles
Root
$ ppriv -vl basic
file_link_any
Allows a process to create hardlinks to files owned by a uid
different from the process' effective uid.
…….
venkat@solaris:~$ auths root
solaris.*
venkat@solaris:~$ auths test
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
venkat@solaris:~$ profiles test
test:
Basic Solaris User
All
venkat@solaris:~$ profiles -l test
test:
Basic Solaris User
auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
profiles=All
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
All
*
venkat@solaris:~$ ppriv $$
12926: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
To create our own roles:
root@solaris:~# cat /etc/security/prof_attr
#
# The system provided entries are stored in different files
# under "/etc/security/prof_attr.d". They should not be
# copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
test::::
root@solaris:~# cat /etc/security/exec_attr
#
# The system provided entries are stored in different files
# under "/etc/security/exec_attr.d". They should not be
# copied to this file.
#
# Only local changes should be stored in this file.
# This line should be kept in this file or it will be overwritten.
#
test:solaris:cmd:::/usr/sbin/format:euid=0
root@solaris:~# roleadd -d /users/role1 -m role1
80 blocks
root@solaris:~# rolemod -P test role1
Found user in files repository.
root@solaris:~# usermod -R role1 test2
Found user in files repository.
root@solaris:~# roles test2
role1
root@solaris:~# profiles test2
test2:
Basic Solaris User
All
root@solaris:~# profiles -l test2
test2:
Basic Solaris User
auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
profiles=All
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
All
*
root@solaris:~# auths test2
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
root@solaris:~# passwd role1
New Password:
Re-enter new Password:
passwd: password successfully changed for role1
root@solaris:~# ppriv $$
13140: -bash
flags = <none>
E: all
I: basic
P: all
L: all
root@solaris:~# su - test2
Oracle Corporation SunOS 5.11 11.0 November 2011
test2@solaris:~$ profiles
Basic Solaris User
All
test2@solaris:~$ roles
role1
test2@solaris:~$ su - role1
Password:
Oracle Corporation SunOS 5.11 11.0 November 2011
role1@solaris:~$ echo $0
-bash
role1@solaris:~$ auths
solaris.admin.wusb.read,solaris.device.mount.removable,solaris.mail.mailq
role1@solaris:~$ profiles
test
Basic Solaris User
All
role1@solaris:~$ format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <SUN72G cyl 14087 alt 2 hd 24 sec 424>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0
1. c3t1d0 <FUJITSU-MAY2073RCSUN72G-0401-68.37GB>
/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@1,0
Specify disk (enter its number): ^C
role1@solaris:~$
role1@solaris:~$ exit
logout
test2@solaris:~$ echo $0
-bash
test2@solaris:~$ exit
logout
How to Disable Programs From Using Executable Stacks:
Edit the /etc/system file, and add the following line:
set noexec_user_stack=1
# reboot
Disabling the Logging of Executable Stack Messages:
#cat /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=0
# reboot
ACLs on ZFS:
1.#mkdir /test
#chmod 777 /test
# cd /test
# cat >file1
this is file one
# cat file1
this is file one
# chmod 600 file1
# su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ cd /test
test@solaris:/test$ ls
file1
test@solaris:/test$ cat file1
cat: cannot open file1: Permission denied
# cd /test
root@solaris:/test# ls
file1
root@solaris:/test# ls -v
total 2
-rw------- 1 root root 17 Dec 12 16:33 file1
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
1:group@:read_xattr/read_attributes/read_acl/synchronize:allow
2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
# chmod A=user::rw-,group::---,other::---,mask::rwx,user:test:r-- file1
ls -v
total 2
-rw-------+ 1 root root 17 Dec 12 16:33 file1
0:owner@:read_data/write_data/append_data/read_attributes
/write_attributes/read_acl/write_acl/synchronize:allow
1:owner@:execute:deny
2:user:test:write_attributes/write_acl:deny
3:user:test:read_data/read_attributes/read_acl/synchronize:allow
4:user:test:write_data/append_data/execute/write_attributes/write_acl
:deny
5:group@:write_attributes/write_acl:deny
6:group@:read_attributes/read_acl/synchronize:allow
7:group@:read_data/write_data/append_data/execute/write_attributes
/write_acl:deny
8:everyone@:read_attributes/read_acl/synchronize:allow
9:everyone@:read_data/write_data/append_data/execute/write_attributes
/write_acl:deny
su - test
Oracle Corporation SunOS 5.11 11.0 November 2011
test@solaris:~$ ls
local.cshrc local.login local.profile
test@solaris:~$ cat /test/file1
this is file one
sudo users (logging):
bash-4.1# cd /var/log
-bash-4.1# ls
authlog cups install pool syslog syslog.1 zones
beadm ilomconfig pkg snmpd.log syslog.0 syslog.2
#touch sudolog
-bash-4.1# chown root:sys sudolog
#visudo or #vi /etc/sudoers
Defaults logfile=/var/log/sudolog
:wq
#cat /var/log/sudolog
Dec 13 10:07:40 : root : TTY=pts/1 ; PWD=/etc/sudoers.d ; USER=root ; COMMAND=/usr/bin/ls
Dec 13 10:07:49 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ; COMMAND=/usr/bin/ls
Dec 13 10:07:58 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/ls -l /
Dec 13 10:09:24 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/ls -l /etc/sudoers.d/
Dec 13 10:14:48 : venkat : TTY=pts/1 ; PWD=/home/venkat ; USER=root ;
COMMAND=/usr/bin/su -
To grant a normal user full sudo privileges (equivalent to root access):
#vi /etc/sudoers
<User Name> ALL=(ALL) ALL
:wq
SWAP SPACE MANAGEMENT:
# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30348168k available
# zfs list
rpool/swap 4.13G 43.7G 4.00G -
-bash-4.1# zfs set volsize=8g rpool/swap
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30346472k available
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
-bash-4.1# zfs list
rpool/swap 8.25G 39.7G 8.00G -
-bash-4.1# zfs set volsize=4g rpool/swap
-bash-4.1# zfs list rpool/swap
NAME USED AVAIL REFER MOUNTPOINT
rpool/swap 4.13G 43.7G 4.00G -
-bash-4.1# swap -s
total: 142040k bytes allocated + 10728k reserved = 152768k used, 30344432k available
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
Adding swap:
-bash-4.1# zfs create -V 1g rpool/swap1
-bash-4.1# swap -a /dev/zvol/dsk/rpool/swap1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
-bash-4.1# swap -s
total: 144744k bytes allocated + 10720k reserved = 155464k used, 31384464k available
========
-bash-4.1# zfs create -V 2g users/swap2
#zfs set dedup=off users/swap2
# zfs get all users
NAME PROPERTY VALUE SOURCE
users type filesystem -
users creation Wed Dec 12 9:16 2012 -
users used 2.06G -
users available 64.9G -
users referenced 35K -
users compressratio 1.00x -
users mounted yes -
users quota none default
users reservation none default
users recordsize 128K default
users mountpoint /users default
users sharenfs on local
users checksum on default
users compression off default
users atime on default
users devices on default
users exec on default
users setuid on default
users readonly off default
users zoned off default
users snapdir hidden default
users aclmode discard default
users aclinherit restricted default
users canmount on default
users xattr on default
users copies 1 default
users version 5 -
users utf8only off -
users normalization none -
users casesensitivity mixed -
users vscan off default
users nbmand off default
users sharesmb off default
users refquota none default
users refreservation none default
users primarycache all default
users secondarycache all default
users usedbysnapshots 0 -
users usedbydataset 35K -
users usedbychildren 2.06G -
users usedbyrefreservation 0 -
users logbias latency default
users dedup off default
users mlslabel none -
users sync standard default
users encryption off -
users keysource none default
users keystatus none -
users rekeydate - default
users rstchown on default
users shadow none -
-bash-4.1# swap -a /dev/zvol/dsk/users/swap2
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
/dev/zvol/dsk/users/swap2 228,11 16 4194288 4194288
-bash-4.1#
====
-bash-4.1# mkdir /swap/
-bash-4.1# cd /swap
-bash-4.1# ls
-bash-4.1# mkfile 2g swap
-bash-4.1# swap -a /swap/swap
"/swap/swap" may contain holes - can't swap on it.
-bash-4.1# lofiadm -a /swap/swap
/dev/lofi/1
-bash-4.1# swap -a /dev/lofi/1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
/dev/zvol/dsk/rpool/swap1 228,10 16 2097136 2097136
/dev/zvol/dsk/users/swap2 228,11 16 4194288 4194288
/dev/lofi/1 167,1 16 4194288 4194288
-bash-4.1#
Deleting swap file system
-bash-4.1# swap -d /dev/lofi/1
-bash-4.1# lofiadm -d /swap/swap
-bash-4.1# rm /swap/swap
==
-bash-4.1# swap -d /dev/zvol/dsk/users/swap2
-bash-4.1# zfs destroy users/swap2
-bash-4.1# swap -d /dev/zvol/dsk/rpool/swap1
-bash-4.1# zfs destroy rpool/swap1
-bash-4.1# swap -l
swapfile dev swaplo blocks free
/dev/zvol/dsk/rpool/swap 228,2 16 8388592 8388592
===
Note: To make permanent make entry in /etc/vfstab file
On a SPARC based system, create your swap area. Set the block size to 8 KB.
#zfs create -V 2G -b 8k rpool/swap1
On an x86 based system, create your swap area. Set the block size to 4 KB.
#zfs create -V 2G -b 4k rpool/swap1
#cat /etc/vfstab
/dev/zvol/dsk/rpool/swap - - swap - no -
CRASH DUMPS:
-bash-4.1# cat /etc/dumpadm.conf
#
# dumpadm.conf
#
# Configuration parameters for system crash dump.
# Do NOT edit this file by hand -- use dumpadm(1m) instead.
#
DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump
DUMPADM_SAVDIR=/var/crash
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=yes
DUMPADM_CSAVE=on
Services:
svc:/system/dumpadm:default
to see crash dump info:
bash-4.1# dumpadm
Dump content: kernel pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
To generate a crash dump of the live (running) system:
bash-4.1# savecore -L
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
0:13 100% done
100% done: 195926 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:07:10 2012
savecore: Saving compressed system crash dump in /var/crash/vmdump.0
savecore: Decompress the crash dump with
'savecore -vf /var/crash/vmdump.0'
bash-4.1# cd /var/crash
-bash-4.1# ls
bounds vmdump.0
-bash-4.1# ls -lrth
total 632537
-rw-r--r-- 1 root root 2 Dec 13 12:07 bounds
-rw-r--r-- 1 root root 309M Dec 13 12:07 vmdump.0
To display verbose manner:
bash-4.1# savecore -v
savecore: dump already processed
-bash-4.1# savecore -Lv
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
0:20 100% done
100% done: 196132 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:11:58 2012
savecore: Saving compressed system crash dump in /var/crash/vmdump.1
savecore: Copying /dev/zvol/dsk/rpool/dump to /var/crash/vmdump.1
savecore: Decompress the crash dump with
'savecore -vf /var/crash/vmdump.1'
0:28 dump copy is done
1.After the system reboots, log in as the root user.
2.Clear out the savecore directory, typically, /var/crash/, by removing existing crash dump files that have already been sent to your service provider.
3.Alternatively, you can manually run the savecore command to specify an alternate directory that has sufficient disk space
bash-4.1# savecore /dumpdir
How to Force a Crash Dump and Reboot of the System
1. Bring the system to the ok PROM prompt.
2. Synchronize the file systems and write the crash dump.
> n
ok sync
After the crash dump is written to disk, the system will continue to reboot.
3. Verify that the system boots to run level 3.
The login prompt is displayed when the boot process has finished successfully.
hostname console login:
SPARC: Forcing a Crash Dump and Reboot of a System by Using the halt -d Command
This example shows how to force a crash dump and reboot of the system by using the halt -d and boot commands.
#halt -d
SPARC: Booting a System With the Kernel Debugger (kmdb) Enabled
Ok boot kmdb
===
-bash-4.1# dumpadm
Dump content: kernel pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -c all
Dump content: all pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -c curproc
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -m 20%
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -y
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -n
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: no
Save compressed: on
-bash-4.1# dumpadm -y
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -z off
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: off
-bash-4.1# dumpadm -z on
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# savecore -L v
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel + curproc
0:15 100% done
100% done: 196385 pages dumped, dump succeeded
savecore: System dump time: Thu Dec 13 12:32:08 2012
savecore: chdir("v"): No such file or directory
#ls -l /var/crash
-rw-r--r-- 1 root root 2 Dec 13 12:12 bounds
-rw------- 1 root root 8 Dec 13 12:29 minfree
-rw-r--r-- 1 root root 323551232 Dec 13 12:07 vmdump.0
-rw-r--r-- 1 root root 324861952 Dec 13 12:12 vmdump.1
dumpadm
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -s /swap
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /swap
Savecore enabled: yes
Save compressed: on
-bash-4.1# dumpadm -s /var/crash
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
#zfs create -V 20g rpool/dump1
#dumpadm -d /dev/zvol/dsk/rpool/dump1
#dumpadm
Dump content: kernel and current process pages
Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
Savecore directory: /var/crash (minfree = 9180525KB)
Savecore enabled: yes
Save compressed: on
CORE DUMPS:
bash-4.1# svcs coreadm
STATE STIME FMRI
online 16:52:30 svc:/system/coreadm:default
TO SEE CORE DUMP INFORMATION
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
TO CONFIGURE CORE DUMPS (core file pattern variables, then the -e/-d options):
Variable Name Variable Definition
%d Executable file directory name, up to a maximum of MAXPATHLEN characters
%f Executable file name, up to a maximum of MAXCOMLEN characters
%g Effective group ID
%m Machine name (uname -m)
%n System node name (uname -n)
%p Process ID
%t Decimal value of time(2)
%u Effective user ID
%z Name of the zone in which process is executed (zonename)
%% Literal %
global
Allow core dumps that use global core pattern.
global-setid
Allow set-id core dumps that use the global core pattern.
log
Generate a syslog(3C) message when generation of a
global core file is attempted.
process
Allow core dumps that use per-process core pattern.
proc-setid
Allow set-id core dumps that use the per-process core pattern.
Multiple -e and -d options can be specified on the
command line. Only users and roles belonging to the
"Maintenance and Repair" RBAC profile can use this
option.
-bash-4.1# coreadm -i /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
-bash-4.1# sleep 1000&
[1] 14392
-bash-4.1# jobs
[1]+ Running sleep 1000 &
-bash-4.1# kill -8 14392
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
[1]+ Arithmetic Exception sleep 1000
bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
To enable per-process core dumps:
-bash-4.1# coreadm -e process
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
To enable global core dumps:
-bash-4.1# coreadm -e global
-bash-4.1# coreadm
global core file pattern:
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
bash-4.1# coreadm -e global -g /var/core/core.%f.%p
-bash-4.1# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
-bash-4.1# svcadm restart coreadm
-bash-4.1# svcs coreadm
STATE STIME FMRI
online 16:41:08 svc:/system/coreadm:default
-bash-4.1# cd /var/core
-bash-4.1# ls
core.sleep.14460
To change the global core file content (and pattern):
bash-4.1# coreadm -G all -g /var/cores/%d/%f.%p.%n
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
To enable global set-id core dumps (coreadm -e global-setid; both set-id options are disabled by default because a set-id process's core image can expose data the invoking user could not otherwise read):
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
-bash-4.1# coreadm -e global-setid -g /var/cores/%d/%f.%p.%n
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: disabled
global core dump logging: disabled
To enable per-process set-id core dumps (coreadm -e proc-setid):
-bash-4.1# coreadm -e proc-setid
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: enabled
global core dump logging: disabled
To enable logging of global core dumps (coreadm -e log):
-bash-4.1# coreadm -e log
-bash-4.1# coreadm
global core file pattern: /var/cores/%d/%f.%p.%n
global core file content: all
init core file pattern: /var/core/core.%f.%g.%d.%m.%n.%p.%t.%s.%z
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: enabled
per-process setid core dumps: enabled
global core dump logging: enabled
How to configure the GUI in Solaris 11:
#pkg install pkg://solaris/group/system/solaris-desktop
#pkg install system/locale/extra
-bash-4.1# cat /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
[security]
[xdmcp]
Port=177
DisplaysPerHost=1
Enable=true
HonorIndirect=true
[greeter]
[chooser]
[debug]
#Reboot server
#init 6