Certification Summary


System security operates at two access levels: access to the system itself, and access to the resources on the system, such as files. System access is secured by monitoring and controlling it. You do this by making sure that each user has a password, by monitoring failed login attempts in the /var/adm/loginlog file, and, in the event of system maintenance or system shutdown, by disabling all non-root user logins by creating the /etc/nologin file. You can also improve system security by restricting remote access to the system, such as ftp access, by using the /etc/ftpd/ftpusers and /etc/ftpd/ftphosts files.

Security tasks are carried out either by issuing commands such as chmod or by creating files such as /etc/nologin. To perform most security-related tasks, you must be logged in as superuser; the root account created by default serves this purpose.

Everything on a Solaris system, as in any UNIX-based system, is a file: files represent regular files, directories, sockets, and devices. The Solaris file permission system divides the world of users into three continents: the user who owns the file, called owner; the group of users that owns the file, called group; and the rest of the world, called others. The permissions on a file are assigned to these continents, and you can move the users in and out of these continents with the chown and chgrp commands. Executable files, when executed, can access other files, and this access is managed by special file permissions called the setuid, setgid, and sticky bits.

Files are an important resource on the system. In addition to using files, users also employ the system to use printers and to run programs (processes). In the next chapter we discuss managing processes and printers.

Inside the Exam

Comprehend

  • If you are logged in as a root user, you can switch to other users using the su command, and you will not be asked for a password. If you are not logged in as root, you will be asked for a password when you want to switch to another account.

  • A user can take advantage of the setgid permission to create files in the directory on which the setgid permission is set, even if the user does not normally have the permission to do so. However, the created files will still belong to the group to which the directory belongs, not the group to which the user belongs.

Look Out

  • The passwd command with -d option will delete the password, not the account. It means that the system will not prompt for a password.

  • All attempts to switch users by using the su command, not just attempts to switch to superuser, are recorded into the /var/adm/sulog file.

  • The users listed in the /etc/ftpd/ftpusers file are denied ftp access, and users whose shell is not listed in the /etc/shells file are also denied access to the system. If you do not create an /etc/shells file, the system supports all the default shells.

  • The = operator in the chmod command overwrites the permission bits for the user.

  • The chown command can also be used to change the group ownership of a file.

  • If you want to change the ownership of a file by using chown on the link that points to the file, do not use the -h option.

  • The setuid and setgid options pose security threats, but the sticky bit enhances the security on a file.
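
A defender's check for the special permission bits discussed above, as an added example that is not part of the original study guide: it builds a constructed sandbox directory, then uses find to list setuid/setgid files and world-writable directories that lack the sticky bit. The function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree for special permission bits.
# Every file and directory name below is constructed for the demonstration.

# List regular files carrying the setuid (4000) or setgid (2000) bit.
find_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# List world-writable directories that lack the sticky bit (1000).
# In such a directory any user can delete or rename another user's files.
find_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build a constructed sandbox and print its path.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared" "$sandbox/tmp_ok" "$sandbox/tmp_bad"
    : > "$sandbox/plain"
    : > "$sandbox/suid_tool"
    : > "$sandbox/sgid_tool"
    chmod 644  "$sandbox/plain"
    chmod 4755 "$sandbox/suid_tool"   # setuid: runs with the owner's identity
    chmod 2755 "$sandbox/sgid_tool"   # setgid: runs with the group's identity
    chmod 2775 "$sandbox/shared"      # setgid directory: new files get its group
    chmod 1777 "$sandbox/tmp_ok"      # sticky: only a file's owner may remove it
    chmod 0777 "$sandbox/tmp_bad"     # world-writable, no sticky bit
    echo "$sandbox"
}

# Stand-alone run against the sandbox.
demo=$(make_sandbox) || exit 1
echo "setuid/setgid files:"
find_special_files "$demo"
echo "world-writable directories without the sticky bit:"
find_unsticky_dirs "$demo"
rm -rf "$demo"
```

Pointing the two find functions at a real tree gives a baseline list to review and to compare against after patches or software installs.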

Memorize

  • The command su refers to switching users and it does not necessarily mean switch to superuser.

  • The term Superuser is commonly used for the account named root, which is created by default. There is no account named Superuser created by default.

  • When you are logged in as root, the prompt sign is # (a pound sign).

  • When the remote superuser access is disabled, you can still log in as another user and then switch to the superuser account with the su command.

  • The existence of the /etc/nologin file will not prevent a superuser from logging into the system.




Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168
