New Security Features in the Solaris 8 Release

This section describes security features introduced in the Solaris 8 release.

New Default Ownership and Permissions on System Files and Directories

The Solaris 8 release provides stricter default ownership and permissions than in previous releases. The following list describes the changes to default ownership and permissions.

NOTE

These changes apply to only some files and directories in the Solaris 8 release. For example, the changes do not apply to OpenWindows or CDE files and directories.


  • Default file and directory ownership is changed from bin to root.

  • Files and directories that previously had default permissions of 775 now have default permissions of 755.

  • Files and directories that previously had default permissions of 664 now have default permissions of 644.

  • The default system umask is 022.

When creating a package to be added to a system running the Solaris 8 release, keep the following in mind.

  • All files and directories must have root as the default owner.

  • Directories and executables must have default permissions of 555 or 755.

  • Ordinary files must have default permissions of 644 or 444.

  • Files with setuid or setgid ownership cannot be writable by the owner unless the owner is root.
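
The following added example (not from the book or from Sun) checks a package prototype file against the four guidelines above before the package is built. The sample entries are constructed, the function names are hypothetical, and treating any file with an execute bit set as an "executable" is an assumption of this sketch.

```python
import stat

# Constructed sample in prototype(4) layout: ftype class path mode owner group
SAMPLE_PROTOTYPE = """\
i pkginfo
d none /opt/example 0755 root sys
d none /opt/example/bin 0775 bin bin
f none /opt/example/bin/tool 0755 root bin
f none /opt/example/bin/helper 4755 daemon bin
f none /opt/example/etc/tool.conf 0664 root sys
f none /opt/example/etc/readme 0444 root sys
"""

def check_entry(ftype, mode, owner):
    """Return the list of packaging guidelines that one entry breaks."""
    problems = []
    perms = mode & 0o777
    if owner != "root":
        problems.append("owner is %s, not root" % owner)
        # setuid/setgid files may be owner-writable only when root owns them
        if mode & (stat.S_ISUID | stat.S_ISGID) and perms & stat.S_IWUSR:
            problems.append("setuid/setgid and writable by non-root owner")
    # Assumption: a file with any execute bit set counts as an executable
    if ftype in ("d", "x") or perms & 0o111:
        if perms not in (0o555, 0o755):
            problems.append("mode %04o, expected 555 or 755" % perms)
    elif perms not in (0o644, 0o444):
        problems.append("mode %04o, expected 644 or 444" % perms)
    return problems

def audit_prototype(text):
    """Map each offending path in a prototype file to its problems."""
    findings = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():  # optional leading part number
            fields = fields[1:]
        # Only file and directory entries carry a mode and an owner
        if len(fields) != 6 or fields[0] not in ("f", "e", "v", "d", "x"):
            continue
        ftype, _cls, path, mode, owner, _group = fields
        if not all(c in "01234567" for c in mode):  # e.g. "?" = leave as is
            continue
        problems = check_entry(ftype, int(mode, 8), owner)
        if problems:
            findings[path.split("=")[0]] = problems  # drop "=source" suffix
    return findings

if __name__ == "__main__":
    for path, problems in audit_prototype(SAMPLE_PROTOTYPE).items():
        print(path + ": " + "; ".join(problems))
```
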

Role-Based Access Control

Role-based access control (RBAC) provides a flexible way to package superuser privileges for assignment to user accounts or to role accounts so that you can grant partial superuser privileges to a user who needs to solve a specific problem.

RBAC was introduced in the Solaris 8 release. With the Solaris 8 Version 3 release, the Solaris Operating Environment provides a set of graphical user interface tools in the Solaris Management Console (SMC) to administer RBAC. See Chapter 23, “Role-Based Access Control,” for more information about RBAC and a description of how to use the SMC tools with RBAC.

Sun Enterprise Authentication Mechanism (SEAM) or Kerberos V5 Client Support

The Solaris 8 release provides the Kerberos V5 client-side infrastructure, an addition to the Pluggable Authentication Module (PAM), and commands that you can use to secure RPC-based applications such as the NFS service. Kerberos provides selectable strong user-level or server-level authentication, integrity, or privacy support. You can use the Kerberos client in conjunction with Sun Enterprise Authentication Mechanism (SEAM), a part of Sun Easy Access Server (SEAS) 3.0, or other Kerberos V5 software (for example, the M.I.T. distribution) to create a complete single network sign-on solution.

Note that the Solaris 8 release provides only the client-side part of the SEAM product. To use this product, you must install the Key Distribution Center (KDC) with either the SEAS 3.0 release, Solaris 8 Admin Pack, the M.I.T. distribution, or Windows 2000.

SEAM is available as a free download from www.sun.com/bigadmin/content/adminPack as part of the Solaris 8 Admin Pack.

Describing how to administer SEAM is beyond the scope of this book. For more information, refer to the Sun SEAM documentation or to the Solaris System Administration Guide, Volume II. Sun documentation is available online at http://docs.sun.com.
