@alanc
Last active November 16, 2021 22:42
Man page changes in Solaris 11.4.39
Man page changes between Solaris 11.4.36 & 11.4.39, including changes for:
25561878 logadm -o -g -m does not work if being called with -c option
27407958 svc periodic-restart spinning on CPU
28181620 C11 v*wprintf_s() are not documented in vfwprintf(3C) man page
28181670 C11 *wprintf_s() are not documented in fwprintf(3C) man page
29044237 Improve path lookup by avoiding 8.3 name mangling
29121857 Request for "noacl" NFS (v3/v2) mount option - or some way to disable GETACL requests
30630346 Optimize netgroup behaviour
31534454 p2open() needs some attention
31709332 Improve mechanism used for nfs/cleanup
31885630 printf family man page missing some info in return section
32361935 Add kernel zone support for Intel's next generation Ice Lake cpu
32599625 Remove ntfsprogs, parted, and associated libraries (PSARC/2021/029)
32735438 zpool status should be able to choose sections to be displayed
32832402 zoneadm list should show the zone description as well
32887971 Need way to distinguish between hostnames and netgroups in SMB exceptions
32960358 existence of "<name>-recovery" ZBE after zone installation from recovery UAR should be documented
32987794 Add network daemon service property to enable privilege error reporting
33022021 isdnio(4i) man page should have been removed when driver & header were
33038532 Assorted fixes for security man pages
33090679 adding a new "-m" option for ldm add-spconfig CLI in ldoms man page
33097876 Would like a way to set the string length limit for ::printf
33125969 lari should analyze kernel modules
33131638 touch(1) man page missing XPG7, Y2038, and privileges updates
33171786 ice lake KZ migration class is missing a few features.
33172456 dprintf(3C) and vdprintf(3C) missing from man pages
33206947 memalign() in libmalloc, libumem, and libadimalloc does not set errno correctly on invalid inputs
33207052 libumem & watchmalloc incorrectly set errno for valloc(0)
33212210 Broken links in ON man pages
33241420 typographical error on the passwd(1) man page
Copyright (c) 1983, 2021, Oracle and/or its affiliates.
diff -NurbBw 11.4.36/man1/auths.1 11.4.39/man1/auths.1
--- 11.4.36/man1/auths.1 2021-11-16 13:14:11.672647261 +0000
+++ 11.4.39/man1/auths.1 2021-11-16 13:14:46.532630672 +0000
@@ -18,28 +18,26 @@
auths check [-u user] authorization
- auths add [-S repository] -t description
- [-h help_file_path] authorization
+ auths add [-S repository] -t description authorization
- auths modify [-S repository] [-t description]
- [-h help_file_path] authorization
+ auths modify [-S repository] [-t description] authorization
auths remove [-S repository] authorization
DESCRIPTION
- The auths command prints on standard output the authorizations that you
- or the optionally-specified user or role have been granted. Authoriza-
- tions are rights that are checked by certain privileged programs to
- determine whether a user may execute restricted functionality.
+ Authorizations are rights that are checked by certain privileged pro-
+ grams to determine whether a user may execute restricted functionality.
+ They are part of the Solaris Role Based Access Control system described
+ in rbac(7).
- The command also creates and modifies an authorization and its proper-
- ties in the auth_attr(5) database in the local files name service or
- LDAP name service. The auths command also prints on standard output the
- authorizations that you or the optionally specified user or role have
- been granted.
+ The auths command has various subcommands to manage an authorization
+ and its properties in the auth_attr(5) database in the local files name
+ service or LDAP name service. When run with no subcommand, the auths
+ command prints on standard output the authorizations that the user run-
+ ning it, or the optionally specified user or role have been granted.
An administrator must be granted the Rights Management Profile to be
@@ -54,7 +52,7 @@
rization are separated by dots (.), starting with the reverse order
Internet domain name of the creating organization, and ending with the
specific function within a class of authorizations. Authorizations can-
- not end with a dot (..)
+ not end with a dot (.).
An asterisk (*) indicates all authorizations in a class.
@@ -69,7 +67,7 @@
For each user, there are two sets of profiles, an authenticated set,
- and an unauthenticated set. Authorizations in the authenticated set or
+ and an unauthenticated set. Authorizations in the authenticated set are
always effective, but those in the unauthenticated set only become
effective after a successful response to an authentication challenge.
Such challenges are automatically issued when the user executes a com-
@@ -77,19 +75,19 @@
pfexec(1).
Subcommands
- add [-S repository] -t description [-h help_file_path] authorization
+ add [-S repository] -t description authorization
- Create the specified authorization (authorization) in the specified
- name-service repository (repository).
+ Create the specified authorization in the specified name service
+ repository.
If no repository option is specified, the authorization is created
- in the file's name-service.
+ in the files name service.
check [-u user] authorization
- Check if the specified authorization (authorization) has been
- granted to the specified username (user) or the current user.
+ Check if the specified authorization has been granted to the speci-
+ fied user, or the current user if the -u option was not given.
If the user has the proper authorization, auths exits with exit
code 0. Otherwise, it returns with exit code greater than 1.
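Review bot: the check entry's closing sentence, unchanged context in this hunk, says failure returns "exit code greater than 1", which excludes 1; if any non-zero status means the authorization is not held, write "a non-zero exit code", and confirm the wording matches the EXIT STATUS section further down the page.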
@@ -97,54 +95,50 @@
info [-S repository] [-v] [authorization]
- Check if the specified authorization (authorization) is present in
- the specified name-service repository (repository) or looks up
- based on nsswitch.conf(5). If the specified authorization is
- present, it is listed and the auths exits with return code 0.
+ Check if the specified authorization is present in the specified
+ name service repository, or looks up based on nsswitch.conf(5) if
+ no -S is given. If the specified authorization is present, it is
+ listed and the auths exits with return code 0.
If no authorization is specified, auths prints all the authoriza-
- tions present in the specified name-service repository or based on
+ tions present in the specified name service repository or based on
nsswitch.conf(5).
list [-S repository] [-vx] [-u user]
Lists all the authorizations that are assigned to the specified
- user (user) or current user, if no username is specified, based on
- the name-service repository (repository).
+ user or the current user, if no username is specified, based on the
+ name service repository.
If no repository is specified the information is looked up based on
nsswitch.conf(5).
- modify [-S repository] [ -t description ] [ -h help_file_path]
+ modify [-S repository] [ -t description ] authorization
- Modify an existing authorization in the specified name-service
- repository. If no repository is specified the authorization ill be
- modified in the first name-service that it is found in based on
+ Modify an existing authorization in the specified name service
+ repository. If no repository is specified the authorization will be
+ modified in the first name service that it is found in based on
nsswitch.conf(5).
remove [-S repository] authorization
- Remove an existing authorization (authorization) in the specified
- name-service repository (repository).
+ Remove an existing authorization in the specified name service
+ repository.
If no repository is specified, the authorization is removed from
- the first name-service that it is found in based on nss-
+ the first name service that it is found in based on nss-
witch.conf(5).
OPTIONS
The auths subcommands support the following options:
- -h help_file_path Set the location of the help file which contains
- information about the authorization.
-
-
- -S repository Specify the name-service repository (repository)
- to be modified or searched. The supported reposi-
- tory options are files and ldap.
+ -S repository Specify the name service repository to be modified or
+ searched. The supported repository options are files
+ and ldap.
Note -
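Review bot: the modify entry in this hunk keeps the bracket spacing `[ -t description ]` while the SYNOPSIS and the add entry use `[-t description]`; make them consistent. In the info entry, "or looks up based on nsswitch.conf(5) if no -S is given" reads better as "or, if -S is not given, looks it up according to nsswitch.conf(5)".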
@@ -153,23 +147,20 @@
When updating the ldap repository, both the LDAP
- server and client must be configured with
- EnableShadowUpdate=true.
-
+ server and client must be configured with Enable-
+ ShadowUpdate=true.
- If this option is omitted, look up is based on
- nsswitch.conf(5).
+ If this option is omitted, look up is based on nss-
+ witch.conf(5).
- -t description Specify the textual description of the authoriza-
- tion.
+ -t description Specify the textual description of the authorization.
- -u user Specify the user name (user) for which to list or
- check authorization.
+ -u user Specify the user for which to list or check autho-
+ rization.
- If this option is omitted, the current user is
- used.
+ If this option is omitted, the current user is used.
-v Print the description for the authorization.
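Review bot: the re-wrapped -S text now splits two literal names across line breaks, `Enable-ShadowUpdate=true` and `nss-witch.conf(5)`, so a reader copying them picks up a hyphen that is not part of the name. Keep `EnableShadowUpdate=true` and `nsswitch.conf(5)` unbroken (suppress hyphenation for those words in the nroff source); the remove entry earlier in the diff has the same `nss-witch.conf(5)` split.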
@@ -186,12 +177,9 @@
The output from the auths output looks as follows:
-
-
example% auths tester01 tester02
tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*
- example%
@@ -231,59 +214,40 @@
Set Date & Time
-
-
-
Example 3 Listing Authorizations
The following command lists the authorizations with descriptions in the
- name-service.
-
-
+ name service.
example% auths info -v solaris.user.manage
solaris.user.manage:
Manage user accounts
- example%
-
-
Example 4 Adding an Authorization
- The following adds the authorization solaris.foo.manage with descrip-
- tion manage foo and help file AuthFoo.html to the file's name-service
- repository.
-
-
-
-
- example% auths add -t "manage foo"\
- -h /home/abc/AuthFoo.html solaris.foo.manage
+ The following adds the authorization solaris.foo.manage with a descrip-
+ tion of "manage foo" to the files name service repository.
+ example% auths add -t "manage foo" solaris.foo.manage
Example 5 Modifying an Authorization
- The following example modifies the authorization solaris.foo.manage,
- sets the description to manage foo and bar, and sets the help file to
- AuthFooBar.html in LDAP.
-
-
+ The following example modifies the authorization solaris.foo.manage in
+ LDAP, setting the description to "manage foo and bars".
example% auths -S ldap modify -t " manage foo and bars"\
- -h /home/abc/AuthFooBar.html solaris.foo.manage
-
-
+ solaris.foo.manage
EXIT STATUS
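Review bot: Example 5 puts `-S ldap` before the subcommand (`auths -S ldap modify ...`) while the SYNOPSIS and the modify entry place it after (`auths modify [-S repository] ...`), and the description argument `" manage foo and bars"` has a leading space that would be stored verbatim in auth_attr. Suggest `example% auths modify -S ldap -t "manage foo and bars" solaris.foo.manage`.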
@@ -322,11 +286,28 @@
SEE ALSO
profiles(1), roles(1), getauthattr(3C), auth_attr(5), policy.conf(5),
- prof_attr(5), user_attr(5), attributes(7)
+ prof_attr(5), user_attr(5), attributes(7), rbac(7)
+
+
+ Securing Users and Processes in Oracle Solaris 11.4
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
+HISTORY
+ The auths command was added to Oracle Solaris in Solaris 8.
+
+
+ The subcommands add, check, info, list, modify, and remove, and the
+ options -h, -S, -t, -u, and -v were added in Solaris 11.1.0.
+
+
+ The -x option was added in Solaris 11.2.0.
+
+
+ The -h option to provide an html authorization helpfile was obsoleted
+ in Solaris 11.4.0.
+
-Oracle Solaris 11.4 06 Jan 2016 auths(1)
+Oracle Solaris 11.4 21 Jun 2021 auths(1)
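Review bot: "The auths command was added to Oracle Solaris in Solaris 8" is redundant; "The auths command was added in Solaris 8" is enough and matches the phrasing of the other HISTORY entries in this hunk.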
diff -NurbBw 11.4.36/man1/digest.1 11.4.39/man1/digest.1
--- 11.4.36/man1/digest.1 2021-11-16 13:14:11.782528157 +0000
+++ 11.4.39/man1/digest.1 2021-11-16 13:14:46.596833171 +0000
@@ -27,7 +27,9 @@
-v Verbose output. Includes the algorithm name and file-
- name in the output.
+ name in the output. This produces output similar to
+ the GNU coreutils digest utilities, md5sum(1),
+ sha1sum(1), sha256sum(1), sha512sum(1), etc.
-t truncation Specifies the digest truncation length, where t is any
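Review bot: the -v output format shown later on this page, `sha1 (/usr/lib/inet/in.ndpd) = fdb7...`, is the BSD-style layout that the coreutils tools emit only with `--tag`, not their default `hash  filename` layout, so output from `digest -v` fed to `sha256sum -c` in default mode would not verify. Say "similar to the GNU coreutils utilities when run with --tag" or drop the comparison.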
@@ -37,43 +39,38 @@
USAGE
Algorithms
- These algorithms are provided by the Cryptographic Framework. These
- values are used with the -a option and are case-sensitive.
+ The supported algorithms are displayed by the -l option. These algo-
+ rithms are provided by the Cryptographic Framework. These values are
+ used with the -a option and are case-sensitive.
EXAMPLES
- Example 1 Simulating Output
+ Example 1 Digesting a File
- The following example simulates output of the common md5sum program:
+ The following example generates the SHA256 digest of the file
+ /etc/motd:
+ example$ digest -a sha256 /etc/motd
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- example$ digest -v -a md5 /usr/bin/vi
- md5 (/usr/bin/vi) = e4e3588c5212903847c66d36b1a828a5
+ The following example displays the SHA512/256 digest of the file
+ /etc/motd:
- Example 2 Digesting a File
-
-
-
- The following example generates the sha1 digest of the file /etc/motd:
-
-
-
-
- example$ digest -a sha1 /etc/motd
- 9498a4f5303d056ad3ecae826b59f41448d63790
+ example $ digest -a sha512_t -t 256 /etc/motd
+ 1917c02fbf36970f354defef8c089adf5767cec93c3ca2b28fe29958c4361e69
- Example 3 Generating a Directory Manifest
+ Example 2 Generating a Directory Manifest
- The following example generates a directory manifest with sha1:
+ The following example generates a directory manifest with SHA-1:
example$ digest -v -a sha1 /usr/lib/inet/*
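Review bot: the new Example 1 value `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` is the SHA-256 of zero-byte input, so /etc/motd was empty when it was captured, yet the sha512_t example in the same hunk, carried over from old Example 4, shows `1917c02f...` for the same file, which is not the empty-input value. Regenerate both digests from the same file so the examples agree. Also `example $ digest` has a stray space in the prompt where every other example uses `example$`.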
@@ -87,26 +84,11 @@
sha1 (/usr/lib/inet/in.mpathd) = 5bd6bf0340fd5c4cc0c53f2df158302a0e85f9d0
sha1 (/usr/lib/inet/in.ndpd) = fdb768aebe7e5eb4465e1c1bb5e679b496f5c5c6
sha1 (/usr/lib/inet/in.ripngd) = 4f56a0df2d4a252f581a73c2e84143b920d0b66b
- sha1 (/usr/lib/inet/ncaconfd) = 7219542b5585a8d1104d7ce4a2ced07d8a260ea3
- sha1 (/usr/lib/inet/slpd) = dfa24cc0f0b05f790546d4f0948a9094f7089027
sha1 (/usr/lib/inet/wanboot) = a8b8c51c389c774d0be2ae43cb85d1b1439484ae
sha1 (/usr/lib/inet/ntpd) = 5b4aff102372cea801e7d08acde9655fec81f07c
-
- Example 4 Digesting a File Using sha512_t
-
-
-
- The following example displays the digesting of a file:
-
-
- example $ digest -a sha512_t -t 256 /etc/motd
- 1917c02fbf36970f354defef8c089adf5767cec93c3ca2b28fe29958c4361e69
-
-
-
- Example 5 Displaying a List of Available Algorithms
+ Example 3 Displaying a List of Available Algorithms
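Review bot: the manifest example is re-labelled "SHA-1" but still uses it, and a manifest whose purpose is to detect modified binaries should not lean on an algorithm with practical collisions; switch the example to `-a sha256` (supported per the algorithm list this change points to) or state that sha1 is shown only for compatibility with older manifests.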
@@ -156,6 +136,24 @@
cksum(1), encrypt(1), mac(1), libpkcs11(3LIB), attributes(7),
pkcs11_softtoken(7), bart(8), cryptoadm(8)
+HISTORY
+ The SHA-3 algorithms sha3_224, sha3_256, sha3_384, and sha3_512 were
+ added in Oracle Solaris 11.4.0.
+
+
+ The -t option and sha512_t algorithm were added in Solaris 11.4.0.
+
+
+ The sha224 algorithm was added in Solaris 11.1.0.
+
+
+ The SHA-2 algorithms sha256, sha384, and sha512 were added in Solaris
+ 10 6/06 (Update 2).
+
+
+ The digest command, and all other algorithms & options, were added in
+ Solaris 10 3/05.
+
-Oracle Solaris 11.4 18 Jan 2017 digest(1)
+Oracle Solaris 11.4 21 Jun 2021 digest(1)
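Review bot: the HISTORY section mixes "Oracle Solaris 11.4.0" and "Solaris 11.4.0" for the same release and lists entries newest first, whereas the auths(1) HISTORY added in this same change lists oldest first; pick one naming form and one ordering across the security man pages. "all other algorithms & options" should spell out "and".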
diff -NurbBw 11.4.36/man1/encrypt.1 11.4.39/man1/encrypt.1
--- 11.4.36/man1/encrypt.1 2021-11-16 13:14:11.814639850 +0000
+++ 11.4.39/man1/encrypt.1 2021-11-16 13:14:46.629610980 +0000
@@ -22,15 +22,15 @@
[-i input_file] [-o output_file]
DESCRIPTION
- This utility encrypts or decrypts the given file or stdin using the
- algorithm specified. If no output file is specified, output is to stan-
- dard out. If the cryptoadm -i and -o options specify the same file, the
- encrypted output is written to a temporary work file in the same file
- system and then used to replace the original file.
+ These utilities encrypt or decrypt the given input file using the algo-
+ rithm specified. If no input file is specified, input is read from
+ standard input. If no output file is specified, output is printed to
+ standard output.
- Upon decryption, if the cryptoadm -i and -o options specify the same
- file, the cleartext replaces the ciphertext file.
+ If the -i and -o options specify the same file, the output is written
+ to a temporary work file in the same file system and then renamed to
+ replace the original input file.
The output file of encrypt and the input file for decrypt contains the
@@ -44,7 +44,7 @@
work byte order.
- o IV (ivlen bytes)[1]. iv data is generated by random bytes
+ o IV (ivlen bytes)[1]. IV data is generated by random bytes
equal to one block size.
@@ -59,14 +59,13 @@
-a algorithm Specify the name of the algorithm to use during the
encryption or decryption process. Note that some weak
- algorithms may be available for use with decrypt com-
- mand only and not for encryption. See USAGE, Algo-
- rithms for details. For more information on weak
- algorithms, see the decrypt(1) man page.
+ algorithms may be available for use with the decrypt
+ command only and not for encryption. See USAGE, Algo-
+ rithms for details.
- -i input_file Specify the input file. Default is stdin if
- input_file is not specified.
+ -i input_file Specify the input file. The default is standard input
+ if -i is not specified.
-k key_file Specify the file containing the key value for the
@@ -81,7 +80,8 @@
For information on generating a key file, see the
genkey subcommand in pktool(1). Alternatively, dd(8)
- can be used.
+ can be used to read data from the random(4D) device
+ to generate a key file.
-K key_label Specify the label of a symmetric token key in a
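Review bot: "dd(8) can be used to read data from the random(4D) device to generate a key file" should give the command and the constraint that makes it work: the file must be exactly one of the key sizes that `encrypt -l` lists (shown in bits, so bytes = bits/8), e.g. `dd if=/dev/random of=key bs=16 count=1` for a 128-bit AES key. A key file of the wrong length is the obvious failure mode and the text does not mention it.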
@@ -91,19 +91,18 @@
-l Display the list of algorithms available on the sys-
tem. This list can change depending on the configura-
tion of the cryptographic framework. The list is also
- likely to be different for encrypt(1) and decrypt
+ likely to be different for the encrypt and decrypt
commands, as some algorithms such as arcfour and des
- cannot be used for encryption but only for decryp-
- tion. The keysizes are displayed in bits. For more
- information, see the decrypt(1) man page.
+ can no longer be used for encryption, but only for
+ decryption. The keysizes are displayed in bits.
- -o output_file Specify output file. Default is stdout if output_file
- is not specified. If stdout is used without redirect-
- ing to a file, the terminal window can appear to hang
- because the raw encrypted or decrypted data has dis-
- rupted the terminal emulation, much like viewing a
- binary file can do at times.
+ -o output_file Specify output file. The default is standard output
+ if -o is not specified. If standard output is used
+ without redirecting to a file, the terminal window
+ can appear to hang because the raw encrypted or
+ decrypted data has disrupted the terminal emulation,
+ much like viewing a binary file can do at times.
-T token_spec Specify a PKCS#11 token other than the default soft
@@ -118,7 +117,7 @@
option does not require them to be typed as a conve-
nience to the user.
- Colon separates token identification string. If any
+ Colon separated token identification string. If any
of the parts have a literal colon (:) character, it
must be escaped by a backslash (\). If a colon (:) is
not found, the entire string (up to 32 characters) is
@@ -133,7 +132,7 @@
USAGE
Algorithms
The supported algorithms are displayed with their minimum and maximum
- key sizes in the -l option. These algorithms are provided by the cryp-
+ key sizes by the -l option. These algorithms are provided by the cryp-
tographic framework. Each supported algorithm is an alias of the PKCS
#11 mechanism that is the most commonly used and least restricted ver-
sion of a particular algorithm type. For example, aes is an alias to
@@ -151,7 +150,7 @@
When a passphrase is used with encrypt and decrypt, the user entered
passphrase is turned into an encryption key using the PBKDF2 algorithm
- as defined in PKCS #5 v2.0..
+ as defined in PKCS #5 v2.0.
Verbose
If an input file is provided to the command, a progress bar spans the
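Review bot: beyond the double-period fix, this paragraph still omits the PBKDF2 parameters a reader needs to judge passphrase-based encryption: the iteration count, the salt length, and where the salt is stored (the output-format list earlier on the page describes the IV; if the salt travels with it, say so here or cross-reference that section).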
@@ -168,10 +167,8 @@
The following example lists available algorithms:
-
-
example$ encrypt -l
- Algorithm Keysize: Min Max
+ Algorithm Keysize: Min Max (bits)
-----------------------------------
aes 128 256
3des 128 192
@@ -178,15 +175,11 @@
camellia 128 256
-
Example 2 Encrypting Using AES
- The following example encrypts using AES and prompts for the encryption
- key:
-
-
+ The following example encrypts using AES and prompts for a passphrase:
example$ encrypt -a aes -i myfile.txt -o secretstuff
@@ -201,42 +193,31 @@
created:
-
-
example$ pktool genkey keystore=file keytype=aes keylen=128 \
outkey=key
example$ encrypt -a aes -k key -i myfile.txt -o secretstuff
+ Example 4 Using Pipes to Provide Encrypted Tape Backup
- Example 4 Using an In Pipe to Provide Encrypted Tape Backup
-
-
-
- The following example uses an in pipe to provide encrypted tape backup:
-
-
-
-
- example$ ufsdump 0f - /var | encrypt -a aes \
- -k /etc/mykeys/backup.k | dd of=/dev/rmt/0
+ The following example uses pipes to provide encrypted tape backup:
+ example$ tar xcf - mydata | encrypt -a aes \
+ -k ./backup.key | dd of=/dev/rmt/0
- Example 5 Using an In Pipe to Restore Tape Backup
+ Example 5 Using Pipes to Restore Tape Backup
- The following example uses and in pipe to restore a tape backup:
+ The following example uses pipes to restore a tape backup:
-
- example$ decrypt -a aes -k /etc/mykeys/backup.k \
- -i /dev/rmt/0 | ufsrestore xvf -
-
+ example$ decrypt -a aes -k ./backup.key \
+ -i /dev/rmt/0 | tar zxvf -
Example 6 Encrypting an Input File Using the 3DES Algorithm
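Review bot: the new Example 4 command `tar xcf - mydata` combines extract (x) with create (c) and will not produce an archive; it must be `tar cf - mydata`. Example 5 then restores with `tar zxvf -`, where `z` asks for gunzip but nothing in Example 4 compressed the stream, so use `tar xvf -` (or add gzip before encrypt in Example 4, compress-then-encrypt being the right order anyway). Also `./backup.key` must be a key file of a valid AES length, as the -k description requires; a pointer to Example 3's pktool genkey would make that explicit.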
@@ -262,9 +240,7 @@
pktool(1):
-
-
- example$ encrypt -a aes -K mydeskey \
+ example$ encrypt -a aes -K myaeskey \
-T "Sun Software PKCS#11 softtoken" -i inputfile \
-o outputfile
@@ -318,12 +289,19 @@
attributes(7), pkcs11_softtoken(7), dd(8)
- https://tools.ietf.org/html/rfc2898
+ Kaliski, B., RFC 2898, PKCS #5: Password-Based Cryptography Specifica-
+ tion, Version 2.0, September 2000. https://tools.ietf.org/html/rfc2898
+
+
+ https://www.oasis-open.org/committees/pkcs11/
+
+HISTORY
+ The -K and -T options were added in Oracle Solaris 11.0.
- https://www.emc.com/emc-plus/rsa-labs/standards-initia-
- tives/pkcs-11-cryptographic-token-interface-standard.htm
+ The encrypt and decrypt commands, and all other options, were added in
+ Solaris 10 3/05.
-Oracle Solaris 11.4 17 Jan 2017 encrypt(1)
+Oracle Solaris 11.4 21 Jun 2021 encrypt(1)
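Review bot: the expanded RFC 2898 citation is correct for PKCS #5 v2.0, but RFC 2898 has been obsoleted by RFC 8018 (PKCS #5 v2.1, January 2017), which leaves PBKDF2 unchanged; cite RFC 8018 at https://tools.ietf.org/html/rfc8018 or mark 2898 as obsoleted so readers land on the current text.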
diff -NurbBw 11.4.36/man1/groups.1 11.4.39/man1/groups.1
--- 11.4.36/man1/groups.1 2021-11-16 13:14:11.860875253 +0000
+++ 11.4.39/man1/groups.1 2021-11-16 13:14:46.658221594 +0000
@@ -10,28 +10,22 @@
DESCRIPTION
The command groups prints on standard output the groups to which you or
- the optionally specified user belong. Each user belongs to a group
- specified in /etc/passwd and possibly to other groups as specified in
- /etc/group. Note that /etc/passwd specifies the numerical ID (gid) of
- the group. The groups command converts gid to the group name in the
- output.
+ the optionally specified users belong. Each user belongs to a group
+ specified in the passwd(5) database and possibly to other groups as
+ specified in the group(5) database. Note that the passwd database spec-
+ ifies the numerical ID (gid) of the group. The groups command converts
+ gid to the group name in the output, if it can find a matching group
+ name in the group database.
EXAMPLES
The output takes the following form:
example% groups tester01 tester02
- tester01 : staff
+ tester01 : staff sysadmin
tester02 : staff
example%
-FILES
- /etc/passwd
-
-
- /etc/group
-
-
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
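Review bot: "converts gid to the group name in the output, if it can find a matching group name in the group database" leaves open what is printed when no name matches; state it explicitly (presumably the numeric gid is printed as-is). Since the lookup now goes through the name service rather than /etc/group directly, the nsswitch.conf(5) reference added to SEE ALSO belongs in this paragraph too.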
@@ -43,8 +37,8 @@
+-----------------------------+-----------------------------+
SEE ALSO
- group(5), passwd(5), attributes(7)
+ group(5), nsswitch.conf(5), passwd(5), attributes(7)
-Oracle Solaris 11.4 14 Sep 1992 groups(1)
+Oracle Solaris 11.4 21 Jun 2021 groups(1)
diff -NurbBw 11.4.36/man1/kmfcfg.1 11.4.39/man1/kmfcfg.1
--- 11.4.36/man1/kmfcfg.1 2021-11-16 13:14:11.924868172 +0000
+++ 11.4.39/man1/kmfcfg.1 2021-11-16 13:14:46.704616922 +0000
@@ -33,9 +33,7 @@
The format for the create subcommand is as follows:
-
-
- create [dbfile=dbfile] policy=policyname
+ kmfcfg create [dbfile=dbfile] policy=policyname
[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
@@ -44,7 +42,6 @@
[trust-intermediate-cas=true|false]
[max-cert-path-length=max length in cert path]
[validity-adjusttime=adjusttime]
- [ta-name=trust anchor subject DN]
[ta-name=trust anchor subject DN | search]
[ta-serial=trust anchor serial number]
[http-proxy=URL]
@@ -63,8 +60,8 @@
[crl-ignore-crl-sign=true|false]
[crl-ignore-crl-date=true|false]
[bypass-ipsec-policy=true|false]
- [keyusage=digitalSignature|nonRepudiation
- |keyEncipherment | dataEncipherment |
+ [keyusage=digitalSignature | nonRepudiation |
+ keyEncipherment | dataEncipherment |
keyAgreement |keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[ekunames=serverAuth | clientAuth |
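Review bot: the keyusage list is only partly normalized: the reflowed lines now read `digitalSignature | nonRepudiation |`, but the unchanged continuation `keyAgreement |keyCertSign |` still lacks the space after `|`; fix the whole list in one pass, and apply the same fix to the copy in the modify synopsis later in this diff.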
@@ -78,11 +75,9 @@
[mapper-path=full pathname of mapper library]
[mapper-options=mapper options]
-
-
The create subcommand supports the following options:
- cert-revoke-responder-timeout:
+ cert-revoke-responder-timeout=timeout
Set the maximum timeout value in seconds to wait for the CRL or
OCSP responder. The default value is 30 seconds. The maximum
@@ -141,16 +136,6 @@
The default for this attribute is false.
- http-proxy= URL
-
- Sets the proxy server name and port for contacting servers for
- CRLs, OCSP, or downloading certificates.
-
- The port number is optional. If the port number is not speci-
- fied, the default value is 8080. An example crl-proxy setting
- might be: crl-proxy=webcache.sfbay:8080.
-
-
crl-proxy= URL
Sets the proxy server name and port for dynamically retrieving
@@ -159,7 +144,7 @@
The port number is optional. If the port number is not speci-
fied, the default value is 8080. An example crl-proxy setting
- might be: crl-proxy=webcache.sfbay:8080.
+ might be: crl-proxy=webcache.example.com:8080.
dbfile=dbfile
@@ -193,6 +178,16 @@
set, then the extended key usage checking is turned on.
+ http-proxy=URL
+
+ Sets the proxy server name and port for contacting servers for
+ CRLs, OCSP, or downloading certificates.
+
+ The port number is optional. If the port number is not speci-
+ fied, the default value is 8080. An example crl-proxy setting
+ might be: crl-proxy=webcache.example.com:8080.
+
+
ignore-cert-revoke-responder-timeout=true | false
Define the behavior after a cert-revoke-responder-timeout expi-
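Review bot: the http-proxy entry moved here still carries the example copied from crl-proxy: "An example crl-proxy setting might be: crl-proxy=webcache.example.com:8080". Under http-proxy it should read `http-proxy=webcache.example.com:8080`, and it is worth stating here, as the ocsp-proxy entry already does, that the per-protocol crl-proxy and ocsp-proxy values take precedence over this global one.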
@@ -212,13 +207,6 @@
their validity.
- ignore-unknown-eku=true | false
-
- Set the Ignore Unknown EKU option for this policy. By default
- this value is false. If true, the policy ignores any unrecog-
- nized EKU values in the Extended Key Usage extension.
-
-
ignore-trust-anchor=true | false
Set the Ignore Trust Anchor option for this policy. By default
@@ -227,6 +215,13 @@
anchor certificate at validation.
+ ignore-unknown-eku=true | false
+
+ Set the Ignore Unknown EKU option for this policy. By default
+ this value is false. If true, the policy ignores any unrecog-
+ nized EKU values in the Extended Key Usage extension.
+
+
keyusage=KUVALUES
A comma separated list of key usage values that are required by
@@ -236,6 +231,30 @@
pherOnly
+ mapper-name=name
+ mapper-dir=directory
+ mapper-path=path
+ mapper-options=options
+
+ These four options support the certificate to name mapping.
+ mapper-name provides the name of the mapper. For example, the
+ name "cn" represents the mapper object kmf_mapper_cn.so.1. map-
+ per-dir overrides the default mapper directory /lib/crypto.
+ mapper-path specifies the full path to the mapper object. map-
+ per-options is an ASCII-only string of a maximum of 255 bytes
+ long. Its format is mapper specific but mappers are expected to
+ accept a comma separated list of options, for example casesen-
+ sitive,ignoredomain. mapper-path and mapper-name are mutually
+ exclusive. mapper-dir can be set only if mapper-name is set.
+ mapper-options can be set only if mapper-name or mapper-path is
+ set. Trying to use any of the above mentioned incorrect set-
+ tings results in an error and the policy database is not modi-
+ fied.
+
+
+
+
+
max-cert-path-length=number
Specifies the maximum certificate length allowed in the cer-
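Review bot: the relocated mapper-* block ends with four added empty lines where every other option ends with two; trim them. Also "the name "cn" represents the mapper object kmf_mapper_cn.so.1" would be more useful stated as the rule, if that is the general pattern (kmf_mapper_<name>.so.1 under /lib/crypto unless mapper-dir overrides it), rather than only the single example.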
@@ -245,8 +264,7 @@
ocsp-ignore-response-sign=true | false
If this attribute is set to true, the signature of the OCSP
- response is not verified. This attribute value is default to
- false.
+ response is not verified. By default this value is false.
ocsp-proxy=URL
@@ -254,7 +272,7 @@
Set the proxy server name and port for OCSP. The port number is
optional. If the port number is not specified, the default
value is 8080. An example ocsp-proxy setting might be: ocsp-
- proxy="webcache.sfbay:8080"
+ proxy="webcache.example.com:8080"
This value takes precedence over the global http-proxy value.
@@ -285,8 +303,8 @@
ocsp-responder=URL
Set the OCSP responder URL for use with the OCSP validation
- method. For example, ocsp-respon-
- der=http://ocsp.verisign.com/ocsp/status
+ method. For example, ocsp-responder=http://ocsp.exam-
+ ple.com/ocsp/status
ocsp-use-cert-responder=true | false
@@ -348,39 +366,15 @@
These two attributes represent the trust anchor certificate and
are used to find the trust anchor certificate in the keystore.
The ta-name is to specify the distinguished name of the trust
- anchor certificate subject name. For example, ta-name="O=Sun
- Microsystems Inc., \ OU=Solaris Security Technologies Group, \
- L=Ashburn, ST=VA, C=US, CN=John Smith" The serial number of the
- TA certificate. This, along with the Issuer DN, is used to find
- the TA certificate in the keystore. The serial number must be
+ anchor certificate subject name. For example, ta-name="O=Oracle
+ Corporation, OU=Solaris Security Technologies Group, L=Ashburn,
+ ST=VA, C=US, CN=John Smith". The ta-serial is to specify the
+ serial number of the TA certificate. The serial number must be
specified as a hex value, for example,
- 0x0102030405060708090a0b0c0d0e The trust anchor attributes need
- to be set, if the value of ignore-trust-anchor attribute is
- false.
-
-
- mapper-name=name
- mapper-dir=directory
- mapper-path=path
- mapper-options=options
-
- These four options support the certificate to name mapping.
- mapper-name provides the name of the mapper. For example, the
- cn name represents the mapper object kmf_mapper_cn.so.1. map-
- per-dir overrides the default mapper directory /lib/crypto.
- mapper-path specifies the full path to the mapper object. map-
- per-options is an ASCII only string of maximum of 255 bytes
- long. Its format is mapper specific but mappers are expected to
- accept a comma separated list of options, for example casesen-
- sitive,ignoredomain. mapper-path and mapper-name are mutually
- exclusive. mapper-dir can be set only if mapper-name is set.
- mapper-options can be set only if mapper-name or mapper-path is
- set. Trying to use any of the above mentioned incorrect set-
- tings results in an error and the policy database is not modi-
- fied.
-
-
-
+ 0x0102030405060708090a0b0c0d0e. This, along with the Issuer DN,
+ is used to find the TA certificate in the keystore. The trust
+ anchor attributes need to be set if the value of ignore-trust-
+ anchor attribute is false.
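Review bot: the rewritten ta-name/ta-serial text says ta-name is the trust anchor certificate's subject DN, then says the serial "along with the Issuer DN, is used to find the TA certificate in the keystore"; a certificate is identified by issuer DN plus serial, so one of the two sentences is wrong. Check which DN the lookup code actually matches and make both sentences name the same one.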
@@ -392,18 +386,14 @@
The format for the delete subcommand is as follows:
-
-
- delete [dbfile=dbfile] policy=policyname
-
-
+ kmfcfg delete [dbfile=dbfile] policy=policyname
The delete subcommand supports the following options:
dbfile=dbfile Read policy definitions from the indicated
- file. If dbfile is not specified, , the
- default is the system KMF policy database
- file: /etc/security/kmfpolicy.xml.
+ file. If dbfile is not specified, the default
+ is the system KMF policy database file:
+ /etc/security/kmfpolicy.xml.
policy=policyname The name of the policy to delete. policyname
@@ -448,11 +433,7 @@
The format for the help subcommand is as follows:
-
-
- help
-
-
+ kmfcfg help
@@ -464,24 +445,20 @@
The format for the import subcommand is as follows:
-
-
kmfcfg import policy=policyname infile=inputdbfile [dbfile=dbfile]
-
-
The import subcommand supports the following options:
- policy=policyname The policy record to be imported.
+ dbfile=outdbfile The DB file to add the new policy. If not
+ specified, the default is the system KMF pol-
+ icy database file /etc/security/kmfpol-
+ icy.xml.
infile=inputdbfile The DB file to read the policy from.
- dbfile=outdbfile The DB file to add the new policy. If not
- specified, the default is the system KMF pol-
- icy database file /etc/security/kmfpol-
- icy.xml.
+ policy=policyname The policy record to be imported.
@@ -493,11 +470,7 @@
The format for the list subcommand is as follows:
-
-
- list [dbfile=dbfile] [policy=policyname]
-
-
+ kmfcfg list [dbfile=dbfile] [policy=policyname]
The list subcommand supports the following options:
@@ -520,7 +493,7 @@
The format for the modify subcommand is as follows:
- modify [dbfile=dbfile] policy=policyname
+ kmfcfg modify [dbfile=dbfile] policy=policyname
[ignore-date=true|false]
[ignore-unknown-eku=true|false]
[ignore-trust-anchor=true|false]
@@ -549,16 +522,14 @@
[crl-ignore-crl-date=true|false]
[crl-none=true|false]
[bypass-ipsec-policy=true|false]
- [keyusage=digitalSignature| nonRepudiation
- |keyEncipherment | dataEncipherment |
+ [keyusage=digitalSignature | nonRepudiation |
+ keyEncipherment | dataEncipherment |
keyAgreement |keyCertSign |
cRLSign | encipherOnly | decipherOnly],[...]
[keyusage-none=true|false]
- [ekunames=serverAuth | clientAuth |
- codeSigning | emailProtection |
- ipsecEndSystem | ipsecTunnel |
- ipsecUser | timeStamping |
- OCSPSigning],[...]
+ [ekunames=serverAuth | clientAuth | codeSigning |
+ emailProtection | ipsecEndSystem | ipsecTunnel |
+ ipsecUser | timeStamping | OCSPSigning],[...]
[ekuoids=OID,OID,OID]
[eku-none=true|false]
[mapper-name=name of the mapper]
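Review bot: Spacing in the keyusage list is still inconsistent after this hunk: the rewritten lines use ` | ` throughout, but the unchanged line `keyAgreement |keyCertSign |` keeps the old `|keyCertSign` form, so the normalisation stops one line short. Suggest `keyAgreement | keyCertSign |` to match the lines above and below it.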
@@ -578,7 +549,7 @@
attribute is set to true, other CRL attributes cannot be set.
- dfile=[dbfile]
+ dbfile=[dbfile]
The database file to modify a policy. If not specified, the
default is the system KMF policy database file /etc/secu-
@@ -631,20 +602,9 @@
ified.
- mapper-name=name
- mapper-dir=directory
- mapper-path=path
- mapper-options=options
-
- See the create subcommand for more information.
-
-
-
-
-
Plugin Subcommands
- install keystore=keystore_name modulepath=pathname\ [option=option_str]
+ install keystore=keystore_name modulepath=pathname [option=option_str]
Install a plugin into the system. The modulepath field specifies
the pathname to a KMF plugin shared library object. If pathname is
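Review bot: Removing the mapper-name/mapper-dir/mapper-path/mapper-options entries together with the `See the create subcommand for more information.` cross-reference leaves `[mapper-name=name of the mapper]` in the modify synopsis earlier in this diff with no description of the attribute anywhere in the visible changes. Either keep a one-line entry here or point to the section that now documents the mapper attributes. The `modulepath=pathname\` to `modulepath=pathname` fix in the same hunk is correct.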
@@ -659,8 +619,8 @@
Display KMF plugin information.
- Without the pluginkeyword, kmfcfg list shows the policy information
- as described in the SUBCOMMANDS section.
+ Without the plugin keyword, kmfcfg list shows the policy informa-
+ tion as described in the SUBCOMMANDS section.
modify plugin keystore=keystore_name option=option_str
@@ -729,6 +684,24 @@
SEE ALSO
attributes(7)
+HISTORY
+ The bypass-ipsec-policy, cert-revoke-responder-timeout, http-proxy,
+ http-proxy-none, ignore-cert-revoke-responder-timeout, max-cert-path-
+ length, and trust-intermediate-cas attributes were added in Oracle
+ Solaris 11.2.0.
+
+
+ The mapper-dir, mapper-name, mapper-path, and mapper-options attributes
+ were added in Solaris 11.0.
+
+
+ Plugin support, including the install, list plugin, modify plugin, and
+ uninstall subcommands, was added in Solaris 11.0.
+
+
+ The kmfcfg command and all other subcommands & attributes were added in
+ Solaris 10 8/07 (Update 4).
+
-Oracle Solaris 11.4 27 Nov 2017 kmfcfg(1)
+Oracle Solaris 11.4 21 Jun 2021 kmfcfg(1)
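Review bot: The new HISTORY section mixes release naming styles: `Oracle Solaris 11.2.0` in the first paragraph, `Solaris 11.0` without a patch digit in the next two, and `Solaris 10 8/07 (Update 4)` in the last. Use one form consistently (the passwd(1) HISTORY later in this diff uses `Solaris 11.4.0`, `11.3.4`, `11.0.0`), and replace `subcommands & attributes` with `subcommands and attributes` to match the surrounding prose.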
diff -NurbBw 11.4.36/man1/lari.1 11.4.39/man1/lari.1
--- 11.4.36/man1/lari.1 2021-11-16 13:14:11.966327040 +0000
+++ 11.4.39/man1/lari.1 2021-11-16 13:14:46.750855641 +0000
@@ -36,31 +36,30 @@
file specified on the command line.
- Without the -D option, lari processes files as dynamic ELF objects by
- using ldd(1). This processing uses the following options:
+ The lari utility can analyze userland and kernel objects:
- -r and -e LD_DEBUG=files,bindings,detail
-
-
-
- These options provide information on all bindings that are established
- as part of loading the object. Notice that by using ldd, the specified
- object is not executed, and hence no user controlled loading of
- objects, by dlopen(3C) for example, occurs. To capture all binding
- information from an executing process, the following environment vari-
- ables can be passed directly to the runtime linker, ld.so.1(1):
-
- LD_DEBUG=files,bindings,detail LD_DEBUG_OUTPUT=lari.dbg \
- LD_BIND_NOW=yes
+ Userland Dynamic executable and shared objects are used by user pro-
+ cesses, and are managed at runtime by the runtime linker,
+ ld.so.1(1). The lari utility processes files as dynamic ELF
+ objects by using ldd(1).
+
+ The ldd utility provides information on all bindings that
+ are established as part of loading the object. Due to the
+ use of the ldd, the specified object is not executed, and
+ no user controlled loading of objects by dlopen(3C) occurs.
+ The -D option can be employed to analyze such cases. See
+ Analysis of User Controlled Object Loading under EXTENDED
+ DESCRIPTION.
+ Kernel Kernel modules are used by the unix kernel, and are managed
+ at runtime by the Kernel Runtime Linker (krtld). The lari
+ utility processes kernel modules by using kldd(1). This
+ processing uses the -r and -b kldd options to obtain
+ information on all bindings that are established as part of
+ loading the object. Due to the use of kldd, the specified
+ kernel module is not loaded or executed.
- The resulting debug output, lari.dbg.pid, can be processed by lari
- using the -D option. Note: lari attempts to analyze each object that
- has been processed using the path name defined in the debug output.
- Each object must therefore be accessible to lari for a complete, accu-
- rate analysis to be provided. The debug output file must be generated
- in the C locale.
When displaying interface information, lari analyzes the interfaces of
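Review bot: `Due to the use of the ldd, the specified object is not executed` in the new Userland item has a stray article; `ldd` is a command name, so it should read `Due to the use of ldd`. The same phrase is introduced again in the new `Analysis of User Controlled Object Loading` section later in this diff. Otherwise the split into Userland and Kernel items reads clearly, and it is useful that both items state that the analysed object is neither executed nor loaded.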
@@ -111,7 +110,8 @@
-D Interprets any input files as debugging information rather
- than as dynamic objects.
+ than as dynamic objects. See Analysis of User Controlled
+ Object Loading under EXTENDED DESCRIPTION.
-i Displays interesting interface binding information. This
@@ -132,8 +132,8 @@
mation under EXTENDED DESCRIPTION.
- -s Saves the bindings information produced from ldd(1) for
- further analysis. See FILES.
+ -s Saves the bindings information produced from ldd(1), or
+ kldd(1), for further analysis. See FILES.
-v Ignores any objects that are already versioned. Versioned
@@ -170,20 +170,20 @@
Each line describes the interface symbol, symbol-name, together with
the object, object-name, in which the symbol is defined. If the symbol
represents a function, the symbol name is followed by (). If the symbol
- represents a data object, the symbol name is followed by the symbols
+ represents a data object, the symbol name is followed by the symbol
size, enclosed within []. If the -C option is used, the symbol name is
- accompanied by the symbols demangled name, demangled-name. The informa-
- tion field provides one or more of the following tokens that describe
- the symbol's use:
+ accompanied by the demangled name, demangled-name. The information
+ field provides one or more of the following tokens that describe the
+ symbol's use:
cnt:bnd Two decimal values indicate the symbol count, cnt, and the
- number of bindings to this object, bnd. The symbol count is
- the number of occurrences of this symbol definition that
- have been found in the objects that are analyzed. A count
- that is greater than 1 indicates multiple instances of a
- symbol definition. The number of bindings indicate the num-
- ber of objects that have been bound to this symbol defini-
- tion by the runtime linker.
+ number of bindings to this object, bnd. The symbol count
+ is the number of occurrences of this symbol definition
+ that have been found in the objects that are analyzed. A
+ count that is greater than 1 indicates multiple instances
+ of a symbol definition. The number of bindings indicate
+ the number of objects that have been bound to this symbol
+ definition by the runtime linker.
E This symbol definition has been bound to from an external
@@ -194,56 +194,67 @@
object.
- D This symbol definition has been directly bound to.
+ The following tokens are specific to userland executables and shared
+ objects:
- I This symbol definition provides for an interposer. An object
- that explicitly identifies itself as an interposer defines
- all global symbols as interposers. See the -z interpose
- option of ld(1), and the LD_PRELOAD variable of ld.so.1(1).
- Individual symbols within a dynamic executable can be
- defined as interposers by using the INTERPOSE mapfile
- directive.
+ A This symbol definition is the address of a procedure link-
+ age table entry within a dynamic executable.
- C This symbol definition is the reference data of a copy-relo-
- cation.
+ C This symbol definition is the reference data of a copy-
+ relocation.
- F This symbol definition resides in a filtee.
-
-
- P This symbol is defined as protected. This symbol might have
- an internal binding from the object in which the symbol is
- declared. Any internal bindings with this attribute can not
- be interposed upon by another symbol definition.
+ D This symbol definition has been directly bound to.
- A This symbol definition is the address of a procedure linkage
- table entry within a dynamic executable.
+ F This symbol definition resides in a filtee.
- U This symbol lookup originated from a user request, for exam-
- ple, dlsym(3C).
+ I This symbol definition provides for an interposer. An
+ object that explicitly identifies itself as an interposer
+ defines all global symbols as interposers. See the -z
+ interpose option of ld(1), and the LD_PRELOAD variable of
+ ld.so.1(1). Individual symbols within a dynamic executable
+ can be defined as interposers by using the INTERPOSE map-
+ file directive.
+
+
+ N This symbol definition explicitly prohibits directly bind-
+ ing to the definition.
+
+
+ P This symbol is defined as protected. This symbol might
+ have an internal binding from the object in which the sym-
+ bol is declared. Any internal bindings with this attribute
+ can not be interposed upon by another symbol definition.
R This symbol definition is acting as a filter, and provides
for redirection to a filtee.
- r A binding to this symbol was rejected at some point during a
- symbol search. A rejection can occur when a direct binding
- request finds a symbol that has been tagged to prevent
+ r A binding to this symbol was rejected at some point during
+ a symbol search. A rejection can occur when a direct bind-
+ ing request finds a symbol that has been tagged to prevent
direct binding. In this scenario, the symbol search is
- repeated using a default search model. The binding can still
- resolve to the original, rejected symbol. A rejection can
- also occur when a non-default symbol search finds a symbol
- identified as a singleton. Again, the symbol search is
- repeated using a default search model.
+ repeated using a default search model. The binding can
+ still resolve to the original, rejected symbol. A rejec-
+ tion can also occur when a non-default symbol search finds
+ a symbol identified as a singleton. Again, the symbol
+ search is repeated using a default search model.
+
+
+ U This symbol lookup originated from a user request, for
+ example, dlsym(3C).
+
- N This symbol definition explicitly prohibits directly binding
- to the definition.
+ The following token is specific to kernel modules:
+
+ M This symbol definition is a module stub (modstub) provided
+ by the unix kernel.
@@ -265,54 +276,57 @@
When an interesting symbol definition is discovered, all other defini-
- tions of the same symbol are output.
-
-
- The focus of interesting interface information is the existence of mul-
- tiple definitions of a symbol. In this case, one symbol typically
- interposes on one or more other symbol definitions. This interposition
- is seen when the binding count, bnd, of one definition is non-zero,
- while the binding count of all other definitions is zero. Interposition
- that results from the compilation environment, or the linking environ-
- ment, is not characterized as interesting. Examples of these interposi-
- tion occurrences include copy relocations ([C]) and the binding to pro-
- cedure linkage addresses ([A]).
-
+ tions of the same symbol are output. The focus of interesting interface
+ information is the existence of multiple definitions of a symbol. How-
+ ever, the userland and kernel runtime linking environments differ sub-
+ stantially in the details of their operations, and so, the ways in
+ which multiple definitions become interesting differ.
+
+ Userland
+
+ The userland runtime linking environment provides the concept of
+ interposition, in which one symbol typically interposes on one or
+ more other symbol definitions. This interposition is seen when the
+ binding count, bnd, of one definition is non-zero, while the bind-
+ ing count of all other definitions is zero. Interposition that
+ results from the compilation environment, or the linking environ-
+ ment, is not characterized as interesting. Examples of these inter-
+ position occurrences include copy relocations ([C]) and the binding
+ to procedure linkage addresses ([A]).
Interposition is often desirable. The intent is to overload, or
- replace, the symbolic definition from a shared object. Interpositioning
- objects can be explicitly tagged ([I]), using the -z interpose option
- of ld(1). These objects can safely interpose on symbols, no matter what
- order the objects are loaded in a process. However, be cautious when
- non-explicit interposition is employed, as this interposition is a con-
- sequence of the load-order of the objects that make up the process.
-
+ replace, the symbolic definition from a shared object. Interposi-
+ tioning objects can be explicitly tagged ([I]), using the -z inter-
+ pose option of ld(1). These objects can safely interpose on sym-
+ bols, no matter what order the objects are loaded in a process.
+ However, be cautious when non-explicit interposition is employed,
+ as this interposition is a consequence of the load-order of the
+ objects that make up the process.
+
+ User-created, multiply-defined symbols are output from lari as
+ interesting. In this example, two definitions of interpose1()
+ exist, but only the definition in main is referenced:
- User-created, multiply-defined symbols are output from lari as inter-
- esting. In this example, two definitions of interpose1() exist, but
- only the definition in main is referenced:
[2:1E]: interpose1(): ./main
[2:0]: interpose1(): ./libA.so
+ Interposition can also be an undesirable and surprising event,
+ caused by an unexpected symbol name clash. A symptom of this inter-
+ position might be that a function is never called although you know
+ a reference to the function exists. This scenario can be identified
+ as a multiply defined symbol, as covered in the previous example.
+ However, a more surprising scenario is often encountered when an
+ object both defines and references a specific symbol.
+
+ An example of this scenario is if two dynamic objects define and
+ reference the same function, interpose2(). Any reference to this
+ symbol binds to the first dynamic object loaded with the process.
+ In this case, the definition of interpose2() in object libA.so
+ interposes on, and hides, the definition of interpose2() in object
+ libB.so. The output from lari might be:
- Interposition can also be an undesirable and surprising event, caused
- by an unexpected symbol name clash. A symptom of this interposition
- might be that a function is never called although you know a reference
- to the function exists. This scenario can be identified as a multiply
- defined symbol, as covered in the previous example. However, a more
- surprising scenario is often encountered when an object both defines
- and references a specific symbol.
-
-
- An example of this scenario is if two dynamic objects define and refer-
- ence the same function, interpose2(). Any reference to this symbol
- binds to the first dynamic object loaded with the process. In this
- case, the definition of interpose2() in object libA.so interposes on,
- and hides, the definition of interpose2() in object libB.so. The output
- from lari might be:
-
[2:2ES]: interpose2(): ./libA.so
[2:0]: interpose2(): ./libB.so
@@ -316,14 +330,49 @@
[2:2ES]: interpose2(): ./libA.so
[2:0]: interpose2(): ./libB.so
-
-
Multiply defined symbols can also be bound to separately. Separate
- bindings can be the case when direct bindings are in effect ([D]), or
- because a symbol has protected visibility ([P]). Although separate
- bindings can be explicitly established, instances can exist that are
- unexpected and surprising. Directly bound symbols, and symbols with
- protected visibility, are output as interesting information.
+ bindings can be the case when direct bindings are in effect ([D]),
+ or because a symbol has protected visibility ([P]). Although sepa-
+ rate bindings can be explicitly established, instances can exist
+ that are unexpected and surprising. Directly bound symbols, and
+ symbols with protected visibility, are output as interesting infor-
+ mation.
+
+
+ Kernel
+
+ The kernel runtime linking environment is more basic than the user-
+ land environment, and does not support the full userland interposi-
+ tion concept. However, multiple definitions can still cause a sim-
+ ple form of interposition in which one definition hides the other.
+ A typical scenario is a module that defines a function that is also
+ defined by one of its dependencies, or by the kernel runtime sys-
+ tem. This type of interposition is seen when there are multiple
+ definitions, each with a non-zero binding count.
+
+ This form of interposition might be useful. A module could provide
+ a variation of some other module, by redefining the functions that
+ differ, and allowing the older module to provide the remaining
+ functions that do not need to be changed. Such interface inheri-
+ tance must be managed carefully. The use of a mapfile to define
+ explicit interfaces for such use is recommended.
+
+ Multiply-defined symbols are output from lari as interesting. In
+ this example, module kmod provides its own implementation of the
+ strlen() function. The module binds to its own version, while the
+ rest of the system binds to the version found in the unix kernel:
+
+
+ [2:1E]: strlen(): /platform/i86pc/kernel/amd64/unix
+ [2:1S]: strlen(): kmod
+
+ A scenario such as this is usually an undesirable and surprising
+ event, caused by an unexpected symbol name clash. It is rarely
+ desirable for parts of the system to use one implementation of a
+ function like strlen(), while other parts use another. More typi-
+ cally, this output would suggest that a duplicate definition is
+ unnecessary, and could be removed.
+
Overhead Information
When using the -o option, lari displays symbol definitions that might
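Review bot: The example outputs in this hunk and the one before it use a token `S` (`[2:2ES]`, `[2:1S]`) that does not appear in the reordered token list earlier in this diff (A, C, D, E, F, I, M, N, P, R, r, U). If `S` is defined in unchanged context that is fine, but the new kernel example is the first place a reader meets `[2:1S]` immediately after the paragraph says the module `binds to its own version`, so a short reminder of what `S` denotes here would help. The `/platform/i86pc/kernel/amd64/unix` path is also platform-specific; saying so avoids readers on SPARC looking for that file.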
@@ -398,6 +447,33 @@
used when calling functions directly. Use of this address also requires
an indirection at runtime.
+ Analysis of User Controlled Object Loading
+ Without the -D option, lari uses ldd(1) to process userland executable
+ and shared object files. The following options are used:
+
+ -r and -e LD_DEBUG=files,bindings,detail
+
+
+
+ These options provide information on all bindings that are established
+ as part of loading the object. Due to the use of the ldd, the specified
+ object is not executed, and hence no user controlled loading of
+ objects, by dlopen(3C) occurs. To capture all binding information from
+ an executing process, the following environment variables can be passed
+ directly to the runtime linker, ld.so.1(1):
+
+ LD_DEBUG=files,bindings,detail LD_DEBUG_OUTPUT=lari.dbg \
+ LD_BIND_NOW=yes
+
+
+
+ The resulting debug output, lari.dbg.pid, can be processed by lari
+ using the -D option. Note: lari attempts to analyze each object that
+ has been processed using the path name defined in the debug output.
+ Each object must therefore be accessible to lari for a complete, accu-
+ rate analysis to be provided. The debug output file must be generated
+ in the C locale.
+
EXAMPLES
Example 1 Analyzing a case of multiple bindings
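Review bot: In the new `Analysis of User Controlled Object Loading` section, `no user controlled loading of objects, by dlopen(3C) occurs` has lost the closing comma the removed original had (`by dlopen(3C) for example, occurs`); either drop the first comma or restore `for example,`. `Due to the use of the ldd` has the same stray article flagged in the earlier hunk. The section also refers to `lari.dbg.pid` without saying that `pid` is the process id of the traced process appended by `LD_DEBUG_OUTPUT=lari.dbg`; one clause on that would make the `-D` workflow self-explanatory.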
@@ -505,11 +581,12 @@
The human readable output is Uncommitted. The options are Committed.
SEE ALSO
- ld(1), ld.so.1(1), ldd(1), dlopen(3C), dlsym(3C), attributes(7)
+ kldd(1), ld(1), ld.so.1(1), ldd(1), dlopen(3C), dlsym(3C),
+ attributes(7)
Oracle Solaris 11.4 Linkers and Libraries Guide
-Oracle Solaris 11.4 27 Nov 2017 lari(1)
+Oracle Solaris 11.4 22 June 2021 lari(1)
diff -NurbBw 11.4.36/man1/ldd.1 11.4.39/man1/ldd.1
--- 11.4.36/man1/ldd.1 2021-11-16 13:14:12.011007622 +0000
+++ 11.4.39/man1/ldd.1 2021-11-16 13:14:46.787255667 +0000
@@ -361,7 +361,7 @@
Unused Material
ldd can validate dependency use. Only when a symbol reference is bound
to a dependency, is that dependency deemed used. With the -U option and
- the -U option, ldd prints warnings for any unreferenced, or unused
+ the -u option, ldd prints warnings for any unreferenced, or unused
dependencies that are loaded when file is loaded. These options are
useful when symbol references are being checked. If the -r option is
not in effect, the -d option is automatically enabled.
@@ -445,4 +445,4 @@
-Oracle Solaris 11.4 5 November 2018 ldd(1)
+Oracle Solaris 11.4 19 July 2021 ldd(1)
diff -NurbBw 11.4.36/man1/list_devices.1 11.4.39/man1/list_devices.1
--- 11.4.36/man1/list_devices.1 2021-11-16 13:14:12.040010948 +0000
+++ 11.4.39/man1/list_devices.1 2021-11-16 13:14:46.820415817 +0000
@@ -138,7 +138,7 @@
owner of the device as the key value pair owner=value.
value is the uid of the current owner of the device. If
the device is unallocated, value is /FREE. If the device
- is in error state, value is /ERROR. This option also
+ is in an error state, value is /ERROR. This option also
suppresses any diagnostic output.
@@ -272,4 +272,4 @@
-Oracle Solaris 11.4 11 Dec 2020 list_devices(1)
+Oracle Solaris 11.4 21 Jun 2021 list_devices(1)
diff -NurbBw 11.4.36/man1/mac.1 11.4.39/man1/mac.1
--- 11.4.36/man1/mac.1 2021-11-16 13:14:12.069714044 +0000
+++ 11.4.39/man1/mac.1 2021-11-16 13:14:46.851157272 +0000
@@ -9,16 +9,17 @@
/usr/bin/mac -l
- /usr/bin/mac [-v] -a algorithm
+ /usr/bin/mac [-v] -a algorithm [-t truncation]
[-k keyfile | -K key_label [-T token_spec]] [file]...
DESCRIPTION
The mac utility calculates the message authentication code (MAC) of the
- given file or files or stdin using the algorithm specified.
+ given file or files using the algorithm specified.
- If more than one file is given, each line of output is the MAC of a
- single file.
+ If no input file is specified, input is read from standard input. If
+ more than one file is given, each line of output is the MAC of a single
+ file.
OPTIONS
The following options are supported:
@@ -70,6 +71,11 @@
turer.
+ -t truncation Specifies the digest truncation length, where t is any
+ positive number less than 512. Valid only for algo-
+ rithm sha512_t_hmac.
+
+
-v Provides verbose information.
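Review bot: The new `-t truncation` entry names the argument `truncation` in the synopsis but `t` in the description (`where t is any positive number less than 512`), and gives neither the unit nor a lower bound. Since the `-l` table in the next hunk labels key sizes in bits, state explicitly whether `truncation` is in bits, whether it must be a multiple of 8, and what the minimum accepted value is; `any positive number` as written reads as permitting a one-bit tag, which is not what users should take from the page.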
@@ -97,10 +103,8 @@
The following example lists available algorithms:
-
-
example$ mac -l
- Algorithm Keysize: Min Max
+ Algorithm Keysize: Min Max (bits)
-----------------------------------
sha1_hmac 8 512
md5_hmac 8 512
@@ -108,7 +112,7 @@
sha256_hmac 8 512
sha384_hmac 8 1024
sha512_hmac 8 1024
-
+ sha512_t_hmac 8 1024
Example 2 Getting the Message Authentication Code
@@ -171,12 +167,32 @@
attributes(7), pkcs11_softtoken(7), dd(8)
- https://tools.ietf.org/html/rfc2898
+ Kaliski, B., RFC 2898, PKCS #5: Password-Based Cryptography Specifica-
+ tion, Version 2.0, September 2000. https://tools.ietf.org/html/rfc2898
+
+
+ https://www.oasis-open.org/committees/pkcs11/
+
+HISTORY
+ Support for the des_mac algorithm was removed in Oracle Solaris 11.4.0.
+
+
+ The -t option and sha512_t_hmac algorithm were added in Solaris 11.4.0.
+
+
+ The sha224_hmac algorithm was added in Solaris 11.1.0.
+
+
+ The -K and -T options were added in Solaris 11.0.0.
+
+
+ The SHA-2 algorithms sha256_hmac, sha384_hmac, and sha512_hmac were
+ added in Solaris 10 6/06 (Update 2).
- https://www.emc.com/emc-plus/rsa-labs/standards-initia-
- tives/pkcs-11-cryptographic-token-interface-standard.htm
+ The mac command, and all other other algorithms & options, were added
+ in Solaris 10 3/05.
-Oracle Solaris 11.4 17 Jan 2017 mac(1)
+Oracle Solaris 11.4 21 Jun 2021 mac(1)
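Review bot: `all other other algorithms & options` in the last HISTORY paragraph doubles `other`; suggest `The mac command, and all other algorithms and options, were added in Solaris 10 3/05.` Expanding the RFC 2898 citation and replacing the stale EMC URL with the OASIS PKCS#11 page are both good changes.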
diff -NurbBw 11.4.36/man1/mdb.1 11.4.39/man1/mdb.1
--- 11.4.36/man1/mdb.1 2021-11-16 13:14:12.177369060 +0000
+++ 11.4.39/man1/mdb.1 2021-11-16 13:14:46.974816547 +0000
@@ -2895,7 +2895,7 @@
- address ::printf [ -t format ... ] format [type] ...
+ address ::printf [ -c lim ] [ -t format ... ] format [type] ...
Print the data structure using the printf format command. Arguments
to the format can be:
@@ -2912,6 +2912,10 @@
o <var: The value of the variable var.
+ The number of characters in a character array or pointer that is
+ read and displayed as a string can be limited with the -c option.
+ If the value given is none no limit is applied.
+
The optional -t argument is used to specify a title which is
printed once before any other output is produced. For possible
expansions in the format string, see the ::help printf command.
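Review bot: The new `-c` paragraph does not state the default limit: it says the string length can be limited with `-c` and that `none` removes the limit, but not what applies when `-c` is omitted, which the synopsis change `[ -c lim ]` makes the common case. Also set `none` off as a literal and add the comma: `If the value given is none, no limit is applied.`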
@@ -4212,4 +4216,4 @@
-Oracle Solaris 11.4 11 May 2021 mdb(1)
+Oracle Solaris 11.4 13 July 2021 mdb(1)
diff -NurbBw 11.4.36/man1/passwd.1 11.4.39/man1/passwd.1
--- 11.4.36/man1/passwd.1 2021-11-16 13:14:12.226174531 +0000
+++ 11.4.39/man1/passwd.1 2021-11-16 13:14:47.015126375 +0000
@@ -532,8 +532,8 @@
- Property in /etc/default/login Corresponding SMF Property
- ---------------------------------------------------------------------
+ Property in /etc/default/passwd Corresponding SMF Property
+ ----------------------------------------------------------------------
DICTIONDBDIR password/dictionary/db_dir
DICTIONLIST password/dictionary/word_list
DICTIONMINWORDLENGTH password/dictionary/min_word_length
@@ -760,15 +760,15 @@
is the parsable output of the -s option.
SEE ALSO
- at(1), batch(1), finger(1), login(1), pwhash(1), crypt(3C), getpw-
- nam(3C), getspnam(3C), getusershell(3C), pam(3PAM), loginlog(5), nss-
- witch.conf(5), pam.conf(5), passwd(5), policy.conf(5), shadow(5),
- shells(5), user_attr(5), attributes(7), crypt_unix(7), environ(7),
- pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7),
- pam_dhkeys(7), pam_ldap(7), pam_unix_account(7), pam_unix_auth(7),
- pam_unix_session(7), rbac(7), cron(8), eeprom(8), id(8), ldapclient(8),
- mkpwdict(8), pwconv(8), su(8), useradd(8), userdel(8), usermod(8),
- account-policy(8S)
+ at(1), batch(1), finger(1), login(1), pwhash(1), crypt(3C),
+ getpwnam(3C), getspnam(3C), getusershell(3C), pam(3PAM), crypt.conf(5),
+ loginlog(5), nsswitch.conf(5), pam.conf(5), passwd(5), policy.conf(5),
+ shadow(5), shells(5), user_attr(5), attributes(7), crypt_unix(7),
+ environ(7), pam_authtok_check(7), pam_authtok_get(7),
+ pam_authtok_store(7), pam_dhkeys(7), pam_ldap(7), pam_unix_account(7),
+ pam_unix_auth(7), pam_unix_session(7), rbac(7), cron(8), eeprom(8),
+ id(8), ldapclient(8), mkpwdict(8), pwconv(8), su(8), useradd(8),
+ userdel(8), usermod(8), account-policy(8S)
Managing User Accounts and User Environments in Oracle Solaris 11.4
@@ -795,12 +795,62 @@
All password hash algorithms provided with Oracle Solaris 11.4, except
- for crypt_unix(7), have a maximum password length of 255.
+ for crypt_unix(7), have a maximum password length of 255. See
+ crypt.conf(5) and account-policy(8S) for information on configuring the
+ algorithm to use.
The unlock_after user attribute only applies to accounts locked due to
exceeding a failed login count.
+HISTORY
+ The AL status code; the properties MAXDAYS, MINDAYS, and WARNDAYS; and
+ the use of the account-policy(8S) SMF service to store the property
+ values were added to Oracle Solaris in Solaris 11.4.0.
+
+
+ The -p option was added to Oracle Solaris in Solaris 11.3.4.
+
+
+ The DICTIONMINWORDLENGTH property was added to Oracle Solaris in
+ Solaris 11.1.17 and a Solaris 10 patch.
+
+
+ Support for NIS+, including the -D option, and the nisplus repository
+ argument for the -r option, was removed in Solaris 11.0.0.
+
+
+ The -N and -u options; and the properties DICTIONDBDIR, DICTIONLIST,
+ HISTORY, MAXREPEATS, MINALPHA, MINDIFF, MINDIGIT, MINLOWER, MINNONAL-
+ PHA, MINSPECIAL, MINUPPER, NAMECHECK, and WHITESPACE; were added to
+ Oracle Solaris in Solaris 10 3/05.
+
+
+ Support for password encryption algorithms beyond the traditional UNIX
+ crypt(3C), via the crypt.conf(5) configuration, was added to Solaris in
+ Solaris 9 12/02 (Update 2).
+
+
+ Support for LDAP, including the ldap repository argument for the -r
+ option, was added in Solaris 8.
+
+
+ The options -r (with the files, nis, and nisplus repositories), -e, -g,
+ -h, and -D were added to Solaris in Solaris 2.5.
+
+
+ The options -d, -f, -l, -s, and -w, and support for the
+ /etc/default/passwd file, with the properties MAXWEEKS, MINWEEKS,
+ PASSLENGTH, and WARNWEEKS, were added to Solaris in Solaris 2.0.
+
+
+ The options -a, -n, and -x were added in SunOS 4.1 and have been
+ present in all releases of Solaris.
+
+
+ The passwd command has been included in all releases of SunOS and
+ Solaris.
+
-Oracle Solaris 11.4 11 May 2021 passwd(1)
+Oracle Solaris 11.4 2 Sep 2021 passwd(1)
diff -NurbBw 11.4.36/man1/pfexec.1 11.4.39/man1/pfexec.1
--- 11.4.36/man1/pfexec.1 2021-11-16 13:14:12.333933047 +0000
+++ 11.4.39/man1/pfexec.1 2021-11-16 13:14:47.119352176 +0000
@@ -69,9 +69,9 @@
Processes that have been successfully reauthenticated, including those
that were implicitly authenticated within the timeout value of the
cache, are marked with an additional process flag, PRIV_PFEXEC_AUTH,
- which exempts child process from subsequent reauthentication. Both the
- PRIV_PFEXEC and PRIV_PFEXEC_AUTH flags are inherited by child processes
- unless the real uid is changed.
+ which exempts child processes from subsequent reauthentication. Both
+ the PRIV_PFEXEC and PRIV_PFEXEC_AUTH flags are inherited by child pro-
+ cesses unless the real uid is changed.
Commands that match the set of unauthenticated profiles do not require
@@ -82,7 +82,7 @@
The second form, pfexec -P privspec, allows a user to obtain the
additional privileges awarded to the user's profiles in prof_attr(5).
- The privileges specification on the commands line is parsed using
+ The privileges specification on the command line is parsed using
priv_str_to_set(3C). The resulting privileges are intersected with the
union of the privileges specified using the privs keyword in
prof_attr(5) for all the user's profiles and added to the inheritable
@@ -95,8 +95,8 @@
such as specific user or group IDs.
- Refer to the sh(1), csh(1), and ksh(1) man pages for complete usage
- descriptions of the profile shells.
+ Refer to the man pages for each shell for complete usage descriptions
+ of the profile shells.
EXAMPLES
Example 1 Obtaining additional user privileges
@@ -133,6 +133,12 @@
bash(1), csh(1), ksh(1), ksh88(1), profiles(1), sh(1), tcsh(1), zsh(1),
exec_attr(5), prof_attr(5), user_attr(5), attributes(7)
+HISTORY
+ Support for authenticated profiles was added in Oracle Solaris 11.2.0.
-Oracle Solaris 11.4 20 Jan 2016 pfexec(1)
+ The pfexec command was added in Solaris 8.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 pfexec(1)
diff -NurbBw 11.4.36/man1/pktool.1 11.4.39/man1/pktool.1
--- 11.4.36/man1/pktool.1 2021-11-16 13:14:12.551473842 +0000
+++ 11.4.39/man1/pktool.1 2021-11-16 13:14:47.307246642 +0000
@@ -55,26 +51,26 @@
An example of using the -i option follows:
-
-
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Menlo Park
- Organization Name (eg, company):Sun Microsystems Inc.
- Organizational Unit Name (eg, section):OPG
+ Organization Name (eg, company): Example Corp.
+ Organizational Unit Name (eg, section): DevOps
Common Name (eg, YOUR name):John Smith
- Email Address []: [email protected]
-
-
+ Email Address []: [email protected]
The resulting subject-DN is:
+ "C=US, ST=CA, L=Menlo Park, O=Example Corp.,\
+ OU=DevOps, [email protected], \
+ CN=John Smith"
- "C=US, ST=CA, L=Menlo Park, O=Sun Microsystems Inc.,\
- OU=OPG, [email protected], \
- CN=John Smith"
+ -?, --help
+
+ The -? option displays usage and help information. --help is a syn-
+ onym for -?.
SUBCOMMANDS
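Review bot: the spacing after the prompt colons is now inconsistent within the -i example: the rewritten lines "Organization Name (eg, company): Example Corp." and "Organizational Unit Name (eg, section): DevOps" put a space after the colon, while the unchanged "Common Name (eg, YOUR name):John Smith" has none. Since the example is presenting the literal dialogue a user sees, use one form for every prompt line.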
@@ -216,7 +200,8 @@
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[format=der|pem]
- [ keytype=rsa [hash=md5 | sha1 | sha224 | sha256 | sha384 | sha512]]
+ [ keytype=rsa
+ [hash=md5|sha1|sha224|sha256|sha384|sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[eku=[critical:]EKU_name,...]
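Review bot: the rsa and dsa hash lists in this synopsis now use different separators: the rewrapped rsa line reads "[hash=md5|sha1|sha224|sha256|sha384|sha512]]" with no spaces around the bars, while the unchanged dsa line directly below it keeps "[hash=sha1 | sha224 | sha256 ]". Use the same spacing on both lines; the same mismatch appears in the synopsis rewrapped in the following hunk.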
@@ -260,7 +244,8 @@
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[dir=directory-path]
- [ keytype=rsa [hash=md5 | sha1 | sha224 | sha256 | sha384 | sha512]]
+ [ keytype=rsa
+ [hash=md5|sha1|sha224|sha256|sha384|sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[format=pem|der]
@@ -340,9 +315,7 @@
The format for the import subcommand is as follows:
-
-
- pktool import [token=token>[:manuf>[:serial>]]]
+ pktool import [token=token[:manuf[:serial]]]
infile=input-fn
pktool import [keystore=pkcs11]
@@ -533,31 +493,6 @@
virtual token in the list.
- rfc2986attr=y | n
-
- Specifies whether to encode 'attributes' as an empty ASN.1 con-
- struct 'SET OF' or not. The valid values are: y and n. The default
- value is y indicating that pktool adheres to PKCS#10 standard (RFC
- 2986). Some old broken certificate authorities may require specify-
- ing n.
-
-
- -?
-
- The format for the rfc2986attr=y | n subcommand is as follows:
-
-
-
-
- pktool -?
- pktool --help
-
-
-
- The -? option displays usage and help information. --help is a syn-
- onym for -?.
-
-
USAGE
The pktool subcommands support the following options:
@@ -807,9 +738,8 @@
objtype=cert | key | crl
- Specifies the class of the object: cert, key, or crl. For the
- download subcommand, if this option is not specified, default to
- crl.
+ Specifies the class of the object: cert, key, or crl. For the down-
+ load subcommand, if this option is not specified, default to crl.
objtype=public | private | both
@@ -888,6 +818,15 @@
issued.
+ rfc2986attr=y | n
+
+ Specifies whether to encode 'attributes' as an empty ASN.1 con-
+ struct 'SET OF' or not. The valid values are: y and n. The default
+ value is y indicating that pktool adheres to PKCS#10 standard (RFC
+ 2986). Some old broken certificate authorities may require specify-
+ ing n.
+
+
sensitive=y | n
Specifies the resulting symmetric key in the PKCS#11 token is sen-
@@ -911,8 +850,7 @@
For that reason, it is preferable to use label= instead of slotid=
to identify a token provider. The token label is shown under the
- "Token Name" column in the pktool
- tokens output.
+ "Token Name" column in the pktool tokens output.
subject=subject-DN
@@ -972,10 +908,8 @@
store indicated in the command:
-
-
$ pktool gencert keystore=pkcs11 label=WebServerCert \
- subject="O=Oracle Inc., OU=Solaris Security Technologies Group, \
+ subject="O=Example Company Inc., OU=Security Technologies Group, \
L=Ashburn, ST=VA, C=US, CN=John Smith" serial=0x01 \
keytype=rsa keylen=2048 hash=sha512
@@ -1014,19 +941,13 @@
label=mycert
-
-
EXIT STATUS
The following exit values are returned:
- 0
-
- Successful completion.
-
+ 0 Successful completion.
- >0
- An error occurred.
+ > 0 An error occurred.
ATTRIBUTES
@@ -1066,4 +987,4 @@
-Oracle Solaris 11.4 8 Jan 2020 pktool(1)
+Oracle Solaris 11.4 21 Jun 2021 pktool(1)
diff -NurbBw 11.4.36/man1/plabel.1 11.4.39/man1/plabel.1
--- 11.4.36/man1/plabel.1 2021-11-16 13:14:12.609552888 +0000
+++ 11.4.39/man1/plabel.1 2021-11-16 13:14:47.347792589 +0000
@@ -7,13 +7,15 @@
SYNOPSIS
/usr/bin/plabel [-sS] [pid...]
- /usr/bin/plabel [-sS] [-l clearance pid...]
+
+
+ /usr/bin/plabel [-sS] -l clearance pid...
DESCRIPTION
- plabel, a proc tools command, gets or sets the label of a process. If
- the pid is not specified, the label displayed is that of the plabel
- command. When options are not specified, the output format of the label
- is displayed in default format.
+ The plabel command gets or sets the label of a process. If the pid is
+ not specified, the label displayed is that of the plabel command. When
+ options are not specified, the output format of the label is displayed
+ in default format.
When Trusted Extensions is enabled, the label corresponds to the label
@@ -30,8 +32,7 @@
clearance of any process that is not owned by the current
process.
- This option is not supported, when Trusted Extensions are
- enabled.
+ This option is not supported when Trusted Extensions are enabled.
-s Display the label that is associated with pid in short form.
@@ -72,8 +73,18 @@
The plabel utility is Committed. The output is Not-an-Interface.
SEE ALSO
- proc(1), getplabel(3TSOL), getclearance(3TSOL), attributes(7)
+ proc(1), getplabel(3TSOL), getclearance(3TSOL), attributes(7),
+ labels(7)
+
+HISTORY
+ The -l option, and support for process clearances on systems not run-
+ ning Trusted Extensions, was added in Oracle Solaris 11.4.0.
+
+
+ The plabel command was added to Solaris in Solaris 10 4/08 (Update 5).
+ Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
-Oracle Solaris 11.4 24 Mar 2016 plabel(1)
+Oracle Solaris 11.4 21 Jun 2021 plabel(1)
diff -NurbBw 11.4.36/man1/ppriv.1 11.4.39/man1/ppriv.1
--- 11.4.36/man1/ppriv.1 2021-11-16 13:14:12.645746997 +0000
+++ 11.4.39/man1/ppriv.1 2021-11-16 13:14:47.391860993 +0000
@@ -6,7 +6,8 @@
ppriv - inspect or modify process privilege sets and attributes
SYNOPSIS
- /usr/bin/ppriv -e [-f {+-}{ADKMPRSTUX}] [-s spec] [-r rule] command [arg]...
+ /usr/bin/ppriv -e [-f {+-}{ADKMPRSTUX}] [-s spec] [-r rule]
+ command [arg]...
/usr/bin/ppriv [-vn] [ -f {+-}{ADKMPRSTUX}] [-S] [-s spec]
@@ -16,8 +17,7 @@
/usr/bin/ppriv -l [-vn] [privilege-specification | extended-policy]...
- /usr/bin/ppriv -q [-f
- {+-}{ADKMPRSTUX}[privilege-specification]
+ /usr/bin/ppriv -q [-f {+-}{ADKMPRSTUX} [privilege-specification]
DESCRIPTION
The first invocation of the ppriv command runs the command specified
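Review bot: the rewritten -q synopsis is still missing the closing bracket for the -f option: "/usr/bin/ppriv -q [-f {+-}{ADKMPRSTUX} [privilege-specification]" opens two brackets and closes only one, so -f reads as unterminated. It should be "/usr/bin/ppriv -q [-f {+-}{ADKMPRSTUX}] [privilege-specification]", matching the "[-f {+-}{ADKMPRSTUX}]" form used in the -e synopsis above.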
@@ -108,6 +108,11 @@
Obsolete. Same as -f -D.
+ -P
+
+ Obsolete. Same as -f +P.
+
+
-s spec
Modifies a process's privilege sets according to spec, a specifica-
@@ -219,9 +224,7 @@
L: all
-
- Example 2 Removing a Privilege From Your Shell's Inheritable and Effec-
- tive Set
+ Example 2 Removing a Privilege from the Inheritable and Effective Sets
@@ -260,8 +262,8 @@
example$ ppriv -e -f +D cat /etc/shadow
- cat[418]: missing privilege "file_dac_read" (euid = 21782),
- needed at ufs_access+0x3c
+ cat[418]: missing privilege "file_dac_read" (euid = 21782,
+ syscall = "openat") for "/etc/shadow" at zfs_zaccess+0x284
cat: cannot open /etc/shadow
@@ -356,9 +355,10 @@
The following example tests for flags and privileges:
- example$ if ppriv -q -f +D file_read; then
+ if ppriv -q -f +D file_read; then
echo Privilege debugging is enabled
echo and file_read privilege detected
+ fi
EXIT STATUS
@@ -396,6 +396,32 @@
gcore(1), truss(1), setpflags(2), priv_str_to_set(3C), proc(5),
attributes(7), privileges(7), tpd(7), zones(7)
+HISTORY
+ The K and R flags for the -f option were added in Oracle Solaris
+ 11.4.0.
+
+
+ The S flag for the -f option was added in Oracle Solaris 11.3.20.
+
+
+ The -f and -q options, and the A, D, M, P, T, U, and X flags for the -f
+ option, were added in Oracle Solaris 11.2.0. The -D, -M, -N, -P, and -X
+ options were declared obsolete at the same time.
+
+
+ The -n, -r, and -X options, and support for Extended Policies, were
+ added in Oracle Solaris 11.1.0.
+
+
+ The -P option was added in Oracle Solaris 11.0.0.
+
+
+ The -M option was added in Solaris 10 11/06 (Update 3).
+
+
+ The ppriv command, with support for the -D, -e, -l, -N, -S, -s, and -v
+ options, was added in Solaris 10 3/05.
+
-Oracle Solaris 11.4 28 May 2018 ppriv(1)
+Oracle Solaris 11.4 21 Jun 2021 ppriv(1)
diff -NurbBw 11.4.36/man1/profiles.1 11.4.39/man1/profiles.1
--- 11.4.36/man1/profiles.1 2021-11-16 13:14:12.798359088 +0000
+++ 11.4.39/man1/profiles.1 2021-11-16 13:14:47.431827868 +0000
@@ -12,13 +12,10 @@
profiles [-la] [-S repository]
- profiles -p profiles [-S repository]
-
-
- profiles -p profiles [-S repository] subcommand
+ profiles -p profile [-S repository] [subcommand]
- profiles -p profiles [-S repository] -f command_file
+ profiles -p profile [-S repository] -f command_file
profiles help
@@ -287,10 +274,9 @@
help
The help file name for the new profile. The help file is copied to
- the /usr/lib/help/profiles/locale/<locale> directory. Where
- <locale> is the value of the user's language locale, or C if none
- is specified. Specifying this property is only applicable in the
- files repository.
+ the /usr/lib/help/profiles/locale/locale directory, where locale is
+ the value of the user's locale, or C if none is specified. Specify-
+ ing this property is only applicable in the files repository.
limitpriv
@@ -354,11 +340,11 @@
file of profiles subcommands, one per line.
- -l [ <user> ]
+ -l [user]
Provides information about all rights profiles that are assigned to
- <user> and lists the commands and their special process attributes
- such as user and group IDs. Without the <user> argument, provides
+ user and lists the commands and their special process attributes
+ such as user and group IDs. Without the user argument, provides
this information about the user who is running the command.
@@ -443,7 +427,7 @@
in the command context.
- clear property name
+ clear property-name
Clear the value for the property.
@@ -494,7 +478,7 @@
form suitable for use in a command file option.
- help [usage] [subcommands] [properties] [<subcommand.] [<properties>]
+ help [usage | subcommands | properties | subcommand | property]
Print general help or help about specific topic.
@@ -567,13 +551,9 @@
The output of the profiles command has the following form:
-
-
example% profiles tester01 tester02
tester01 : Audit Management, All Commands
tester02 : Device Management, All Commands
- example%
-
Example 2 Using the list Option
@@ -594,20 +572,16 @@
/usr/bin/deallocate: euid=root
All Commands
*
- example%
-
Example 3 Creating a New Profile
- The following creates a new User Manager profile in LDAP. new profile
- description is Manage users and groups, and the authorization assigned
- is solaris.user.manage. The supplementary profile assigned is Mail Man-
- agement.
-
-
+ The following creates a new "User Manager" profile in LDAP. The new
+ profile description is "Manage users and groups", and the authorization
+ assigned is solaris.user.manage. The supplementary profile assigned is
+ "Mail Management".
example% profiles -p "User Manager" -S ldap
@@ -617,15 +591,11 @@
profiles:User Manager> exit
+ Example 4 Displaying Information Regarding a Profile
-
- Example 4 Displaying Information Regarding the Current Configuration
-
-
-
- The following command displays information regarding the User Manager
+ The following command displays information regarding the "User Manager"
profile:
@@ -638,15 +606,11 @@
profiles=Mail Management
-
-
Example 5 Deleting a Profile
- The following command deletes the User Manager profile from LDAP:
-
-
+ The following command deletes the "User Manager" profile from LDAP:
example% profiles -p "User Manager" -S ldap delete -F
@@ -652,15 +616,12 @@
example% profiles -p "User Manager" -S ldap delete -F
-
-
-
Example 6 Modifying a Profile
- The following modifies the User Manager profile in LDAP. The new pro-
- file description is Manage world, the new authorization assignment is
+ The following modifies the "User Manager" profile in LDAP. The new pro-
+ file description is "Manage world", the new authorization assignment is
solaris.user.* authorizations, and the new supplementary profile
assignment is All.
@@ -674,15 +633,12 @@
profiles:User Manager> exit
-
-
-
Example 7 Creating an exec_attr Database Entry
- The following command creates a new exec_attr entry for the User Man-
- ager profile in LDAP. The /usr/bin/cp entry is added. The command has
+ The following command creates a new exec_attr entry for the "User Man-
+ ager" profile in LDAP. The /usr/bin/cp entry is added. The command has
an effective user ID of 0 and an effective group ID of 0.
@@ -686,26 +642,20 @@
an effective user ID of 0 and an effective group ID of 0.
-
-
example% profiles -p "User Manager" -S ldap
profiles:User Manager> add cmd=/usr/bin/cp
profiles:User Manager:cp> set euid=0
profiles:User Manager:cp> set egid=0
profiles:User Manager:cp> end
profiles:User Manager> exit
- example%
-
-
-
Example 8 Deleting an exec_attr Database Entry
- The following example deletes an exec_attr database entry for the User
- Manager profile from LDAP. The entry designated for the command
+ The following example deletes an exec_attr database entry for the "User
+ Manager" profile from LDAP. The entry designated for the command
/usr/bin/cp is deleted.
@@ -709,15 +659,9 @@
/usr/bin/cp is deleted.
-
-
example% profiles -p "User Manager" -S ldap
profiles:User Manager> remove cmd=/usr/bin/cp
profiles:User Manager> exit
- example%
-
-
-
Example 9 Modifying an exec_attr Database Entry
@@ -739,10 +681,6 @@
profiles:User Manager:cp> set gid=0
profiles:User Manager:cp> end
profiles:User Manager> exit
- example%
-
-
-
Example 10 Showing the Attributes Associated With a Command
@@ -765,8 +701,6 @@
mary:
name=All
id=*
- example%
-
EXIT STATUS
@@ -809,11 +743,11 @@
auths(1), pfexec(1), pkg(1), roles(1), getprofattr(3C), auth_attr(5),
exec_attr(5), nsswitch.conf(5), pam.conf(5), policy.conf(5),
prof_attr(5), user_attr(5), attributes(7), audit_flags(7),
- pam_user_policy(7), privileges(7)
+ pam_user_policy(7), privileges(7), rbac(7)
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
-Oracle Solaris 11.4 25 Mar 2020 profiles(1)
+Oracle Solaris 11.4 21 Jun 2021 profiles(1)
diff -NurbBw 11.4.36/man1/pwhash.1 11.4.39/man1/pwhash.1
--- 11.4.36/man1/pwhash.1 2021-11-16 13:14:12.830916624 +0000
+++ 11.4.39/man1/pwhash.1 2021-11-16 13:14:47.461746559 +0000
@@ -6,12 +6,12 @@
pwhash - generate password hashes
SYNOPSIS
- pwhash [ -a <hashalgorithm> | -s <salt>] [ -u <user> ]
+ pwhash [-a algorithm | -s salt] [-u user]
DESCRIPTION
- With no arguments pwhash prompts for input (and reconfirms) and gener-
- ates a password hash by using crypt_gensalt(3C) followed by crypt(3C),
- and then displays the generated hash on stdout.
+ With no arguments, pwhash prompts for input (and confirms it) and gen-
+ erates a password hash by using crypt_gensalt(3C) followed by
+ crypt(3C), and then displays the generated hash on stdout.
If input is redirected from stdin then that is used instead. The pass-
@@ -21,20 +21,19 @@
OPTIONS
The following options are supported:
-
- -a
- --algorithm=<algorithm>
+ -a algorithm
+ --algorithm=algorithm
Specifies a preference for the algorithm. If the algorithm is not
allowed or does not exist, an error is shown.
The values are as per the key in crypt.conf(5). For example,
- __unix__, 1, md5, 2a, 5, and 6.
+ __unix__, 1, md5, 2a, 5, or 6.
- -s
- --salt=<salt>
+ -s salt
+ --salt=salt
Full specification of the algorithm and salt. This option bypasses
the crypt_gensalt(3C) call and instead passes the supplied salt
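Review bot: the -a description says an error is shown if the algorithm "is not allowed" but never says what allows or forbids it. policy.conf(5) is already in SEE ALSO, so name it here, e.g. "If the algorithm is not allowed by policy.conf(5) or does not exist in crypt.conf(5), an error is shown." That tells the reader why a value from the example list (__unix__, 1, md5, 2a, 5, or 6) can be rejected on a given system.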
@@ -42,8 +41,8 @@
- -u
- --user=<user>
+ -u user
+ --user=user
Specifies the username to be used with crypt_gensalt(3C). Note that
while the API allows for it, no current plugins delivered with Ora-
@@ -78,9 +76,7 @@
$5$DA/w/BgH$cB394/iYqj6pk/J6W0smfmKsGrYSGeWUvHsIMnUaZh.
-
- Example 2 Generating a Hash Using the System Default Algorithm Using
- stdin
+ Example 2 Generating a Hash Using stdin
@@ -134,12 +127,15 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Interface Stability | |
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
- crypt(3C), crypt_gensalt(3C), policy.conf(5), crypt.conf(5)
+ crypt(3C), crypt_gensalt(3C), crypt.conf(5), policy.conf(5)
+
+HISTORY
+ The pwhash command was added to Oracle Solaris in Solaris 11.3.3.
-Oracle Solaris 11.4 27 Nov 2017 pwhash(1)
+Oracle Solaris 11.4 21 Jun 2021 pwhash(1)
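Review bot: the new HISTORY sentence "The pwhash command was added to Oracle Solaris in Solaris 11.3.3" reads awkwardly and differs from the form used by the other HISTORY entries in this series (e.g. "was added in Oracle Solaris 11.3.20" in ppriv); write "The pwhash command was added in Oracle Solaris 11.3.3."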
diff -NurbBw 11.4.36/man1/roles.1 11.4.39/man1/roles.1
--- 11.4.36/man1/roles.1 2021-11-16 13:14:12.859909928 +0000
+++ 11.4.39/man1/roles.1 2021-11-16 13:14:47.492025177 +0000
@@ -88,9 +87,12 @@
+-----------------------------+-----------------------------+
SEE ALSO
- auths(1), pfexec(1), profiles(1), rlogin(1), ssh(1), auth_attr(5),
- passwd(5), prof_attr(5), shadow(5), user_attr(5), attributes(7), su(8)
+ auths(1), pfexec(1), profiles(1), ssh(1), auth_attr(5), passwd(5),
+ prof_attr(5), shadow(5), user_attr(5), attributes(7), rbac(7), su(8)
+
+HISTORY
+ The roles command was added in Solaris 8.
-Oracle Solaris 11.4 11 May 2021 roles(1)
+Oracle Solaris 11.4 21 Jun 2021 roles(1)
diff -NurbBw 11.4.36/man1/sandbox.1 11.4.39/man1/sandbox.1
--- 11.4.36/man1/sandbox.1 2021-11-16 13:14:12.888662298 +0000
+++ 11.4.39/man1/sandbox.1 2021-11-16 13:14:47.519868084 +0000
@@ -92,9 +90,11 @@
+-----------------------------+-----------------------------+
SEE ALSO
- plabel(1), setlabel(1), privileges(7), sandboxing(7), sandboxadm(8),
- setlabel(1)
+ plabel(1), setlabel(1), privileges(7), sandboxing(7), sandboxadm(8)
+
+HISTORY
+ The sandbox command was added in Solaris 11.4.0.
-Oracle Solaris 11.4 27 Nov 2017 sandbox(1)
+Oracle Solaris 11.4 21 Jun 2021 sandbox(1)
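Review bot: the new HISTORY line says "added in Solaris 11.4.0" while the other HISTORY sections added in this series write "Oracle Solaris 11.4.0" (plabel, ppriv, touch, check_autags); use the same product name form here.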
diff -NurbBw 11.4.36/man1/setlabel.1 11.4.39/man1/setlabel.1
--- 11.4.36/man1/setlabel.1 2021-11-16 13:14:12.916818374 +0000
+++ 11.4.39/man1/setlabel.1 2021-11-16 13:14:47.548003573 +0000
@@ -66,7 +66,7 @@
EXAMPLES
- Example 1 Set a Label.
+ Example 1 Set a Label
@@ -76,8 +76,7 @@
example% setlabel "Secret a" somefile
-
- Example 2 Turn On a Compartment.
+ Example 2 Turn On a Compartment
@@ -88,8 +87,7 @@
example% setlabel +b somefile
-
- Example 3 Turn Off a Compartment.
+ Example 3 Turn Off a Compartment
@@ -128,11 +125,16 @@
+-----------------------------+-----------------------------+
SEE ALSO
- setflabel(3TSOL), label_encodings(5), attributes(7), zfs(8)
+ setflabel(3TSOL), label_encodings(5), attributes(7), labels(7), zfs(8)
NOTES
For more information, see the label_encodings(5) man page.
+HISTORY
+ The setlabel command was added to Solaris in Solaris 10 4/08 (Update
+ 5). Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
+
-Oracle Solaris 11.4 23 Jan 2017 setlabel(1)
+Oracle Solaris 11.4 21 Jun 2021 setlabel(1)
diff -NurbBw 11.4.36/man1/ssh-http-proxy-connect.1 11.4.39/man1/ssh-http-proxy-connect.1
--- 11.4.36/man1/ssh-http-proxy-connect.1 2021-11-16 13:14:12.984860859 +0000
+++ 11.4.39/man1/ssh-http-proxy-connect.1 2021-11-16 13:14:47.623133997 +0000
@@ -61,9 +61,9 @@
the proxy is set from the environment:
- Host playtime.foo.com
+ Host playtime.example.com
ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect \
- playtime.foo.com 22
+ playtime.example.com 22
Example 2 Overriding proxy environment variables
@@ -74,9 +74,9 @@
override (or if not set) proxy environment variables:
- Host playtime.foo.com
+ Host playtime.example.com
ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h webcache \
- -p 8080 playtime.foo.com 22
+ -p 8080 playtime.example.com 22
Example 3 Using the command line
@@ -88,7 +88,7 @@
example$ ssh -o ProxyCommand="/usr/lib/ssh/ssh-http-proxy-connect \
- -h webcache -p 8080 playtime.foo.com 22" playtime.foo.com
+ -h webcache -p 8080 playtime.example.com 22" playtime.example.com
ENVIRONMENT VARIABLES
@@ -120,7 +120,7 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |network/ssh |
+ |Availability |network/ssh/ssh-utilities |
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
@@ -130,4 +130,4 @@
-Oracle Solaris 11.4 21 Dec 2010 ssh-http-proxy-connect(1)
+Oracle Solaris 11.4 12 Jul 2021 ssh-http-proxy-connect(1)
diff -NurbBw 11.4.36/man1/ssh-socks5-proxy-connect.1 11.4.39/man1/ssh-socks5-proxy-connect.1
--- 11.4.36/man1/ssh-socks5-proxy-connect.1 2021-11-16 13:14:13.014135992 +0000
+++ 11.4.39/man1/ssh-socks5-proxy-connect.1 2021-11-16 13:14:47.656252559 +0000
@@ -67,9 +67,9 @@
the proxy is set from the environment:
- Host playtime.foo.com
+ Host playtime.example.com
ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect \
- playtime.foo.com 22
+ playtime.example.com 22
Example 2 Overriding proxy environment variables
@@ -80,9 +80,9 @@
override (or if not set) proxy environment variables:
- Host playtime.foo.com
+ Host playtime.example.com
ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h socks-gw \
- -p 1080 playtime.foo.com 22
+ -p 1080 playtime.example.com 22
Example 3 Using the command line
@@ -94,7 +94,7 @@
example$ ssh -o'ProxyCommand=/usr/lib/ssh/ssh-socks5-proxy-connect \
- -h socks-gw -p 1080 playtime.foo.com 22' playtime.foo.com
+ -h socks-gw -p 1080 playtime.example.com 22' playtime.example.com
ENVIRONMENT VARIABLES
@@ -122,7 +122,7 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |network/ssh |
+ |Availability |network/ssh/ssh-utilities |
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
@@ -132,5 +132,5 @@
-Oracle Solaris 11.4 30 Oct 2002
+Oracle Solaris 11.4 12 Jul 2021
ssh-socks5-proxy-connect(1)
diff -NurbBw 11.4.36/man1/touch.1 11.4.39/man1/touch.1
--- 11.4.36/man1/touch.1 2021-11-16 13:14:13.045040740 +0000
+++ 11.4.39/man1/touch.1 2021-11-16 13:14:47.801927274 +0000
@@ -6,23 +6,31 @@
touch, settime - change file access and modification times
SYNOPSIS
- touch [-acm] [-r ref_file | -t time | -d date_time] file...
+ /usr/bin/touch [-acm] [-r ref_file | -t time | -d date_time] file...
- touch [-acm] [time_spec] file...
+ /usr/bin/touch [-acm] [time_spec] file...
- settime [-f ref_file] [time_spec] file...
+ /usr/xpg7/bin/touch [-acm] [-r ref_file | -t time | -d date_time] file...
+
+
+ /usr/bin/settime [-f ref_file] [time_spec] file...
DESCRIPTION
- The touch utility sets the access and modification times of each file.
- The file operand is created if it does not already exist.
+ The touch and settime utilities set the access and modification times
+ of each file. The touch utility creates the file operand if it does not
+ already exist. The settime utility does not create new files.
- The time used can be specified by -t time, by -d date_time, by the
- corresponding time fields of the file referenced by -r ref_file, or by
- the time_spec operand. If none of these are specified, touch uses the
- current time.
+ The time used by the touch utility can be specified by -t time, by -d
+ date_time, or by the corresponding time fields of the file referenced
+ by -r ref_file. The /usr/bin/touch utility also accepts a time_spec
+ operand, though this is deprecated in favor of the previously named
+ options. The time used by the settime utility can be specified by the
+ corresponding time fields of the file referenced by -f ref_file, or by
+ the time_spec operand. If none of these are specified, these utilities
+ use the current time.
If neither the -a nor -m options are specified, touch updates both the
@@ -30,16 +38,14 @@
A user with write access to a file, but who is not the owner of the
- file or a super-user, can change the modification and access times of
- that file only to the current time. Attempts to set a specific time
- with touch results in an error.
+ file and does not have the PRIV_FILE_OWNER privilege, can change the
+ modification and access times of that file only to the current time.
+ Attempts to set a specific time results in an error.
- The settime utility is equivalent to touch -c [time_spec] file.
+ The settime utility is equivalent to touch -c with a different syntax.
OPTIONS
- The following options are supported in the touch and settime utilities:
-
touch
The following options are supported for the touch utility:
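Review bot: subject-verb agreement in the rewritten sentence: "Attempts to set a specific time results in an error" should be "Attempts to set a specific time result in an error" (the old text had the same slip, so this is the chance to fix it). Also, "the PRIV_FILE_OWNER privilege" uses the C header constant form, whereas privilege names shown elsewhere in this diff (the ppriv example's "file_dac_read") and the privileges(7) page being added to SEE ALSO use the lower-case form; consider "the file_owner privilege" here.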
@@ -73,7 +79,7 @@
o YYYY is at least four decimal digits giving the year
- o MM, DD, hh, mm, and SS are as with -t time
+ o MM, DD, hh, mm, and SS are as described with -t time
o T is either the letter T or a single SPACE character
@@ -144,12 +150,11 @@
|If YY is: |CC becomes: |
+-----------------------------+-----------------------------+
| 69-99 | 19 |
- | 00-38 | 20 |
- | 39-68 | ERROR |
+ | 00-68 | 20 |
+-----------------------------+-----------------------------+
The resulting time is affected by the value of the TZ environment
- variable. The range of valid times is the Epoch to January 18,
- 2038.
+ variable. Times before the Epoch (January 1, 1970) are considered
+ invalid.
The range for SS is [00-61] rather than [00-59] because of leap
seconds. If SS is 60 or 61, and the resulting time, as affected by
@@ -168,14 +173,18 @@
OPERANDS
- The following operands are supported for the touch and settime utili-
- ties:
+ The following operand is supported for all of the touch and settime
+ utilities:
file
A path name of a file whose times are to be modified.
+
+ The following operand is supported for the /usr/bin/touch and settime
+ utilities, but not /usr/xpg7/bin/touch:
+
time_spec
Uses the specified time_spec instead of the current time. This op-
@@ -210,8 +219,7 @@
| YY | Corresponding Year |
+-----------------------------+-----------------------------+
| 69-99 | 1969-1999 |
- | 00-38 | 2000-2038 |
- | 39-68 | ERROR |
+ | 00-68 | 2000-2068 |
+-----------------------------+-----------------------------+
If no -d, -r, or -t option is specified, at least two operands are
specified, and the first operand is an eight- or ten-digit decimal
@@ -252,24 +260,83 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |system/core-os |
+ |Availability |See below. |
+-----------------------------+-----------------------------+
|CSI |Enabled |
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
- |Standard |See standards(7). |
+ |Standard |See below. |
+ +-----------------------------+-----------------------------+
+
+ Availability
+ +-----------------------------+-----------------------------+
+ | COMMAND | PACKAGE |
+-----------------------------+-----------------------------+
+ |/usr/bin/settime |system/core-os |
+ +-----------------------------+-----------------------------+
+ |/usr/bin/touch |system/core-os |
+ +-----------------------------+-----------------------------+
+ |/usr/xpg7/bin/touch |system/xopen/xcu7 |
+ +-----------------------------+-----------------------------+
+
+ Standards
+ The /usr/bin/touch command conforms to the requirements of the XPG2
+ through XPG5 standards. The /usr/xpg7/bin/touch command conforms to the
+ requirements of the XPG6 through XPG7 standards, which do not allow the
+ time_spec operand and require all operands to be treated as file names
+ instead.
+
+
+ The settime utility is not specified by any standard.
+
+
+ For more details on these standards, see the standards(7) manual page.
SEE ALSO
- futimens(2), stat(2), attributes(7), environ(7), standards(7)
+ stat(1), futimens(2), stat(2), attributes(7), environ(7), privi-
+ leges(7), standards(7)
NOTES
+ The range of valid times depends on the file system on which the file
+ resides. For instance, the ufs(4fs) filesystem does not support times
+ after 03:14:07 UTC, January 19, 2038, but the tmpfs(4fs) and zfs(4fs)
+ file systems do. The range for the pcfs(4fs) filesystem depends on
+ whether or not it is mounted with the clamptime option, as described in
+ the mount_pcfs(8) manual page. If the filesystem supports such time-
+ stamps, 32-bit programs will receive EOVERFLOW errors from the stat(2)
+ system call for files with any timestamp past 03:14:07 UTC, January 19,
+ 2038. New software should be compiled 64-bit to avoid this.
+
+
Users familiar with the BSD environment find that for the touch util-
ity, the -f option is accepted but ignored. The -f option is unneces-
sary because touch succeeds for all files owned by the user regardless
of the permissions on the files.
+HISTORY
+ Support for dates past the 32-bit time_t limit of 03:14:07 UTC, January
+ 19, 2038 was added in Oracle Solaris 11.4.0 when these commands were
+ converted to 64-bit programs.
+
+
+ The /usr/xpg7/bin/touch command was added in Oracle Solaris 11.4.0.
+
+
+ The -d option was added to the touch command in Solaris 10 9/10 (Update
+ 9).
+
+
+ The -r and -t options were added to the touch command in Solaris 2.5 to
+ support the XPG4 standard.
+
+
+ The settime command was added in Solaris 2.0.
+
+
+ The touch command, with support for the -a, -m, and -c options, has
+ been present in all Sun and Oracle releases of Solaris.
+
-Oracle Solaris 11.4 11 May 2021 touch(1)
+Oracle Solaris 11.4 19 Jul 2021 touch(1)
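Review bot: the new NOTES paragraph refers to ufs(4fs), tmpfs(4fs), zfs(4fs), pcfs(4fs) and mount_pcfs(8), but none of them appear in the SEE ALSO list updated in this same hunk; add them so the cross-references resolve. The paragraph also mixes "filesystem" and "file system" ("the ufs(4fs) filesystem", "the tmpfs(4fs) and zfs(4fs) file systems", "If the filesystem supports"); settle on one spelling.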
diff -NurbBw 11.4.36/man1/updatehome.1 11.4.39/man1/updatehome.1
--- 11.4.36/man1/updatehome.1 2021-11-16 13:14:13.072849043 +0000
+++ 11.4.39/man1/updatehome.1 2021-11-16 13:14:47.837003800 +0000
@@ -121,8 +118,8 @@
+-----------------------------+-----------------------------+
SEE ALSO
- label_encodings(5), user_attr(5), attributes(7), automount(8),
- share(8), txzonemgr(8)
+ label_encodings(5), user_attr(5), attributes(7), labels(7), auto-
+ mount(8), share(8), txzonemgr(8)
Trusted Extensions Configuration and Administration
@@ -131,6 +128,11 @@
The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.
+HISTORY
+ The updatehome command was added to Solaris in Solaris 10 4/08 (Update
+ 5). Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
+
-Oracle Solaris 11.4 16 Nov 2016 updatehome(1)
+Oracle Solaris 11.4 21 Jun 2021 updatehome(1)
diff -NurbBw 11.4.36/man1/userattr.1 11.4.39/man1/userattr.1
--- 11.4.36/man1/userattr.1 2021-11-16 13:14:13.101623636 +0000
+++ 11.4.39/man1/userattr.1 2021-11-16 13:14:47.870476918 +0000
@@ -74,8 +69,11 @@
SEE ALSO
auths(1), profiles(1), policy.conf(5), prof_attr(5), user_attr(5),
- attributes(7)
+ attributes(7), rbac(7)
+
+HISTORY
+ The userattr command was added in Solaris 11.0.0.
-Oracle Solaris 11.4 12 Oct 2019 userattr(1)
+Oracle Solaris 11.4 21 Jun 2021 userattr(1)
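Review bot: "The userattr command was added in Solaris 11.0.0" uses a different product name form than the ppriv HISTORY in this same series ("The -P option was added in Oracle Solaris 11.0.0"); write "Oracle Solaris 11.0.0" here for consistency.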
diff -NurbBw 11.4.36/man3audit/check_autags.3audit 11.4.39/man3audit/check_autags.3audit
--- 11.4.36/man3audit/check_autags.3audit 2021-11-16 13:14:13.145927565 +0000
+++ 11.4.39/man3audit/check_autags.3audit 2021-11-16 13:14:47.901540691 +0000
@@ -7,10 +7,11 @@
SYNOPSIS
cc [ flag...] file ... -laudit [library ...]
+
#include <limits.h>
- #include <libaudit.h>
+ #include <security/libaudit.h>
- int check_autags(char *err_buf, size_t buf_len, char *tags_fname)
+ int check_autags(char *err_buf, size_t buf_len, char *tags_fname);
DESCRIPTION
The check_autags() function validates audit tag definitions and returns
@@ -21,13 +22,13 @@
specified, then default system audit tags definitions are used.
- For errors, detailed text about the error is returned in err_buf.
- buf_len specifies the size of err_buf. Error text is not returned if
- err_buf is null or if buf_len is 0. If buf_len is too small to hold the
- null-terminated error text, the text is truncated. If multiple errors
- are found, they are returned in err_buf separated by newline charac-
- ters. A buffer of size LINE_MAX or larger is recommended, in order to
- hold several lines if needed.
+ For errors, detailed text about the error is written to the buffer pro-
+ vided in err_buf. buf_len specifies the size of err_buf. Error text is
+ not returned if err_buf is NULL or if buf_len is 0. If buf_len is too
+ small to hold the null-terminated error text, the text is truncated. If
+ multiple errors are found, they are written to err_buf separated by
+ newline characters. A buffer of size LINE_MAX or larger is recommended,
+ in order to hold several lines if needed.
RETURN VALUES
Upon successful completion, 0 is returned. Otherwise an error code is
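Review bot: the truncation sentence ("If buf_len is too small to hold the null-terminated error text, the text is truncated") does not say whether err_buf is still null-terminated after truncation, and a caller passing a small buffer and printing it with %s needs that guarantee spelled out. Suggest adding "The truncated text is always null-terminated" if that is what the implementation does, or otherwise an explicit statement that the caller must terminate the buffer itself.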
@@ -63,6 +62,9 @@
SEE ALSO
audit_tags(5), attributes(7)
+HISTORY
+ The check_autags() function was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 12 Jul 2016 check_autags(3AUDIT)
+Oracle Solaris 11.4 21 Jun 2021 check_autags(3AUDIT)
diff -NurbBw 11.4.36/man3audit/get_matching_autag_info.3audit 11.4.39/man3audit/get_matching_autag_info.3audit
--- 11.4.36/man3audit/get_matching_autag_info.3audit 2021-11-16 13:14:13.172361723 +0000
+++ 11.4.39/man3audit/get_matching_autag_info.3audit 2021-11-16 13:14:47.930747006 +0000
@@ -7,10 +7,11 @@
SYNOPSIS
cc [ flag...] file ... -laudit [library ...]
+
#include <security/libaudit.h>
nvlist_t *get_matching_autag_info(void *audit_record,
- char *tags_fname)
+ char *tags_fname);
DESCRIPTION
The get_matching_autag_info() function returns an nvlist containing
@@ -24,12 +25,12 @@
tags_fname specifies the tags file name to be used. If NULL is speci-
- fied, then the definition of default audit tags are used.
+ fied, then the default audit tags are used.
RETURN VALUES
Upon successful completion, an nvlist is allocated and the address is
returned. Otherwise, NULL is returned if no tags are found or if an
- error occurs errno is set to indicate the error.
+ error occurs. If an error occurs, errno is set to indicate the error.
The caller must call the nvlist_free() function to deallocate any
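Review bot: NULL is now documented as the return for both "no tags are found" and "an error occurs", with errno set only in the error case, so a caller can only separate the two by reading errno, and that only works if errno was zeroed before the call or is guaranteed untouched on the no-match path. Suggest stating which of those holds ("errno is not modified when no tags match; set errno to 0 before the call to distinguish the cases"), or documenting a distinct way to detect the no-match result.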
@@ -49,11 +49,8 @@
EINVAL An error occurred while parsing the audit record argument.
-
EXAMPLES
- Example 1 Example to get all tag names that a binary audit record
- ("record") matches.
-
+ Example 1 Get all tag names that a binary audit record matches
#include <security/libaudit.h>
@@ -99,7 +95,11 @@
SEE ALSO
libnvpair(3LIB), audit_tags(5), audit.log(5), attributes(7)
+HISTORY
+ The get_matching_autag_info() function was added in Oracle Solaris
+ 11.4.0.
+
-Oracle Solaris 11.4 12 Jul 2016
+Oracle Solaris 11.4 21 Jun 2021
get_matching_autag_info(3AUDIT)
diff -NurbBw 11.4.36/man3audit/list_autags.3audit 11.4.39/man3audit/list_autags.3audit
--- 11.4.36/man3audit/list_autags.3audit 2021-11-16 13:14:13.202171691 +0000
+++ 11.4.39/man3audit/list_autags.3audit 2021-11-16 13:14:47.960861544 +0000
@@ -7,9 +7,10 @@
SYNOPSIS
cc [ flag...] file ... -laudit [library ...]
- #include <libaudit.h>
- nvlist_t *list_autags(char *tags_fname)
+ #include <security/libaudit.h>
+
+ nvlist_t *list_autags(char *tags_fname);
DESCRIPTION
The list_autags() function returns an nvlist containing information
@@ -19,7 +20,7 @@
tags_fname specifies the tags file name to be used. If NULL is speci-
- fied then the definition of default system audit tags are used.
+ fied then the default system audit tags are used.
RETURN VALUES
Upon successful completion, an nvlist is allocated and the address is
@@ -45,14 +45,11 @@
EINVAL An error occurred while parsing the tags file(s).
-
EXAMPLES
- Example 1 Example to get all tag names defined in default system tag
- files.
+ Example 1 Get all tag names defined in default system tag files
-
- #include <libaudit.h>
+ #include <security/libaudit.h>
int error;
nvlist_t *list;
@@ -64,6 +61,7 @@
list = list_autags(NULL);
if (list == NULL) {
+ perror("list_autags");
exit(1);
}
while (pair = nvlist_next_nvpair(list, pair)) {
@@ -91,6 +88,9 @@
SEE ALSO
audit_tags(5), libnvpair(3LIB), attributes(7)
+HISTORY
+ The list_autags() function was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 27 Jan 2017 list_autags(3AUDIT)
+Oracle Solaris 11.4 21 Jun 2021 list_autags(3AUDIT)
diff -NurbBw 11.4.36/man3c/crypt.3c 11.4.39/man3c/crypt.3c
--- 11.4.36/man3c/crypt.3c 2021-11-16 13:14:13.353891950 +0000
+++ 11.4.39/man3c/crypt.3c 2021-11-16 13:14:48.121390532 +0000
@@ -3,7 +3,7 @@
NAME
- crypt - string encoding function
+ crypt - password hashing function
SYNOPSIS
#include <crypt.h>
@@ -84,9 +84,19 @@
SEE ALSO
passwd(1), pwhash(1), crypt_genhash_impl(3C), crypt_gensalt(3C),
- crypt_gensalt_impl(3C), getpassphrase(3C), pam(3PAM), passwd(5), pol-
- icy.conf(5), shadow(5), attributes(7), crypt_unix(7), standards(7)
+ crypt_gensalt_impl(3C), getpassphrase(3C), pam(3PAM), crypt.conf(5),
+ passwd(5), policy.conf(5), shadow(5), attributes(7), crypt_unix(7),
+ standards(7), account-policy(8S)
+HISTORY
+ The crypt() function has been included in all releases of SunOS and
+ Solaris.
-Oracle Solaris 11.4 9 Mar 2020 crypt(3C)
+ Support for password hashing algorithms beyond the traditional UNIX
+ crypt(), via the crypt.conf(5) configuration, was added to Solaris in
+ Solaris 9 12/02 (Update 2).
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 crypt(3C)
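Review bot: three empty lines are added between the HISTORY text and the footer ("Solaris 9 12/02 (Update 2)." is followed by three blank "+" lines), which is more trailing whitespace than the other pages in this patch use before their footer; one blank line would match the HISTORY sections added elsewhere in the same change.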
diff -NurbBw 11.4.36/man3c/encrypt.3c 11.4.39/man3c/encrypt.3c
--- 11.4.36/man3c/encrypt.3c 2021-11-16 13:14:13.384109697 +0000
+++ 11.4.39/man3c/encrypt.3c 2021-11-16 13:14:48.228523164 +0000
@@ -60,12 +60,18 @@
+-----------------------------+-----------------------------+
|MT-Level |Safe |
+-----------------------------+-----------------------------+
- |Standard |See standards(7). |
+ |Standard |See below. |
+-----------------------------+-----------------------------+
+
+ The encrypt() function is defined in the XPG1 through XPG7 standards,
+ and POSIX.1-2001 through POSIX.1-2017 standards, but has been declared
+ Obsolete and may be removed from future POSIX and XPG standards. See
+ standards(7) for more information on these standards.
+
SEE ALSO
crypt(3C), setkey(3C), attributes(7), crypt_unix(7)
-Oracle Solaris 11.4 9 Mar 2020 encrypt(3C)
+Oracle Solaris 11.4 21 Jun 2021 encrypt(3C)
diff -NurbBw 11.4.36/man3c/fwprintf.3c 11.4.39/man3c/fwprintf.3c
--- 11.4.36/man3c/fwprintf.3c 2021-11-16 13:14:13.593531810 +0000
+++ 11.4.39/man3c/fwprintf.3c 2021-11-16 13:14:48.487164606 +0000
@@ -3,25 +3,45 @@
NAME
- fwprintf, wprintf, swprintf - print formatted wide-character output
+ fwprintf, wprintf, swprintf, fwprintf_s, wprintf_s, swprintf_s, snw-
+ printf_s - print formatted wide-character output
SYNOPSIS
#include <stdio.h>
#include <wchar.h>
+ int wprintf(const wchar_t *restrict format, ...);
+
+
int fwprintf(FILE *restrict stream, const wchar_t *restrict format,
...);
- int wprintf(const wchar_t *restrict format, ...);
+ int swprintf(wchar_t *restrict s, size_t n,
+ const wchar_t *restrict format, ...);
+
+
+ #define __STDC_WANT_LIB_EXT1__ 1
+ #include <stdio.h>
+ #include <wchar.h>
+
+ int wprintf_s(const wchar_t *restrict format, ...);
- int swprintf(wchar_t *restrict s, size_t n, const wchar_t *restrict format,
+ int fwprintf_s(FILE *restrict stream, const wchar_t *restrict format,
...);
+
+ int swprintf_s(wchar_t *restrict s, rsize_t n,
+ const wchar_t *restrict format, ...);
+
+
+ int snwprintf_s(wchar_t *restrict s, rsize_t n,
+ const wchar_t *restrict format, ...);
+
DESCRIPTION
- The fwprintf() function places output on the named output stream. The
- wprintf() function places output on the standard output stream stdout.
+ The wprintf() function places output on the standard output stream std-
+ out. The fwprintf() function places output on the named output stream.
The swprintf() function places output followed by the null wide-charac-
ter in consecutive wide-characters starting at *s; no more than n wide-
characters are written, including a terminating null wide-character,
@@ -453,22 +473,48 @@
and the next successful completion of a call to fflush(3C) or
fclose(3C) on the same stream or a call to exit(3C) or abort(3C).
+ C11 Bounds Checking Interfaces
+ The wprintf_s(), fwprintf_s(), swprintf_s(), and snwprintf_s() func-
+ tions are part of the C11 bounds checking interfaces specified in the
+ C11 standard, Annex K. They provide similar functionality to the
+ wprintf(), fwprintf(), and swprintf() functions, except for additional
+ checks on the parameters passed and explicit runtime-constraints as
+ defined in the C11 standard. swprintf_s() and snwprintf_s() operate
+ similarly, except in the case that output, including the trailing null
+ wide-character, would exceed the number of wide-characters specified by
+ the n argument. In such cases, swprintf_s() raises a runtime constraint
+ violation, while snwprintf_s() truncates the output and returns the
+ number of wide-characters (not counting the null terminator) that would
+ have been written if n was large enough. See runtime_constraint_han-
+ dler(3C) and INCITS/ISO/IEC 9899:2011.
+
RETURN VALUES
- Upon successful completion, these functions return the number of wide-
- characters transmitted excluding the terminating null wide-character in
- the case of swprintf() or a negative value if an output error was
- encountered.
+ Upon successful completion, these functions (except for snwprintf_s())
+ return the number of wide-characters transmitted, excluding the termi-
+ nating null wide-character in the case of swprintf(), or a negative
+ value if an output error was encountered.
If n or more wide characters were requested to be written, swprintf()
returns a negative value.
+
+ The wprintf_s(), fwprintf_s(), swprintf_s(), and snwprintf_s() func-
+ tions return a negative value if a runtime constraint violation was
+ encountered.
+
+
+ If no runtime constraint violation was encountered, the snwprintf_s()
+ returns the number of wide-characters (excluding the terminating null
+ wide-character) that would have been written to s if n had been suffi-
+ ciently large.
+
ERRORS
For the conditions under which fwprintf() and wprintf() will fail and
may fail, refer to fputwc(3C).
- In addition, all forms of fwprintf() may fail if:
+ In addition, all of these functions may fail if:
EILSEQ A wide-character code that does not correspond to a valid
character has been detected.
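Review bot: the "C11 Bounds Checking Interfaces" paragraph names only one runtime-constraint violation (output exceeding n for swprintf_s()) while promising "additional checks on the parameters passed" without saying what they are, and it does not say what s contains after swprintf_s() reports a violation, so a caller cannot tell whether s is safe to use once the handler returns. Suggest either enumerating the checked conditions (or stating that runtime_constraint_handler(3C) lists them) and adding one sentence on the state of s after a violation, since that is the detail a caller relying on these interfaces for safety needs.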
@@ -539,20 +585,60 @@
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
- |MT-Level |MT-Safe |
+ |MT-Level |See below. |
+-----------------------------+-----------------------------+
- |Standard |See standards(7). |
+ |Standard |See below. |
+-----------------------------+-----------------------------+
+ MT-Level
+ The wprintf(), fwprintf(), and swprintf() functions can be used safely
+ in multithreaded applications, as long as setlocale(3C) is not being
+ called to change the locale.
+
+
+ The wprintf_s(), fwprintf_s(), swprintf_s(), and snwprintf_s() func-
+ tions cannot be used safely in a multithreaded application due to the
+ runtime constraint handler. For more information, see the runtime_con-
+ straint_handler(3C) man page.
+
+ Standard
+ See standards(7) for descriptions of the following standards:
+
+
+ +-----------------------+-----------------------------------+
+ | INTERFACES | APPLICABLE STANDARDS |
+ +-----------------------+-----------------------------------+
+ |wprintf(), fwprintf(), | |
+ |swprintf() | C95 through C11, |
+ | | POSIX.1-2001 through 2008, |
+ | | SUSv2 through SUSv4, |
+ | | XPG5 through XPG7 |
+ | | |
+ +-----------------------+-----------------------------------+
+ |wprintf_s(), | C11 Annex K |
+ |fwprintf_s(), | |
+ |swprintf_s(), | |
+ |snwprintf_s() | |
+ +-----------------------+-----------------------------------+
+
SEE ALSO
btowc(3C), fputwc(3C), fwscanf(3C), mbrtowc(3C), setlocale(3C),
- attributes(7), standards(7)
+ attributes(7), standards(7), runtime_constraint_handler(3C)
NOTES
If the j length modifier is used, 32-bit applications that were com-
piled using c89 on releases prior to Solaris 10 will experience unde-
fined behavior.
+HISTORY
+ The wprintf_s(), fwprintf_s(), swprintf_s(), and snwprintf_s() func-
+ tions were added to Oracle Solaris in the Oracle Solaris 11.4.0
+ release.
+
+
+ The wprintf(), fwprintf(), and swprintf() functions were added to
+ Solaris in the Solaris 7 release.
+
-Oracle Solaris 11.4 11 May 2021 fwprintf(3C)
+Oracle Solaris 11.4 30 Jul 2021 fwprintf(3C)
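Review bot: the Standard table writes the POSIX range as "POSIX.1-2001 through 2008" while the encrypt(3C) change in this same patch writes "POSIX.1-2001 through POSIX.1-2017 standards"; the two pages should name the latest POSIX revision the same way. Also, SEE ALSO now reads "attributes(7), standards(7), runtime_constraint_handler(3C)", appending a 3C entry after the section 7 entries instead of keeping the section-sorted order used by the rest of the list.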
diff -NurbBw 11.4.36/man3c/malloc.3c 11.4.39/man3c/malloc.3c
--- 11.4.36/man3c/malloc.3c 2021-11-16 13:14:13.801249088 +0000
+++ 11.4.39/man3c/malloc.3c 2021-11-16 13:14:48.706572937 +0000
@@ -145,9 +145,11 @@
storage of any type of object.
- If size, nelem, or elsize is 0, the allocation functions return a
- unique non-null pointer that can be passed to free(). These pointers
- should not be dereferenced.
+ If size, nelem, or elsize is 0, the allocation functions, except for
+ memalign() and valloc(), return a unique non-null pointer that can be
+ passed to free(). These pointers should not be dereferenced. The mema-
+ lign() and valloc() functions return null pointers when the size param-
+ eter is 0.
If there is not enough memory available, the allocation functions
@@ -188,6 +190,21 @@
+ The memalign() function may also fail if:
+
+ EINVAL The value of the alignment parameter is not a power of two
+ multiple of sizeof(void *), or the size parameter is zero, or
+ the combination of the two would lead to an integer overflow.
+
+
+
+ The valloc() function may also fail if:
+
+ EINVAL The size parameter, when aligned to the pagesize, would lead
+ to an integer overflow.
+
+
+
The malloc_usable_size() function may fail if:
EINVAL The pointer provided is not a valid pointer returned by one
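Review bot: the earlier hunk says both memalign() and valloc() "return null pointers when the size parameter is 0", but only the memalign() EINVAL entry mentions "the size parameter is zero"; the valloc() entry lists the page-alignment overflow case alone. Say whether valloc(0) also sets errno to EINVAL or returns NULL without touching errno, so callers know whether inspecting errno after a NULL return is meaningful for that function.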
@@ -387,6 +404,10 @@
Additional functions may be required in the future as APIs evolve.
HISTORY
+ The malloc(), calloc(), memalign(), realloc(), valloc(), and free()
+ functions have been included in all releases of SunOS and Solaris.
+
+
The malloc_usable_size() function was defined in GNU libc 2.0, and was
added to Oracle Solaris in the Oracle Solaris 11.4.10 release.
@@ -400,4 +421,4 @@
-Oracle Solaris 11.4 23 Jun 2020 malloc(3C)
+Oracle Solaris 11.4 14 Aug 2021 malloc(3C)
diff -NurbBw 11.4.36/man3c/printf.3c 11.4.39/man3c/printf.3c
--- 11.4.36/man3c/printf.3c 2021-11-16 13:14:13.916836471 +0000
+++ 11.4.39/man3c/printf.3c 2021-11-16 13:14:48.827823720 +0000
@@ -3,9 +3,8 @@
NAME
- printf, fprintf, sprintf, snprintf, asprintf - print formatted output
- printf_s, fprintf_s, sprintf_s, snprintf_s - print formatted output
- with additional safety checks
+ printf, fprintf, dprintf, sprintf, snprintf, asprintf, printf_s,
+ fprintf_s, sprintf_s, snprintf_s - print formatted output
SYNOPSIS
#include <stdio.h>
@@ -16,6 +15,9 @@
int fprintf(FILE *restrict stream, const char *restrict format, ...);
+ int dprintf(int fildes, const char *restrict format, ...);
+
+
int sprintf(char *restrict s, const char *restrict format, ...);
@@ -47,8 +49,11 @@
out.
- The fprintf() function places output on on the named output stream
- stream.
+ The fprintf() function places output on the named output stream stream.
+
+
+ The dprintf() function places output on the file associated with the
+ file descriptor fildes rather than on a stream.
The sprintf() function places output, followed by the null byte (\0),
@@ -57,19 +62,19 @@
The snprintf() function is identical to sprintf() with the addition of
- the argument n, which specifies the size of the buffer referred to by
- s. If n is 0, nothing is written and s can be a null pointer. Other-
- wise, output bytes beyond the n-1st are discarded instead of being
- written to the array and a null byte is written at the end of the bytes
- actually written into the array.
+ the argument n, which specifies the maximum number of bytes to write to
+ the buffer referred to by s. If n is 0, nothing is written and s can be
+ a null pointer. Otherwise, output bytes beyond the n-1st are discarded
+ instead of being written to the array and a null byte is written at the
+ end of the bytes actually written into the array.
The asprintf() function is the same as the sprintf() function except
- that it returns, in the ret argument, a pointer to a buffer suffi-
- ciently large to hold the output string. This pointer should be passed
- to free(3C) to release the allocated storage when it is no longer
- needed. If sufficient space cannot be allocated, the asprintf() func-
- tion returns -1 and sets ret to be a NULL pointer.
+ that it returns, in the ret argument, a pointer to a newly allocated
+ buffer sufficiently large to hold the output string. This pointer
+ should be passed to free(3C) to release the allocated storage when it
+ is no longer needed. If sufficient space cannot be allocated, the
+ asprintf() function returns -1 and sets ret to be a NULL pointer.
Each of these functions converts, formats, and prints its arguments
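Review bot: the asprintf() paragraph says ret is set to NULL only for the case "If sufficient space cannot be allocated", leaving the content of ret unspecified when the function returns -1 for any other reason. Suggest stating explicitly what ret holds on every failure path (or that it is unspecified and must not be passed to free(3C) unless the return value is non-negative), since a caller that frees *ret after a -1 return is the obvious mistake here.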
@@ -228,7 +233,7 @@
space If the first character of a signed conversion is not a sign or
if a signed conversion results in no characters, a space will
be placed before the result. This means that if the space and
- flags both appear, the space flag will be ignored.
+ '+' flags both appear, the space flag will be ignored.
# The value is to be converted to an alternate form. For c, d,
@@ -568,7 +573,8 @@
The st_ctime and st_mtime fields of the file will be marked for update
between the call to a successful execution of printf() or fprintf() and
the next successful completion of a call to fflush(3C) or fclose(3C) on
- the same stream or a call to exit(3C) or abort(3C).
+ the same stream, or a call to exit(3C) or abort(3C), or upon successful
+ completion of a call to dprintf().
C11 Bounds Checking Interfaces
The printf_s(), fprintf_s(), sprintf_s(), and snprintf_s() functions
@@ -580,22 +586,23 @@
dler(3C) and INCITS/ISO/IEC 9899:2011.
RETURN VALUES
- The printf(), printf_s(), fprintf(), fprintf_s(), sprintf(),
- sprintf_s(), and asprintf() functions return the number of bytes trans-
- mitted (excluding the terminating null byte in the case of sprintf(),
- sprintf_s(), and asprintf()).
-
-
- The snprintf() and snprintf_s() functions return the number of bytes
- that would have been written to s if n had been sufficiently large
- (excluding the terminating null byte.) If the value of n is 0 on a call
- to snprintf(), s can be a null pointer and the number of bytes that
- would have been written if n had been sufficiently large (excluding the
- terminating null byte) is returned.
-
-
- The printf(), fprintf(), sprintf(), and asprintf() functions each
- return a negative value if an output error was encountered.
+ Upon successful completion, the printf(), printf_s(), fprintf(),
+ fprintf_s(), dprintf(), sprintf(), sprintf_s(), and asprintf() func-
+ tions return the number of bytes written (excluding the terminating
+ null byte in the case of sprintf(), sprintf_s(), and asprintf()).
+
+
+ Upon successful completion, the snprintf() and snprintf_s() functions
+ return the number of bytes that would have been written to s if n had
+ been sufficiently large (excluding the terminating null byte). If the
+ value of n is 0 on a call to snprintf(), s can be a null pointer and
+ the number of bytes that would have been written if n had been suffi-
+ ciently large (excluding the terminating null byte) is returned.
+
+
+ The printf(), fprintf(), dprintf(), sprintf(), snprintf(), and
+ asprintf() functions each return a negative value if an error was
+ encountered, and set errno to indicate the error.
The printf_s() and fprintf_s() functions each return a negative value
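Review bot: the snprintf() and snprintf_s() text correctly says the return is "the number of bytes that would have been written to s if n had been sufficiently large", but it stops short of the warning that matters in practice: a non-negative return greater than or equal to n means the output was truncated, and that value must not be used as an offset into s (the "s + snprintf(s, n, ...)" idiom walks off the buffer). One sentence after that paragraph would close the gap, and it would also clarify that the new "negative value if an error was encountered" sentence does not cover truncation, which is not reported as an error.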
@@ -612,8 +619,8 @@
straint violation was encountered.
ERRORS
- For the conditions under which printf() and fprintf() will fail and may
- fail, refer to fputc(3C) or fputwc(3C).
+ For conditions under which printf(), fprintf(), and dprintf() will fail
+ and may fail, refer to fputc(3C) or fputwc(3C).
The snprintf() and snprintf_s() functions will fail if:
@@ -624,7 +631,7 @@
- The printf(), printf_s(), fprintf(), fprintf_s(), sprintf(),
+ The printf(), printf_s(), fprintf(), fprintf_s(), dprintf(), sprintf(),
sprintf_s(), snprintf() and snprintf_s() functions will fail if:
EILSEQ A wide-character code that does not correspond to a valid
@@ -634,6 +641,15 @@
EINVAL There are insufficient arguments.
+ EOVERFLOW The value to be returned is greater than INT_MAX.
+
+
+
+ The dprintf() function will fail if:
+
+ EBADF The fildes argument is not a valid file descriptor.
+
+
The printf_s(), fprintf_s(), sprintf_s(), and snprintf_s() functions
will fail if:
@@ -646,9 +661,9 @@
-
- The printf(), printf_s(), fprintf(), fprintf_s(), and asprintf() func-
- tions may fail due to an underlying malloc(3C) failure if:
+ The printf(), printf_s(), fprintf(), fprintf_s(), dprintf(), and
+ asprintf() functions may fail due to an underlying malloc(3C) failure
+ if:
EAGAIN Storage space is temporarily unavailable.
@@ -720,8 +735,12 @@
dards(7).
EXAMPLES
- Example 1 To print the language-independent date and time format, the
- following statement could be used:
+ Example 1
+
+
+
+ The following statement prints the language-independent date and time
+ format:
printf (format, weekday, month, day, hour, min);
@@ -759,31 +778,38 @@
Sonntag, 3. Juli, 10:02
+ Example 2
+
+
- Example 2 To print a date and time in the form Sunday, July 3, 10:02,
- where weekday and month are pointers to
- null-terminated strings:
+ Print a date and time in the form Sunday, July 3, 10:02, where weekday
+ and month are pointers to null-terminated strings:
printf("%s, %s %i, %d:%.2d", weekday, month, day, hour, min);
+ Example 3
- Example 3 To print pi to 5 decimal places:
+
+
+ Print pi to 5 decimal places:
printf("pi = %.5f", 4 * atan(1.0));
+ Example 4
- Example 4 The following example applies only to applications that are
- not standard-conforming. To print a list of names in columns which are
- 20 characters wide:
- printf("%20s%20s%20s", lastname, firstname, middlename);
+ The following example applies only to applications that are not stan-
+ dard-conforming. To print a list of names in columns which are 20 char-
+ acters wide:
+ printf("%20s%20s%20s", lastname, firstname, middlename);
+
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
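Review bot: the restructured Examples leave each heading as a bare "Example 1" through "Example 4" followed by two or three blank lines before the descriptive sentence, so the reader now has to scan past whitespace to learn what each example shows; the removed form ("Example 3 To print pi to 5 decimal places:") put the title on the heading line, which is how the other 3C pages in this patch present examples. Suggest keeping a one-line title on each heading line, e.g. "Example 3 Print pi to 5 decimal places", and dropping the stray blank lines.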
@@ -801,38 +827,82 @@
|Standard |See below. |
+-----------------------------+-----------------------------+
+ MT-Level
+ The printf(), fprintf(), dprintf(), sprintf(), snprintf(), and
+ asprintf() functions can be used safely in multithreaded applications,
+ as long as setlocale(3C) is not being called to change the locale. The
+ sprintf() and snprintf() functions are Async-Signal-Safe.
- All of these functions can be used safely in multithreaded applica-
- tions, as long as setlocale(3C) is not being called to change the
- locale. The sprintf() and snprintf() functions are Async-Signal-Safe.
+ The printf_s(), fprintf_s(), sprintf_s(), and sprintf_s() functions
+ cannot be used safely in a multithreaded application due to the runtime
+ constraint handler. For more information, see the runtime_con-
+ straint_handler(3C) man page.
- See standards(7) for the standards conformance of printf(), fprintf(),
- sprintf(), and snprintf (). The asprintf() function is modeled on the
- one that appears in the FreeBSD, NetBSD, and GNU C libraries.
+ Standard
+ See standards(7) for descriptions of the following standards:
- The printf(), fprintf(), sprintf(), snprintf(), and asprintf() func-
- tions can be used safely in multithreaded applications.
+ +-----------------------+-----------------------------------+
+ | INTERFACES | APPLICABLE STANDARDS |
+ +-----------------------+-----------------------------------+
+ |printf(), fprintf(), | |
+ |sprintf() | C89 through C11, |
+ | | POSIX.1-1990 through 2008, |
+ | | SUS through SUSv4, |
+ | | XPG1 through XPG7 |
+ | | |
+ +-----------------------+-----------------------------------+
+ |snprintf() | C99 through C11 |
+ | | POSIX.1-2001 through 2008, |
+ | | SUSv2 through SUSv4, |
+ | | XPG5 through XPG7 |
+ | | |
+ +-----------------------+-----------------------------------+
+ |dprintf() | POSIX.1-2008, XPG7 |
+ +-----------------------+-----------------------------------+
+ |printf_s(), | C11 Annex K |
+ |fprintf_s(), | |
+ |sprintf_s(), | |
+ |snprintf_s() | |
+ +-----------------------+-----------------------------------+
- The printf_s(), fprintf_s(), sprintf_s(), and sprintf_s() functions
- cannot be used safely in a multithreaded application due to the runtime
- constraint handler. For more information, see the runtime_con-
- straint_handler(3C) man page.
+ The asprintf() function is modeled on the one that appears in the Free-
+ BSD, NetBSD, and GNU C libraries.
SEE ALSO
exit(2), lseek(2), write(2), abort(3C), ecvt(3C), exit(3C), fclose(3C),
fflush(3C), fputwc(3C), free(3C), malloc(3C), putc(3C), scanf(3C), set-
- locale(3C), stdio(3C), vprintf(3C), wcstombs(3C), wctomb(3C), int-
- types.h(3HEAD), attributes(7), environ(7), standards(7), runtime_con-
- straint_handler(3C)
+ locale(3C), stdio(3C), vprintf(3C), vwprintf(3C), wcstombs(3C),
+ wctomb(3C), wprintf(3C), wsprintf(3C), inttypes.h(3HEAD),
+ attributes(7), environ(7), standards(7), runtime_constraint_handler(3C)
NOTES
If the j length modifier is used, 32-bit applications that were com-
piled using c89 on releases prior to Solaris 10 will experience unde-
fined behavior.
+HISTORY
+ The dprintf(), printf_s(), fprintf_s(), sprintf_s(), and snprintf_s()
+ functions were added to Oracle Solaris in Oracle Solaris 11.4.0.
+
+
+ The %s conversion specifier was changed to print the string "(null)"
+ for NULL pointer arguments in Oracle Solaris 11.0.0 and a patch for
+ Solaris 10. Prior to this, use of a NULL pointer argument would lead to
+ a segmentation fault or bus error in the program. This behavior is not
+ a Committed interface, is not portable, and should not be relied on.
+
+
+ The asprintf() function was added to Oracle Solaris in Oracle Solaris
+ 10 8/11 (Update 10).
+
+
+ Support for the length modifiers hh, j, t, and z; and the conversion
+ specifiers %a, %A, and %F; was added to Solaris in the Solaris 10 3/05
+ release in support of the C99 and XPG6 standards.
+
The snprintf() return value when n = 0 was changed in the Solaris 10
release. The change was based on the SUSv3 specification. The previous
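Review bot: the rewritten MT-Level paragraph still reads "The printf_s(), fprintf_s(), sprintf_s(), and sprintf_s() functions cannot be used safely"; the second sprintf_s() should be snprintf_s(), and since the same typo was in the removed text, this rewrite was the place to fix it. Two smaller points in the same hunk: the snprintf() row of the Standard table is missing the comma after "C11", and the HISTORY note that "%s" printing "(null)" for a NULL argument "is not a Committed interface, is not portable, and should not be relied on" is a caveat worth cross-referencing from the %s conversion text itself, where the reader tempted to rely on it is looking.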
@@ -840,5 +910,27 @@
when n = 0 returns an unspecified value less than 1.
+ The snprintf() function was added to Solaris in Solaris 2.5, and back-
+ ported to patches for Solaris 2.3 & 2.4.
+
+
+ Support for the flag character ', and the conversion specifiers %C &
+ %S, was added to Solaris in the Solaris 2.4 release in support of the
+ XPG4 standard.
+
+
+ Support for the length modifier ll, and the conversion specifiers %wc
+ and %ws, was added to Solaris in the Solaris 2.0 release.
+
+
+ Support for the conversion specifier %p, the length modifier L, and the
+ use of $ to specify argument numbers was added in the SunOS 4.1
+ release.
+
+
+ The printf(), fprintf(), and sprintf() functions have been included in
+ all Sun and Oracle releases of Solaris.
+
+
-Oracle Solaris 11.4 11 May 2021 printf(3C)
+Oracle Solaris 11.4 29 Jul 2021 printf(3C)
diff -NurbBw 11.4.36/man3c/runtime_constraint_handler.3c 11.4.39/man3c/runtime_constraint_handler.3c
--- 11.4.36/man3c/runtime_constraint_handler.3c 2021-11-16 13:14:14.045904279 +0000
+++ 11.4.39/man3c/runtime_constraint_handler.3c 2021-11-16 13:14:48.962609049 +0000
@@ -5,7 +5,7 @@
NAME
runtime_constraint_handler, abort_handler_s, ignore_handler_s, set_con-
- straint_handler_s - Runtime-constraint handler functions for the bound
+ straint_handler_s - Runtime-constraint handler functions for the bounds
checking interfaces
SYNOPSIS
@@ -13,13 +13,14 @@
#include <stdlib.h>
- void abort_handler_s(const char *msg, void *ptr, errno_t error)
+ void abort_handler_s(const char *msg, void *ptr, errno_t error);
- void ignore_handler_s(const char *msg, void *ptr, errno_t error)
+ void ignore_handler_s(const char *msg, void *ptr, errno_t error);
- constraint_handler_t set_constraint_handler_s(constraint_handler_t handler)
+ constraint_handler_t set_constraint_handler_s(
+ constraint_handler_t handler);
DESCRIPTION
The runtime-constraint handler APIs are part of the C11 bounds checking
@@ -97,7 +93,8 @@
void
handler(const char *msg, void *ptr, errno_t err)
{
- printf("%s and the function exited with error number: %d\n", msg, err);
+ printf("%s and the function exited with error number: %d\n",
+ msg, err);
}
int
@@ -132,21 +128,28 @@
SEE ALSO
asctime_s(3C), bsearch_s(3C), ctime_s(3C), fopen_s(3C), fprintf_s(3C),
- freopen_s(3C), fscanf_s(3C), fwscanf_s(3C), fwprintf(3C), getenv_s(3C),
- gets_s(3C), gmtime_s(3C), localtime_s(3C), mbsrtowcs_s(3C),
- mbstowcs_s(3C), memcpy_s(3C), memmove_s(3C), memset_s(3C),
- printf_s(3C), qsort_s(3C), scanf_s(3C), snprintf_s(3C), sprintf_s(3C),
- sscanf_s(3C), strcat_s(3C), strcpy_s(3C), strerror_s(3C), str-
- errorlen_s(3C), strncat_s(3C)), strncpy_s(3C), strnlen_s(3C), str-
- tok_s(3C), swscanf_s(3C), tmpfile_s(3C), tmpnam_s(3C), vfprintf_s(3C),
+ freopen_s(3C), fscanf_s(3C), fwscanf_s(3C), fwprintf_s(3C),
+ getenv_s(3C), gets_s(3C), gmtime_s(3C), localtime_s(3C),
+ mbsrtowcs_s(3C), mbstowcs_s(3C), memcpy_s(3C), memmove_s(3C),
+ memset_s(3C), printf_s(3C), qsort_s(3C), scanf_s(3C), snprintf_s(3C),
+ snwprintf_s(3C), sprintf_s(3C), sscanf_s(3C), strcat_s(3C),
+ strcpy_s(3C), strerror_s(3C), strerrorlen_s(3C), strncat_s(3C)),
+ strncpy_s(3C), strnlen_s(3C), strtok_s(3C), swprintf_s(3C),
+ swscanf_s(3C), tmpfile_s(3C), tmpnam_s(3C), vfprintf_s(3C),
vfscanf_s(3C), vfwprintf_s(3C), vfwscanf_s(3C), vprintf_s(3C),
- vscanf_s(3C), vsnprintf_s(3C), vsscanf_s(3C), vswscanf_s(3C), vws-
- canf_s(3C), wcrtomb_s(3C), wcscat_s(3C), wcscpy_s(3C), wcsncat_s(3C),
+ vscanf_s(3C), vsnprintf_s(3C), vsnwprintf_s(3C), vsscanf_s(3C),
+ vswprintf_s(3C), vswscanf_s(3C), vwscanf_s(3C), vwprintf_s(3C),
+ wcrtomb_s(3C), wcscat_s(3C), wcscpy_s(3C), wcsncat_s(3C),
wcsncpy_s(3C), wcsnlen_s(3C), wcsrtombs_s(3C), wcstok_s(3C),
wcstombs_s(3C), wctomb_s(3C), wmemcpy_s(3C), wmemmove_s(3C),
- wprintf(3C), wscanf_s(3C), libc(3LIB)
+ wprintf_s(3C), wscanf_s(3C), libc(3LIB), standards(7)
+
+HISTORY
+ These functions, along with the rest of the interfaces specified by
+ Annex K of the C11 standard, were added to Oracle Solaris in the Oracle
+ Solaris 11.4.0 release.
-Oracle Solaris 11.4 10 Jun 2018
+Oracle Solaris 11.4 30 Jul 2021
runtime_constraint_handler(3C)
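Review bot: the reflowed SEE ALSO keeps the doubled closing parenthesis in "strncat_s(3C))" from the old text; it should be "strncat_s(3C)". The rest of the list is now consistent with the new fwprintf_s(3C), snwprintf_s(3C), swprintf_s(3C), vsnwprintf_s(3C), vswprintf_s(3C), vwprintf_s(3C) and wprintf_s(3C) entries added elsewhere in this patch.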
diff -NurbBw 11.4.36/man3c/vfwprintf.3c 11.4.39/man3c/vfwprintf.3c
--- 11.4.36/man3c/vfwprintf.3c 2021-11-16 13:14:14.514822405 +0000
+++ 11.4.39/man3c/vfwprintf.3c 2021-11-16 13:14:49.636359233 +0000
@@ -3,14 +3,18 @@
NAME
- vfwprintf, vswprintf, vwprintf - wide-character formatted output of a
- stdarg argument list
+ vfwprintf, vwprintf, vswprintf, vfwprintf_s, vwprintf_s, vswprintf_s,
+ vsnwprintf_s - wide-character formatted output of a stdarg argument
+ list
SYNOPSIS
#include <stdarg.h>
#include <stdio.h>
#include <wchar.h>
+ int vwprintf(const wchar_t *restrict format, va_list arg);
+
+
int vfwprintf(FILE *restrict stream, const wchar_t *restrict format,
va_list arg);
@@ -19,13 +23,31 @@
const wchar_t *restrict format, va_list arg);
- int vwprintf(const wchar_t *restrict format, va_list arg);
+ #define __STDC_WANT_LIB_EXT1__ 1
+ #include <stdio.h>
+ #include <wchar.h>
+
+ int vwprintf_s(const wchar_t *restrict format, va_list arg);
+
+
+ int vfwprintf_s(FILE *restrict stream, const wchar_t *restrict format,
+ va_list arg);
+
+
+ int vswprintf_s(wchar_t *restrict s, rsize_t n,
+ const wchar_t *restrict format, va_list arg);
+
+
+ int vsnwprintf_s(wchar_t *restrict s, rsize_t n,
+ const wchar_t *restrict format, va_list arg);
DESCRIPTION
- The vwprintf(), vfwprintf(), and vswprintf() functions are the same as
- wprintf(), fwprintf(), and swprintf() respectively, except that instead
- of being called with a variable number of arguments, they are called
- with an argument list as defined by <stdarg.h>.
+ The vwprintf(), vfwprintf(), vswprintf(), vwprintf_s(), vfwprintf_s(),
+ vswprintf_s(), and vsnwprintf_s() functions are the same as wprintf(),
+ fwprintf(), swprintf(), wprintf_s(), fwprintf_s(), swprintf_s(), and
+ snwprintf_s() respectively, except that instead of being called with a
+ variable number of arguments, they are called with an argument list as
+ defined by <stdarg.h>.
These functions do not invoke the va_end() macro. However, as these
@@ -51,14 +73,18 @@
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
- |MT-Level |MT-Safe |
+ |MT-Level |See fwprintf(3C). |
+-----------------------------+-----------------------------+
- |Standard |See standards(7). |
+ |Standard |See fwprintf(3C). |
+-----------------------------+-----------------------------+
SEE ALSO
- fwprintf(3C), setlocale(3C), attributes(7), standards(7)
+ fwprintf(3C), setlocale(3C), attributes(7), standards(7), runtime_con-
+ straint_handler(3C)
+
+HISTORY
+ See fwprintf(3C).
-Oracle Solaris 11.4 11 May 2021 vfwprintf(3C)
+Oracle Solaris 11.4 30 Jul 2021 vfwprintf(3C)
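Review bot: the SEE ALSO entry added in this hunk is hyphenated as "runtime_con-" / "straint_handler(3C)", splitting a function name across lines in the formatted output (the vprintf(3C) hunks further down show the same split in their context lines). Prefix the name with \% in the man source so troff does not hyphenate it and readers can search for the unbroken name.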
diff -NurbBw 11.4.36/man3c/vprintf.3c 11.4.39/man3c/vprintf.3c
--- 11.4.36/man3c/vprintf.3c 2021-11-16 13:14:14.573230103 +0000
+++ 11.4.39/man3c/vprintf.3c 2021-11-16 13:14:49.711407071 +0000
@@ -3,10 +3,9 @@
NAME
- vprintf, vfprintf, vsprintf, vsnprintf, vasprintf - print formatted
- output of a variable argument
- vprintf_s, vfprintf_s, vsprintf_s, vsnprintf_s - print formatted output
- of a variable argument list with additional safety checks
+ vprintf, vfprintf, vsprintf, vdprintf, vsnprintf, vasprintf, vprintf_s,
+ vfprintf_s, vsprintf_s, vsnprintf_s - print formatted output of a vari-
+ able argument list
SYNOPSIS
#include <stdio.h>
@@ -18,6 +17,9 @@
int vfprintf(FILE *stream, const char *format, va_list ap);
+ int vdprintf(int fildes, const char *format, va_list ap);
+
+
int vsprintf(char *s, const char *format, va_list ap);
@@ -46,11 +48,12 @@
const char *restrict format, va_list ap);
DESCRIPTION
- The vprintf(), vfprintf(), vsprintf(), vsnprintf(), and vasprintf()
- functions are the same as printf(), fprintf(), sprintf(), snprintf(),
- and asprintf(), respectively, except that instead of being called with
- a variable number of arguments, they are called with an argument list
- as defined in the <stdarg.h> header. See printf(3C).
+ The vprintf(), vfprintf(), vdprintf(), vsprintf(), vsnprintf(), and
+ vasprintf() functions are the same as printf(), fprintf(), dprintf(),
+ sprintf(), snprintf(), and asprintf(), respectively, except that
+ instead of being called with a variable number of arguments, they are
+ called with an argument list as defined in the <stdarg.h> header. See
+ printf(3C).
The <stdarg.h> header defines the type va_list and a set of macros for
@@ -92,6 +95,12 @@
+ Likewise, the vdprintf() function will fail if:
+
+ EBADF The fildes argument is not a valid file descriptor.
+
+
+
The vprintf_s(), vfprintf_s(), vsprintf_s() and vsnprintf() functions
will fail if:
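Review bot: the unchanged context line closing this hunk reads "The vprintf_s(), vfprintf_s(), vsprintf_s() and vsnprintf() functions will fail if:", but the runtime-constraint failures that follow belong to vsnprintf_s(), not vsnprintf(); correct the name while this ERRORS section is being edited for the new vdprintf() EBADF entry.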
@@ -119,7 +126,7 @@
* error should be called like
* error(function_name, format, arg1, ...);
*/
- void error(char *function_name, char *format, ...)
+ void error(const char *function_name, const char *format, ...)
{
va_list ap;
va_start(ap, format);
@@ -147,10 +153,10 @@
|Standard |See below. |
+-----------------------------+-----------------------------+
-
- The vprintf(), vfprintf(), vsprintf(), vsnprintf(), and vasprintf()
- functions can be used safely in multithreaded applications, as long as
- setlocale(3C) is not being called to change the locale.
+ MT-Level
+ The vprintf(), vfprintf(), vdprintf(), vsprintf(), vsnprintf(), and
+ vasprintf() functions can be used safely in multithreaded applications,
+ as long as setlocale(3C) is not being called to change the locale.
The vprintf_s(), vfprintf_s(), vsprintf_s(), and vsnprintf_s() func-
@@ -158,22 +164,70 @@
runtime constraint handler. For more information, see the runtime_con-
straint_handler(3C) man page.
+ Standard
+ See standards(7) for descriptions of the following standards:
+
+
+ +-----------------------+-----------------------------------+
+ | INTERFACES | APPLICABLE STANDARDS |
+ +-----------------------+-----------------------------------+
+ |vprintf(), vfprintf(), | |
+ |vsprintf() | C89 through C11, |
+ | | POSIX.1-1990 through 2008, |
+ | | SUS through SUSv4, |
+ | | XPG1 through XPG7 |
+ | | |
+ +-----------------------+-----------------------------------+
+ |vsnprintf() | C99 through C11 |
+ | | POSIX.1-2001 through 2008, |
+ | | SUSv2 through SUSv4, |
+ | | XPG5 through XPG7 |
+ | | |
+ +-----------------------+-----------------------------------+
+ |vdprintf() | POSIX.1-2008, XPG7 |
+ +-----------------------+-----------------------------------+
+ |printf_s(), | C11 Annex K |
+ |fprintf_s(), | |
+ |sprintf_s(), | |
+ |snprintf_s() | |
+ +-----------------------+-----------------------------------+
- See standards(7) for the standards conformance of vprintf(),
- vfprintf(), vsprintf(), and vsnprintf(). The vasprintf() function is
- modeled on the one that appears in the FreeBSD, NetBSD, and GNU C
- libraries.
+
+ The vasprintf() function is modeled on the one that appears in the
+ FreeBSD, NetBSD, and GNU C libraries.
SEE ALSO
- printf(3C), printf_s(3C), stdarg(3EXT), attributes(7), standards(7),
- runtime_constraint_handler(3C)
+ printf(3C), printf_s(3C), vwprintf(3C), stdarg(3EXT), attributes(7),
+ standards(7), runtime_constraint_handler(3C)
+
+HISTORY
+ The support history for flag characters, length modifiers, and conver-
+ sion specifiers are the same as for the printf() function. See
+ printf(3C).
+
+
+ The vdprintf(), vprintf_s(), vfprintf_s(), vsprintf_s(), and
+ vsnprintf_s() functions were added to Oracle Solaris in Oracle Solaris
+ 11.4.0.
+
+
+ The vasprintf() function was added to Oracle Solaris in Oracle Solaris
+ 10 8/11 (Update 10).
+
-NOTES
The vsnprintf() return value when n = 0 was changed in the Solaris 10
release. The change was based on the SUSv3 specification. The previous
behavior was based on the initial SUSv2 specification, where
vsnprintf() when n = 0 returns an unspecified value less than 1.
+ The vsnprintf() function was added to Solaris in Solaris 2.5, and back-
+ ported to patches for Solaris 2.3 & 2.4.
+
+
+ The vprintf(), vfprintf(), and vsprintf() functions have been included
+ in all Sun and Oracle releases of Solaris.
+
+
-Oracle Solaris 11.4 13 Jun 2018 vprintf(3C)
+Oracle Solaris 11.4 29 Jul 2021 vprintf(3C)
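Review bot: the new Standard table lists printf_s(), fprintf_s(), sprintf_s() and snprintf_s() under C11 Annex K, but this is the vprintf(3C) page and the functions it documents are vprintf_s(), vfprintf_s(), vsprintf_s() and vsnprintf_s(); the row should name the v* variants. Two smaller points in the same hunk: the vsnprintf() row lacks the trailing comma after "C99 through C11" that the other rows use, and "The support history ... are the same" should read "is the same". Dropping the NOTES heading moves the vsnprintf() n = 0 paragraph under HISTORY, which reads fine since it describes a behavior change by release.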
diff -NurbBw 11.4.36/man3ext/sha1.3ext 11.4.39/man3ext/sha1.3ext
--- 11.4.36/man3ext/sha1.3ext 2021-11-16 13:14:14.831860239 +0000
+++ 11.4.39/man3ext/sha1.3ext 2021-11-16 13:14:50.129336244 +0000
@@ -3,7 +3,7 @@
NAME
- sha1, SHA1Init, SHA1Update, SHA1Final - SHA1 digest functions
+ sha1, SHA1Init, SHA1Update, SHA1Final - SHA-1 digest functions
SYNOPSIS
cc [ flag ... ] file ... -lmd [ library ... ]
@@ -19,9 +19,9 @@
void SHA1Final(void *output, SHA1_CTX *context);
DESCRIPTION
- The SHA1 functions implement the SHA1 message-digest algorithm. The
+ The SHA1 functions implement the SHA-1 message-digest algorithm. The
algorithm takes as input a message of arbitrary length and produces a
- 160-bit "fingerprint" or "message digest" as output. The SHA1 message-
+ 160-bit "fingerprint" or "message digest" as output. The SHA-1 message-
digest algorithm is intended for digital signature applications in
which large files are "compressed" in a secure manner before being
encrypted with a private (secret) key under a public-key cryptosystem
@@ -30,32 +30,32 @@
SHA1Init(), SHA1Update(), SHA1Final()
The SHA1Init(), SHA1Update(), and SHA1Final() functions allow a
- SHA1 digest to be computed over multiple message blocks. Between
- blocks, the state of the SHA1 computation is held in an SHA1 con-
- text structure allocated by the caller. A complete digest computa-
- tion consists of calls to SHA1 functions in the following order:
+ SHA-1 digest to be computed over multiple message blocks. Between
+ blocks, the state of the SHA-1 computation is held in an SHA1_CTX
+ context structure allocated by the caller. A complete digest compu-
+ tation consists of calls to SHA1 functions in the following order:
one call to SHA1Init(), one or more calls to SHA1Update(), and one
call to SHA1Final().
- The SHA1Init() function initializes the SHA1 context structure
+ The SHA1Init() function initializes the SHA1_CTX context structure
pointed to by context.
- The SHA1Update() function computes a partial SHA1 digest on the
- inlen-byte message block pointed to by input, and updates the SHA1
- context structure pointed to by context accordingly.
-
- The SHA1Final() function generates the final SHA1 digest, using the
- SHA1 context structure pointed to by context. The 160-bit SHA1
- digest is written to output. After a call to SHA1Final(), the state
- of the context structure is undefined. It must be reinitialized
- with SHA1Init() before it can be used again.
+ The SHA1Update() function computes a partial SHA-1 digest on the
+ inlen-byte message block pointed to by input, and updates the
+ SHA1_CTX context structure pointed to by context accordingly.
+
+ The SHA1Final() function generates the final SHA-1 digest, using
+ the SHA1_CTX context structure pointed to by context. The 160-bit
+ SHA-1 digest is written to output. After a call to SHA1Final(), the
+ state of the context structure is undefined. It must be reinitial-
+ ized with SHA1Init() before it can be used again.
SECURITY
- The SHA1 algorithm is also believed to have some weaknesses. Migration
- to one of the SHA2 algorithms-including SHA224, SHA256, SHA386 or
- SHA512-is highly recommended when compatibility with data formats and
- on wire protocols is permitted.
+ The SHA-1 algorithm is believed to have some weaknesses. Migration to
+ one of the SHA-2 or SHA-3 algorithms is highly recommended when compat-
+ ibility with data formats and network protocols permit doing so. See
+ sha2(3EXT) and sha2(3EXT) for functions which use those algorithms.
RETURN VALUES
These functions do not return a value.
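Review bot: the rewritten SECURITY paragraph ends "See sha2(3EXT) and sha2(3EXT)", repeating sha2 where the second reference should be sha3(3EXT) (the SEE ALSO hunk below adds sha3(3EXT)). "when compatibility ... permit doing so" also needs "permits". Beyond wording, "believed to have some weaknesses" understates the state of SHA-1: practical collisions were published in 2017, so the text can say plainly that SHA-1 is not collision resistant and should not be used for new signatures or other collision-sensitive uses, keeping it only where an existing format or protocol requires it.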
@@ -109,11 +109,15 @@
+-----------------------------+-----------------------------+
SEE ALSO
- sha2(3EXT), libmd(3LIB)
+ sha2(3EXT), sha3(3EXT), libmd(3LIB)
- RFC 1374
+ Eastlake, D., RFC 3174, US Secure Hash Algorithm 1 (SHA1), September
+ 2001. https://tools.ietf.org/html/rfc3174
+HISTORY
+ These functions were added to Solaris in Solaris 10 8/07 (Update 4).
-Oracle Solaris 11.4 25 Feb 2014 sha1(3EXT)
+
+Oracle Solaris 11.4 21 Jun 2021 sha1(3EXT)
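Review bot: the new citation credits only Eastlake; RFC 3174 is authored by D. Eastlake 3rd and P. Jones, so the entry should read "Eastlake, D. and Jones, P., RFC 3174, US Secure Hash Algorithm 1 (SHA1), September 2001". Replacing the old "RFC 1374" typo with the correct number and a URL is otherwise right.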
diff -NurbBw 11.4.36/man3ext/sha2.3ext 11.4.39/man3ext/sha2.3ext
--- 11.4.36/man3ext/sha2.3ext 2021-11-16 13:14:14.956617198 +0000
+++ 11.4.39/man3ext/sha2.3ext 2021-11-16 13:14:50.259491196 +0000
@@ -5,8 +5,8 @@
NAME
sha2, SHA2Init, SHA2Update, SHA2Final, SHA224Init, SHA224Update,
SHA224Final, SHA256Init, SHA256Update, SHA256Final, SHA384Init,
- SHA384Update, SHA384Final, SHA512Init, SHA512Update, SHA512Final - SHA2
- digest functions
+ SHA384Update, SHA384Final, SHA512Init, SHA512Update, SHA512Final -
+ SHA-2 digest functions
SYNOPSIS
cc [ flag ... ] file ... -lmd [ library ... ]
@@ -65,7 +65,7 @@
The SHA2Init(), SHA2Update(), SHA2Final() functions implement the
SHA224, SHA256, SHA384 and SHA512 message-digest algorithms. The algo-
rithms take as input a message of arbitrary length and produces a "fin-
- gerprint" or "message digest" as output. The SHA2 message-digest algo-
+ gerprint" or "message digest" as output. The SHA-2 message-digest algo-
rithms are intended for digital signature applications in which large
files are "compressed" in a secure manner before being encrypted with a
private (secret) key under a public-key cryptosystem such as RSA.
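Review bot: two grammar slips in the unchanged context lines of this hunk: "The SHA2Init(), SHA2Update(), SHA2Final() functions" needs "and" before SHA2Final(), and "The algorithms take as input ... and produces" should be "produce". Since the hunk already touches this paragraph to change SHA2 to SHA-2, fix both here.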
@@ -74,19 +74,19 @@
The SHA2Init(), SHA2Update(), and SHA2Final() functions allow an
SHA2 digest to be computed over multiple message blocks. Between
- blocks, the state of the SHA2 computation is held in an SHA2 con-
- text structure allocated by the caller. A complete digest computa-
- tion consists of calls to SHA2 functions in the following order:
+ blocks, the state of the SHA-2 computation is held in an SHA2_CTX
+ context structure allocated by the caller. A complete digest compu-
+ tation consists of calls to SHA2 functions in the following order:
one call to SHA2Init(), one or more calls to SHA2Update(), and one
call to SHA2Final().
- The SHA2Init() function initializes the SHA2 context structure
+ The SHA2Init() function initializes the SHA2_CTX context structure
pointed to by context. The mech argument is one of SHA224, SHA256,
- SHA512, and SHA384.
+ SHA384, or SHA512.
The SHA2Update() function computes a partial SHA2 digest on the
- inlen-byte message block pointed to by input, and updates the SHA2
- context structure pointed to by context accordingly.
+ inlen-byte message block pointed to by input, and updates the
+ SHA2_CTX context structure pointed to by context accordingly.
The SHA2Final() function generates the final SHA2Final digest,
using the SHA2 context structure pointed to by context. The SHA2
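Review bot: the renaming of "SHA2 context structure" to "SHA2_CTX context structure" stops short of the last paragraph: the trailing context lines "The SHA2Final() function generates the final SHA2Final digest, using the SHA2 context structure pointed to by context" still say "SHA2 context structure" and, worse, "final SHA2Final digest", which should read "final SHA-2 digest". The hunk's leading context line "SHA2 digest to be computed" likewise keeps the old spelling while the lines it edits switch to SHA-2.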
@@ -164,7 +164,7 @@
SHA384Init(&ctx);
- for(i=0, i<num_buffers; i++
+ for (i = 0; i < num_buffers; i++)
{
SHA384Update(&ctx, messageIov->iov_base,
messageIov->iov_len);
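Review bot: the for loop correction is right (the old line used a comma instead of a semicolon and lacked the closing parenthesis), but within the visible lines the loop body passes messageIov->iov_base and messageIov->iov_len unchanged on every iteration. Unless the lines after this hunk advance messageIov (messageIov++) or index it as messageIov[i], the example digests the first buffer num_buffers times; worth checking while the example is being fixed.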
@@ -190,11 +190,16 @@
+-----------------------------+-----------------------------+
SEE ALSO
- libmd(3LIB)
+ sha3(3EXT), libmd(3LIB)
+
+ FIPS 180-4: Secure Hash Standard (SHS)
+
+ https://csrc.nist.gov/publications/detail/fips/180/4/final
- FIPS 180-2
+HISTORY
+ These functions were added to Solaris in Solaris 10 8/07 (Update 4).
-Oracle Solaris 11.4 18 May 2016 sha2(3EXT)
+Oracle Solaris 11.4 21 Jun 2021 sha2(3EXT)
diff -NurbBw 11.4.36/man3ext/sha3.3ext 11.4.39/man3ext/sha3.3ext
--- 11.4.36/man3ext/sha3.3ext 2021-11-16 13:14:15.264052099 +0000
+++ 11.4.39/man3ext/sha3.3ext 2021-11-16 13:14:50.591801326 +0000
@@ -3,8 +3,8 @@
NAME
- sha3, SHA3Init, SHA3Update, SHA3Final - the SHA3 family of digest func-
- tions
+ sha3, SHA3Init, SHA3Update, SHA3Final - the SHA-3 family of digest
+ functions
SYNOPSIS
cc [ flag ... ] file ... -lmd [ library ... ]
@@ -19,7 +19,7 @@
DESCRIPTION
The SHA3Init(), SHA3Update(), and SHA3Final() functions implement the
- SHA3 family of message-digest algorithms. The algorithms take as input
+ SHA-3 family of message-digest algorithms. The algorithms take as input
a message of arbitrary length and produce a fingerprint or message
digest as output. The SHA message-digest algorithms are intended for
digital signature applications in which large files are compressed in a
@@ -43,21 +43,21 @@
- The SHA3Init() function initializes the SHA3 context structure pointed
- to by context. The mech argument is one of SHA3_224, SHA3_256, SHA3_384
- and SHA3_512.
+ The SHA3Init() function initializes the SHA3_CTX context structure
+ pointed to by context. The mech argument is one of SHA3_224, SHA3_256,
+ SHA3_384, or SHA3_512.
- The SHA3Update() function computes a partial SHA3 digest on the inlen-
- byte message block pointed to by input, and updates the SHA3 context
- structure pointed to by context accordingly.
+ The SHA3Update() function computes a partial SHA-3 digest on the inlen-
+ byte message block pointed to by input, and updates the SHA3_CTX con-
+ text structure pointed to by context accordingly.
- The SHA3Final() function generates the final SHA3 digest, using the
- SHA3 context structure pointed to by context. The SHA3 digest is writ-
- ten to output. After a call to the SHA3Final() function, the state of
- the context structure is undefined. It must be reinitialized with the
- SHA3Init() function before it can be used again.
+ The SHA3Final() function generates the final SHA-3 digest, using the
+ SHA3_CTX context structure pointed to by context. The SHA3 digest is
+ written to output. After a call to the SHA3Final() function, the state
+ of the context structure is undefined. It must be reinitialized with
+ the SHA3Init() function before it can be used again.
RETURN VALUES
These functions do not return a value.
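Review bot: "The SHA3 digest is written to output" in the rewritten SHA3Final() paragraph keeps the unhyphenated "SHA3" while the rest of this hunk changes the algorithm name to SHA-3; use SHA-3 there as well (SHA3 remains correct in the function and SHA3_CTX type names).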
@@ -69,7 +69,7 @@
The following is a sample function that authenticates a message found
in multiple buffers. The calling function provides an authentication
- buffer to contain the result of the SHA3 digest.
+ buffer to contain the result of the SHA-3 digest.
@@ -115,6 +114,15 @@
SEE ALSO
libmd(3LIB)
+ FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output
+ Functions
+
+ https://csrc.nist.gov/publications/detail/fips/202/final
+
+
+HISTORY
+ These functions were added to Oracle Solaris in Solaris 11.4.0.
+
-Oracle Solaris 11.4 9 June 2016 sha3(3EXT)
+Oracle Solaris 11.4 21 Jun 2021 sha3(3EXT)
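Review bot: the SEE ALSO here still lists only libmd(3LIB), while this same change set adds sha3(3EXT) to the SEE ALSO of sha1(3EXT) and sha2(3EXT); add sha1(3EXT) and sha2(3EXT) here for symmetry. The HISTORY line says "added to Oracle Solaris in Solaris 11.4.0" where the other pages in this set write "Oracle Solaris 11.4.0".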
diff -NurbBw 11.4.36/man3gen/p2open.3gen 11.4.39/man3gen/p2open.3gen
--- 11.4.36/man3gen/p2open.3gen 2021-11-16 13:14:15.664902277 +0000
+++ 11.4.39/man3gen/p2open.3gen 2021-11-16 13:14:50.946184698 +0000
@@ -15,11 +15,12 @@
int p2close(FILE *fp[2]);
DESCRIPTION
- The p2open()gfunction forks and execs a shell running the command line
- pointed to by cmd. On return, fp[0] points to a FILE pointer to write
- the command's standard input and fp[1] points to a FILE pointer to read
- from the command's standard output. In this way the program has control
- over the input and output of the command.
+ The p2open() function creates two pipes between the calling program and
+ the command to be executed. The cmd argument consists of a shell com-
+ mand line. On return, fp[0] points to a FILE pointer to write the com-
+ mand's standard input and fp[1] points to a FILE pointer to read from
+ the command's standard output. In this way the program has control over
+ the input and output of the command.
The function returns 0 if successful; otherwise, it returns -1.
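Review bot: the rewritten description drops the old statement that p2open() "forks and execs a shell running the command line", leaving only "consists of a shell command line". Keep an explicit sentence that cmd is executed by the shell, because that is what tells callers that shell metacharacters in cmd are interpreted and that cmd must not be assembled from untrusted input. The "p2open()gfunction" typo fix is good.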
@@ -91,4 +92,4 @@
-Oracle Solaris 11.4 29 Dec 1996 p2open(3GEN)
+Oracle Solaris 11.4 1 Jul 2020 p2open(3GEN)
diff -NurbBw 11.4.36/man3lib/libc.3lib 11.4.39/man3lib/libc.3lib
--- 11.4.36/man3lib/libc.3lib 2021-11-16 13:14:15.789276376 +0000
+++ 11.4.39/man3lib/libc.3lib 2021-11-16 13:14:51.051433261 +0000
@@ -7,58 +7,37 @@
DESCRIPTION
Functions in this library provide various facilities defined by System
- V, ANSI C, POSIX, and so on. See standards(7). In addition, those
- facilities previously defined in the following libraries are now
- defined in this library:
-
- libaio asynchronous I/O library
+ V, ANSI C, and POSIX, as well as common functions used in Oracle
+ Solaris programs.
- libcmd command utility library
+ libc includes interfaces that were once provided by the following
+ libraries. These libraries are maintained to provide backward compati-
+ bility for both runtime and compilation environments. They are imple-
+ mented as a filter to libc, and contain no code. New application devel-
+ opment should not link to these libraries.
+ libaio asynchronous I/O library
+ libcmd command utility library
libdl dynamic linking library
-
-
libdoor doors library
-
-
libintl internationalization library
-
-
libnsl network services library
-
-
libpthread POSIX threads library
-
-
librt POSIX.1b Realtime Extensions library
-
-
libsched scheduling library
-
-
libsecdb security attributes database library
-
-
libsendfile sendfile library
-
-
libsocket sockets library
-
-
libthread Solaris threads library
-
-
libw wide character library
-
-
libxnet X/Open Networking library
INTERFACES
The shared object libc.so.1 provides the public interfaces defined
- below. See intro(3) for additional information on shared object inter-
+ below. See Intro(3) for additional information on shared object inter-
faces.
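Review bot: the rewritten first paragraph drops the "See standards(7)" pointer that followed "System V, ANSI C, POSIX"; since the sentence still names those standards, keep the cross reference in the DESCRIPTION (it survives only in SEE ALSO). "New application development should not link to these libraries" is a useful addition, and the Intro(3) capitalisation matches the SEE ALSO hunk below.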
@@ -1046,14 +1025,13 @@
unlink unlinkat
unlockpt unordered
unsetenv updwtmp
- updwtmpx
- uselocale user2netname
- usleep ustat
- utime utimensat
- utimes utmpname
- utmpxname uucopy
- valloc vasprintf
-
+ updwtmpx uselocale
+ user2netname usleep
+ ustat utime
+ utimensat utimes
+ utmpname utmpxname
+ uucopy valloc
+ vasprintf vdprintf
verr verrx
vfork vforkx
vfprintf vfscanf
@@ -1264,8 +1242,9 @@
- The new bound checking APIs. These are extensions of existing standard
- (without _s suffix) interfaces, which do additional bound checks.
+ C11 Annex K bounds checking APIs. These are extensions of existing
+ (without _s suffix) standard interfaces, which do additional runtime
+ constraint checks.
asctime_s bsearch_s
@@ -1343,7 +1323,7 @@
+-----------------------------+-----------------------------+
SEE ALSO
- pvs(1), Intro(2), intro(3), attributes(7), lf64(7), standards(7)
+ pvs(1), Intro(2), Intro(3), attributes(7), lf64(7), standards(7)
NOTES
The synonyms compatibility library, c_synonyms.so.1, provides a mecha-
@@ -1397,4 +1377,4 @@
-Oracle Solaris 11.4 7 Aug 2019 libc(3LIB)
+Oracle Solaris 11.4 29 Jul 2021 libc(3LIB)
diff -NurbBw 11.4.36/man3lib/libtsol.3lib 11.4.39/man3lib/libtsol.3lib
--- 11.4.36/man3lib/libtsol.3lib 2021-11-16 13:14:15.823063219 +0000
+++ 11.4.39/man3lib/libtsol.3lib 2021-11-16 13:14:51.087220032 +0000
@@ -7,7 +7,7 @@
SYNOPSIS
cc [flag...] file... -ltsol [library...]
- #include <tsol.h>
+ #include <tsol/label.h>
DESCRIPTION
Functions in this library provide programmatic access to Solaris
@@ -40,6 +40,7 @@
Function Committed Replacement
+ -----------------------------------------------------------
bcleartoh label_to_str
bcleartoh_r label_to_str
bcleartos label_to_str
@@ -59,7 +60,7 @@
FILES
- /lib/libtsol.so.2 shared object
+ /lib/libtsol.so.2 32-bit shared object
/lib/64/libtsol.so.2 64-bit shared object
@@ -81,7 +82,10 @@
+-----------------------------+-----------------------------+
SEE ALSO
- intro(3), libtsnet(3LIB), attributes(7)
+ intro(3), libtsnet(3LIB), attributes(7), trusted_extensions(7)
+
+
+ Trusted Extensions Developer's Guide
NOTES
The functionality described on this manual page is available only if
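Review bot: the SEE ALSO in this hunk keeps the lowercase "intro(3)" while the libc(3LIB) hunks in this same change set correct intro(3) to Intro(3); update it here too so the cross references resolve to the same page.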
@@ -89,4 +93,4 @@
-Oracle Solaris 11.4 20 Jul 2010 libtsol(3LIB)
+Oracle Solaris 11.4 21 Jun 2021 libtsol(3LIB)
diff -NurbBw 11.4.36/man4p/ipsec.4p 11.4.39/man4p/ipsec.4p
--- 11.4.36/man4p/ipsec.4p 2021-11-16 13:14:15.886648706 +0000
+++ 11.4.39/man4p/ipsec.4p 2021-11-16 13:14:51.154576619 +0000
@@ -85,13 +85,8 @@
packet translates into an inbound packet with those mechanisms applied.
- IPsec policy is enforced in the ip(4P) driver. Several ipadm tunables
- for IP affect policy enforcement, including:
-
-
- Notice that the property names that begin with an underbar (_). These
- properties are private to the protocol and are subject to change or
- removal. See ipadm(8) for details.
+ IPsec policy is enforced in the ip(4P) driver. Several ipadm(8) tun-
+ ables for IP affect policy enforcement, including:
icmp-accept-clear If equal to on (the default), allow certain clear-
text icmp messages to bypass policy. For ICMP echo
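Review bot: the removed paragraph was the only warning that property names beginning with an underbar (_) are private to the protocol and subject to change or removal. If any tunable remaining in the list after this hunk still carries an underbar name, that caveat should be kept; the rest of the list is outside the hunk, so this needs checking. If all such names are gone, the removal is fine, and folding the ipadm(8) reference into the sentence reads better.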
@@ -109,7 +104,7 @@
Transport Mode and Tunnel Mode
- If IPsec is used on a tunnel. Tunnel Mode IPsec can be used to protect
+ If IPsec is used on a tunnel, Tunnel Mode IPsec can be used to protect
distinct flows within a tunnel or to cause packets that do not match
per-tunnel policy to drop. System-wide policy is always Transport Mode.
A tunnel can use Transport Mode IPsec or Tunnel Mode IPsec.
@@ -434,39 +428,55 @@
ipsecesp(4P), pf_key(4P), udp(4P), attributes(7), in.iked(8), ipadm(8),
ipsecconf(8), ipseckey(8), ndd(8)
-
Kent, S., and Atkinson, R., RFC 2401, Security Architecture for the
Internet Protocol, The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2401
+
Kent, S. and Atkinson, R., RFC 2406, IP Encapsulating Security Payload
(ESP), The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2406
+
Madson, C., and Doraswamy, N., RFC 2405, The ESP DES-CBC Cipher Algo-
rithm with Explicit IV, The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2405
+
Madsen, C. and Glenn, R., RFC 2403, The Use of HMAC-MD5-96 within ESP
and AH, The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2403
+
Madsen, C. and Glenn, R., RFC 2404, The Use of HMAC-SHA-1-96 within ESP
and AH, The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2404
+
Pereira, R. and Adams, R., RFC 2451, The ESP CBC-Mode Cipher Algo-
rithms, The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2451
+
Kelly, S. and Frankel, S., RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec, 2007.
+ and HMAC-SHA-512 with IPsec, The Internet Society, 2007.
+
+ https://tools.ietf.org/html/rfc4868
Huttunen, A., Swander, B., Volpe, V., DiBurro, L., Stenberg, M., RFC
3948, UDP Encapsulation of IPsec ESP Packets, The Internet Society,
2005.
+ https://tools.ietf.org/html/rfc3948
+
+
-Oracle Solaris 11.4 11 May 2021 ipsec(4P)
+Oracle Solaris 11.4 21 Jun 2021 ipsec(4P)
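Review bot: author spelling is inconsistent in the context lines: "Madsen, C." for RFC 2403 and RFC 2404 versus "Madson, C." for RFC 2405; the author of all three is C. Madson. The URL added for RFC 4868 is separated from its citation by a blank line, unlike the other entries. Beyond formatting, RFC 2401 and RFC 2406 have been obsoleted by RFC 4301 and RFC 4303, and RFC 2405 describes DES-CBC, which is no longer an acceptable ESP cipher; consider citing the current RFCs, or at least marking the obsolete ones, while URLs are being added.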
diff -NurbBw 11.4.36/man4p/ipsecesp.4p 11.4.39/man4p/ipsecesp.4p
--- 11.4.36/man4p/ipsecesp.4p 2021-11-16 13:14:15.914144965 +0000
+++ 11.4.39/man4p/ipsecesp.4p 2021-11-16 13:14:51.181074627 +0000
@@ -5,9 +5,6 @@
NAME
ipsecesp, ESP - IPsec Encapsulating Security Payload
-SYNOPSIS
- drv/ipsecesp
-
DESCRIPTION
The ipsecesp module provides confidentiality, integrity, authentica-
tion, and partial sequence integrity (replay protection) to IP data-
@@ -40,8 +37,7 @@
list of authentication and encryption algorithms and their properties
by using the ipsecalgs(8) command. You can also use the functions
described in the getipsecalgbyname(3C) man page to retrieve the proper-
- ties of algorithms. Because of export laws in the United States, not
- all encryption algorithms are available outside of the United States.
+ ties of algorithms.
Security Considerations
ESP without authentication exposes vulnerabilities to cut-and-paste
@@ -64,10 +60,12 @@
getipsecalgbyname(3C), ip(4P), ipsec(4P), ipsecah(4P), attributes(7),
ipsecalgs(8), ipsecconf(8), ndd(8)
-
- Kent, S. and Atkinson, R.RFC 2406, IP Encapsulating Security Payload
+ Kent, S. and Atkinson, R., RFC 2406, IP Encapsulating Security Payload
(ESP), The Internet Society, 1998.
+ https://tools.ietf.org/html/rfc2406
+
+
-Oracle Solaris 11.4 18 May 2003 ipsecesp(4P)
+Oracle Solaris 11.4 21 Jun 2021 ipsecesp(4P)
diff -NurbBw 11.4.36/man5/audit_class.5 11.4.39/man5/audit_class.5
--- 11.4.36/man5/audit_class.5 2021-11-16 13:14:15.953496583 +0000
+++ 11.4.39/man5/audit_class.5 2021-11-16 13:14:51.223681823 +0000
@@ -10,10 +10,10 @@
/etc/security/audit_class.system
DESCRIPTION
- The audit_class(5) file provides the class definitions used for config-
- uring the audit system. Audit events in audit_event(5) are mapped to
- one or more of the defined audit classes. audit_event(5) can be updated
- in conjunction with changes to audit_class(5). See auditconfig(8) and
+ The audit_class file provides the class definitions used for configur-
+ ing the audit system. Audit events in audit_event(5) are mapped to one
+ or more of the defined audit classes. audit_event(5) can be updated in
+ conjunction with changes to audit_class. See auditconfig(8) and
user_attr(5) for information about changing the preselection of audit
classes in the audit system.
@@ -39,7 +39,7 @@
entry is a bitmap and is separated from each other by a NEWLINE.
- Each entry in the audit_class(5) file has the form:
+ Each entry in the audit_class file has the form:
mask:name:description
@@ -91,14 +91,17 @@
The following is an example of an audit_class file:
-
0x0100000000000000:pf:profile command
- Refresh the audit service to update the runtime mappings
- # svcadm refresh svc:/system/auditset:default
+ To refresh the audit service to update the runtime mappings:
+
+
+ # svcadm refresh svc:/system/auditset:default
+
+
FILES
/etc/security/audit_class
@@ -124,5 +127,8 @@
fig(8), auditrecord(8)
+ Managing Auditing in Oracle Solaris 11.4
+
+
-Oracle Solaris 11.4 28 Jan 2021 audit_class(5)
+Oracle Solaris 11.4 21 Jun 2021 audit_class(5)
diff -NurbBw 11.4.36/man5/audit_tags.5 11.4.39/man5/audit_tags.5
--- 11.4.36/man5/audit_tags.5 2021-11-16 13:14:15.993207971 +0000
+++ 11.4.39/man5/audit_tags.5 2021-11-16 13:14:51.254576902 +0000
@@ -9,13 +9,13 @@
/etc/security/audit_tags
DESCRIPTION
- The /etc/security/audit_tags is a local source for tags used in the
- audit system. The audit_tags file can be used with other tag sources
- (see FILES). Audit tags can be used in audit trail output post-selec-
- tion to filter records at a high level, typically at a subsystem level
- such as selecting only network-related events, or filesystem only
- events. See auditreduce(8) command for more information. The auditre-
- duce(8) command also allows specifying an alternate audit tags file.
+ The /etc/security/audit_tags file is a local source for tags used in
+ the audit system. The audit_tags file can be used with other tag
+ sources (see FILES). Audit tags can be used in audit trail output post-
+ selection to filter records at a high level, typically at a subsystem
+ level such as selecting only network-related events, or filesystem only
+ events. See auditreduce(8) for more information. The auditreduce(8)
+ command also allows specifying an alternate audit tags file.
Each tag is composed of one or more tag entries. The fields for each
@@ -43,9 +42,8 @@
value name or other value to be matched in the record. This might
be in the form of a Perl-compatible regular expression (see
- PCRE(3)). A value delimited by double quotes is interpreted
- as a PCRE
-
+ pcresyntax(3)). A value delimited by double quotes is
+ interpreted as a PCRE.
@@ -95,12 +91,12 @@
nitions need not be minimal. There can be some redundancy.
- Tag and provider names may each come up to AU_TAGS_NAME_MAX characters.
+ Tag and provider names may each be up to AU_TAGS_NAME_MAX characters.
The value field may come up to AU_TAGS_VALUE_MAX characters. See <secu-
rity/libaudit.h> for more information.
EXAMPLES
- Example 1 Using event type:
+ Example 1 Using the event type:
solaris:net:event:AUE_netcfg_update
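Review bot: the changed line fixes "may each come up to", but the next, unchanged line "The value field may come up to AU_TAGS_VALUE_MAX characters" keeps the same phrasing; change it to "may be up to" in this hunk.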
@@ -131,8 +125,7 @@
has a privilege string that includes the value file_* also matches the
file tag.
-
- Example 3 Using an expression:
+ Example 3 Using a regular expression:
solaris:dump:path:"[\S]*/coreadm$"
@@ -168,13 +159,16 @@
+-----------------------------+-----------------------------+
- The file format stability is Committed. Whereas, the file content is
- Uncommitted.
+ The file format stability is Committed. The file content is Uncommit-
+ ted.
SEE ALSO
audit_class(5), audit_event(5), auth_attr(5), attributes(7), privi-
leges(7), auditconfig(8)
+HISTORY
+ audit_tags were added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 23 Mar 2016 audit_tags(5)
+Oracle Solaris 11.4 21 Jun 2021 audit_tags(5)
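Review bot: "audit_tags were added in Oracle Solaris 11.4.0" treats the file name as a plural; write "The audit_tags file was added in Oracle Solaris 11.4.0" to match the HISTORY wording used on the other pages in this set.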
diff -NurbBw 11.4.36/man5/audit.log.5 11.4.39/man5/audit.log.5
--- 11.4.36/man5/audit.log.5 2021-11-16 13:14:16.025064185 +0000
+++ 11.4.39/man5/audit.log.5 2021-11-16 13:14:51.287162621 +0000
@@ -34,9 +34,13 @@
minute. All fields are of fixed width.
- Audit data is generated in the binary format described below; the
- default for Oracle Solaris audit is binary format. For more informa-
- tion, see the audit_syslog(7) man page for an alternate data format.
+ Audit data is generated in the binary format described below by the
+ audit_binfile(7) plugin, which is the default for Oracle Solaris audit-
+ ing. See the audit_syslog(7) man page for an alternate data format. The
+ praudit(8) utility prints the contents of the binary format in a read-
+ able text format. The auditreduce(8) utility filters the contents of
+ the binary format to select records for printing by praudit or other
+ processing.
The audit.log file begins with a standalone file token and typically
@@ -53,6 +57,14 @@
included.
+ The auditrecord(8) utility displays the event ID, audit class and
+ selection mask, and record format for audit record event types defined
+ in audit_event(5). The record format lists the tokens included in audit
+ records for that class of audit event. Additional tokens may be
+ included as described in the Notes section of the auditrecord(8) manual
+ page.
+
+
The tokens are defined as follows:
@@ -132,12 +138,11 @@
The clearance token consists of:
-
token ID 1 byte
clearance ID 1 byte
compartment length 1 byte
classification 2 bytes
- compartment words <compartment length> * 4 bytes
+ compartment words compartment length * 4 bytes
@@ -196,10 +196,9 @@
The fmri token consists of:
-
token ID 1 byte
fmri length 2 bytes
- fmri <fmri length>> including terminating NULL byte
+ fmri fmri length including terminating NULL byte
@@ -315,13 +305,11 @@
The label token consists of:
-
token ID 1 byte
label ID 1 byte
compartment length 1 byte
classification 2 bytes
- compartment words <compartment length> * 4 bytes
-
+ compartment words compartment length * 4 bytes
@@ -516,11 +488,10 @@
The user token consists of:
-
token ID 1 byte
user ID 4 bytes
user name length 2 bytes
- user name <user name len> including terminating NULL byte
+ user name user name len including terminating NULL byte
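Review bot: the size column on the user name row now reads "user name len" while the field it refers to, two rows up, is "user name length"; the zonename token in this same series spells it out in full ("name length including terminating NULL byte"). Suggest "user name length including terminating NULL byte". More generally, once the angle brackets are gone, rows like this one and "compartment words compartment length * 4 bytes" read as a run of words; if the nroff source can mark the referenced field (italics), keep that cue so a reader sees that it is the value of the preceding field, not a second label.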
@@ -640,10 +599,9 @@
The zonename token consists of:
-
token ID 1 byte
name length 2 bytes
- name <name length> including terminating NULL byte
+ name name length including terminating NULL byte
@@ -662,8 +620,13 @@
mitted.
SEE ALSO
- audit_binfile(7), audit_syslog(7), audit(8), auditconfig(8), auditd(8)
+ audit_class(5), audit_event(5), audit_binfile(7), audit_syslog(7),
+ audit(8), auditconfig(8), auditd(8), auditrecord(8), auditreduce(8),
+ praudit(8)
+
+
+ Managing Auditing in Oracle Solaris 11.4
-Oracle Solaris 11.4 27 Apr 2017 audit.log(5)
+Oracle Solaris 11.4 21 Jun 2021 audit.log(5)
diff -NurbBw 11.4.36/man5/auth_attr.5 11.4.39/man5/auth_attr.5
--- 11.4.36/man5/auth_attr.5 2021-11-16 13:14:16.055070632 +0000
+++ 11.4.39/man5/auth_attr.5 2021-11-16 13:14:51.316947110 +0000
@@ -7,6 +7,7 @@
SYNOPSIS
/etc/security/auth_attr
+ /etc/security/auth_attr.d/package
DESCRIPTION
/etc/security/auth_attr is a local source for authorization names and
@@ -15,8 +16,16 @@
thattr(3C) routines to access this information.
+ /etc/security/auth_attr entries are locally managed by the system
+ administrator. The /etc/security/auth_attr.d directory contains addi-
+ tional entries installed by packages which should not be locally modi-
+ fied. If an entry appears in multiple files in these locations,
+ /etc/security/auth_attr takes precedence. The auths(1) command may be
+ used to verify the active definition for an authorization.
+
+
The search order for multiple authorization sources is specified in the
- /etc/nsswitch.conf file, as described in the nsswitch.conf(5) man page.
+ nsswitch.conf(5) man page.
An authorization is a right assigned to users that is checked by cer-
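Review bot: "The search order for multiple authorization sources is specified in the nsswitch.conf(5) man page" is not quite right: a man page describes the order, the name-service switch configuration specifies it. If the reason for dropping the /etc/nsswitch.conf path is that the file is no longer what an administrator edits, say "is configured as described in nsswitch.conf(5)". The precedence paragraph is a good addition; it would be worth stating what "takes precedence" means for an authorization that is defined in both places, i.e. whether the whole entry from /etc/security/auth_attr is used and the auth_attr.d entry ignored, or the two are merged, since that is what someone overriding a packaged authorization needs to know.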
@@ -159,13 +162,10 @@
assign any authorization.
-
solaris.auth.assign:::Grant All Solaris Authorizations::
-
- Example 6 Consulting the Local Authorization File Ahead of the NIS Ta-
- ble
+ Example 6 Consulting the Local Authorization File Ahead of LDAP
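Review bot: only the heading of Example 6 changes here (NIS table to LDAP); the example body is outside this hunk, so confirm that its switch line and explanatory text now show an ldap source rather than nis, otherwise the heading and the example it introduces will disagree.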
@@ -177,30 +177,41 @@
FILES
- /etc/nsswitch.conf
-
+ /etc/security/auth_attr
+ Locally added entries.
- /etc/user_attr
+ /etc/security/auth_attr.d/*
+ Entries added by package installation.
+ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
- /etc/security/auth_attr
- Locally added entries. Make sure that the shipped header remains
- intact.
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Availability |See below. |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |See below. |
+ +-----------------------------+-----------------------------+
+ Availability
+ /etc/security/auth_attr is delivered in the system/core-os package.
- /etc/security/auth_attr.d/*
- Entries added by package installation.
+ /etc/security/auth_attr.d/ files are delivered in the packages that
+ provide the software they are associated with.
+ Interface Stability
+ The format is Committed. The contents have no stability attributes.
SEE ALSO
auths(1), getauthattr(3C), getexecattr(3C), getprofattr(3C), getuser-
- attr(3C), exec_attr(5), nsswitch.conf(5), user_attr(5)
+ attr(3C), exec_attr(5), nsswitch.conf(5), user_attr(5), rbac(7)
NOTES
Because the list of legal keys is likely to expand, any code that
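Review bot: the FILES entry for /etc/security/auth_attr silently drops the guidance "Make sure that the shipped header remains intact." If the header no longer matters (for example because packaged entries now live in auth_attr.d and the local file is entirely administrator-owned), a short sentence in DESCRIPTION saying the local file may be edited freely would close the gap left by removing it; if the header still matters, keep the sentence. The same text is removed from exec_attr(5) further down in this patch, so whichever way it goes, do it in both places.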
@@ -221,6 +232,13 @@
solaris.auth.delegate allows an authorized user to grant only the
user's authorizations to another user.
+HISTORY
+ Support for /etc/security/auth_attr.d/ files was added in Oracle
+ Solaris 11.0.0.
+
+
+ /etc/security/auth_attr was added in Solaris 8.
+
-Oracle Solaris 11.4 5 Jan 2016 auth_attr(5)
+Oracle Solaris 11.4 21 Jun 2021 auth_attr(5)
diff -NurbBw 11.4.36/man5/bart_manifest.5 11.4.39/man5/bart_manifest.5
--- 11.4.36/man5/bart_manifest.5 2021-11-16 13:14:16.093115126 +0000
+++ 11.4.39/man5/bart_manifest.5 2021-11-16 13:14:51.346629202 +0000
@@ -16,8 +16,12 @@
Lines that begin with ! supply metadata about the manifest. The mani-
fest version line indicates the manifest specification version. The
- date line shows the date on which the manifest was created, in date(1)
- form.
+ date line shows the date on which the manifest was created.
+
+
+ Version 1.0 manifests always use MD5 digests for the file contents
+ checksum. Version 1.1 manifests specify the digest algorithm used in a
+ ! Hash line in the manifest header.
Some lines are ignored by the manifest comparison tool. Ignored lines
@@ -90,8 +94,8 @@
acl ACL attributes for the file. For a file with ACL
- attributes, this field contains the output from aclto-
- text().
+ attributes, this field contains the output from
+ acl_totext(3SEC).
uid Numerical user ID of the owner of this entry.
@@ -116,6 +120,12 @@
if checksums cannot be computed, the value of this field is
-.
+ In Version 1.0 manifests, this checksum is calculated as an
+ MD5 digest. In Version 1.1 manifests, this checksum is cal-
+ culated using one of the SHA algorithms, specified in the
+ manifest header, and controlled by the use of the -a option
+ to the bart command.
+
dest Destination of a symbolic link.
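Review bot: "one of the SHA algorithms, specified in the manifest header" leaves the reader guessing which digest names -a accepts and which one a Version 1.1 manifest uses when -a is not given; list the accepted names here (or point at the -a description in bart(8)) and state the default, since the example later on this page shows "! Hash SHA256". A one-line caveat next to the Version 1.0 sentence would also help: MD5 is not collision resistant, so a Version 1.0 manifest can show that a file changed but should not be relied on to detect deliberate substitution; use a Version 1.1 manifest with a SHA digest for that purpose.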
@@ -129,7 +139,7 @@
file names.
- When generating a manifest for file names that embedded TAB, SPACE, or
+ When generating a manifest for file names with embedded TAB, SPACE, or
NEWLINE characters, the special characters are encoded in their octal
forms.
@@ -137,17 +147,17 @@
+-----------------------------+-----------------------------+
|Input Character |Quoted Character |
+-----------------------------+-----------------------------+
- |SPACE |\SPACE |
+ |SPACE |\040 |
+-----------------------------+-----------------------------+
- |TAB |\TAB |
+ |TAB |\009 |
+-----------------------------+-----------------------------+
- |NEWLINE |\NEWLINE |
+ |NEWLINE |\012 |
+-----------------------------+-----------------------------+
- |? |\? |
+ |? |\077 |
+-----------------------------+-----------------------------+
- |[ |\[ |
+ |[ |\133 |
+-----------------------------+-----------------------------+
- |* |\* |
+ |* |\052 |
+-----------------------------+-----------------------------+
EXAMPLES
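Review bot: the TAB row of the table is wrong: "\009" is not an octal escape (octal digits run 0 to 7), and the sentence above the table says the characters are encoded in their octal forms. ASCII TAB is decimal 9, which is \011 in octal. The other rows check out (\040 SPACE, \012 NEWLINE, \077 ?, \133 [, \052 *). Anyone writing rules or tooling against manifest file names will copy this table, so please change it to \011.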
@@ -157,13 +167,14 @@
The following is a sample system manifest file. The file entries are
sorted by the encoded versions of the file names to correctly handle
- special characters.
-
+ special characters. In the actual output, all information for each file
+ is on a single line, without the line breaks and indentation shown
+ here.
-
- ! Version 1.0
- ! Mon Feb 11 10:55:30 2002
+ ! Version 1.1
+ ! Hash SHA256
+ ! Monday, June 14, 2021 (15:31:10)
# Format:
# fname D size mode acl dirmtime uid gid
# fname P size mode acl mtime uid gid
@@ -172,21 +183,57 @@
# fname L size mode acl lnmtime uid gid dest
# fname B size mode acl mtime uid gid devnode
# fname C size mode acl mtime uid gid devnode
- /etc D 3584 40755 user::rwx,group::r-x,mask::r-x,other::r-x,
- 3c6803d7 0 3
- /etc/.login F 524 100644 user::rw-,group::r--,mask::r--,other::r--,
- 3c165878 0 3 27b53d5c3e844af3306f1f12b330b318
- /etc/.pwd.lock F 0 100600 user::rw-,group::---,mask::---,other::---,
- 3c166121 0 0 d41d8cd98f00b204e9800998ecf8427e
- /etc/.syslog_door L 20 120777 user::rw-,group::r--,mask::
- rwx,other::r--,3c6803d5 0 0 /var/run/syslog_door
- /etc/cron.d/FIFO P 0 10600 user::rw-,group::---,mask::---,other::---,
- 3c6803d5 0 0
+ /etc D 210 40755 owner@:list_directory/read_data/add_file/write_data/
+ add_subdirectory/append_data/read_xattr/write_xattr/execute/
+ delete_child/read_attributes/write_attributes/read_acl/write_acl/
+ write_owner/synchronize:allow,group@:list_directory/read_data/
+ read_xattr/execute/read_attributes/read_acl/synchronize:allow,
+ everyone@:list_directory/read_data/read_xattr/execute/
+ read_attributes/read_acl/synchronize:allow 60a53d9e 0 3
+ /etc/.login F 932 100644 owner@:read_data/write_data/append_data/
+ read_xattr/write_xattr/read_attributes/write_attributes/read_acl/
+ write_acl/write_owner/synchronize:allow,group@:read_data/
+ read_xattr/read_attributes/read_acl/synchronize:allow,everyone@:
+ read_data/read_xattr/read_attributes/read_acl/synchronize:allow
+ 60a04ac2 0 0
+ 9d958c6748fb88091c90ba5995af891226971d65ef8b08f2f9020f004804a13e
+ /etc/.pwd.lock F 0 100755 owner@:read_data/write_data/append_data/
+ read_xattr/write_xattr/execute/read_attributes/write_attributes/
+ read_acl/write_acl/write_owner/synchronize:allow,group@:read_data/
+ read_xattr/execute/read_attributes/read_acl/synchronize:allow,
+ everyone@:read_data/read_xattr/execute/read_attributes/read_acl/
+ synchronize:allow 60a53d9e 0 0
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ /etc/hosts L 12 120777 - 5bc7c298 0 0 ./inet/hosts
+ /etc/rc2.d/S89PRESERVE F 230 100744 owner@:read_data/write_data/
+ append_data/read_xattr/write_xattr/execute/read_attributes/
+ write_attributes/read_acl/write_acl/write_owner/synchronize:allow,
+ group@:read_data/read_xattr/read_attributes/read_acl/synchronize:
+ allow,everyone@:read_data/read_xattr/read_attributes/read_acl/
+ synchronize:allow 5b762e3a 0 0
+ 78f67104d0a23eecc8d1cdfd1c196ccb84c948a0b37d6fb78cc3fb1f01359271
+
+
+
+ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+ +-----------------------------+-----------------------------+
+
SEE ALSO
- date(1), bart_rules(5), attributes(7), bart(8)
+ acl_totext(3SEC), bart_rules(5), attributes(7), bart(8)
+
+HISTORY
+ Support for Version 1.1 manifests was added in Oracle Solaris 11.0.0.
+
+
+ Support for Version 1.0 manifests was added in Solaris 10 3/05.
-Oracle Solaris 11.4 7 Mar 2011 bart_manifest(5)
+Oracle Solaris 11.4 21 Jun 2021 bart_manifest(5)
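Review bot: formatting in the new ATTRIBUTES section: the "See attributes(7) for descriptions of the following attributes:" line runs straight into the table with no blank line, whereas the same section added to mech(5) in this patch separates them with blank lines, and there are three consecutive blank lines before the ATTRIBUTES heading. The content of the new example is a clear improvement (SHA256 digests, NFSv4 ACL text, a symlink with "-" in the acl field, and the digest shown for the empty /etc/.pwd.lock is the correct SHA-256 of empty input).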
diff -NurbBw 11.4.36/man5/bart_rules.5 11.4.39/man5/bart_rules.5
--- 11.4.36/man5/bart_rules.5 2021-11-16 13:14:16.134603779 +0000
+++ 11.4.39/man5/bart_rules.5 2021-11-16 13:14:51.379189029 +0000
@@ -176,8 +176,8 @@
The attribute keywords are as follows:
acl ACL attributes for the file. For a file with ACL
- attributes, this field contains the output from aclto-
- text().
+ attributes, this field contains the output from
+ acl_totext(3SEC).
all All attributes.
@@ -186,7 +186,8 @@
contents Checksum value of the file. This attribute is only speci-
fied for regular files. If you turn off context checking or
if checksums cannot be computed, the value of this field is
- -.
+ -. The algorithm used to compute this is controlled by the
+ -a option to the bart command.
dest Destination of a symbolic link.
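Review bot: while touching this paragraph, fix the unchanged line just above the change: "If you turn off context checking" should be "contents checking", since the keyword being described is contents. The added sentence should also say which algorithm is used when -a is not given, otherwise the reader has to cross-reference bart(8) to learn what a manifest written without -a contains.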
@@ -308,4 +307,4 @@
-Oracle Solaris 11.4 9 Sep 2003 bart_rules(5)
+Oracle Solaris 11.4 21 Jun 2021 bart_rules(5)
diff -NurbBw 11.4.36/man5/crypt.conf.5 11.4.39/man5/crypt.conf.5
--- 11.4.36/man5/crypt.conf.5 2021-11-16 13:14:16.172804685 +0000
+++ 11.4.39/man5/crypt.conf.5 2021-11-16 13:14:51.413539867 +0000
@@ -107,6 +98,10 @@
crypt_bsdbf(7), crypt_bsdmd5(7), crypt_sha256(7), crypt_sha512(7),
crypt_sunmd5(7), crypt_unix(7), account-policy(8S)
+HISTORY
+ Support for crypt.conf was added to Solaris in Solaris 9 12/02 (Update
+ 2).
+
-Oracle Solaris 11.4 9 Mar 2020 crypt.conf(5)
+Oracle Solaris 11.4 21 Jun 2021 crypt.conf(5)
diff -NurbBw 11.4.36/man5/device_allocate.5 11.4.39/man5/device_allocate.5
--- 11.4.36/man5/device_allocate.5 2021-11-16 13:14:16.211047237 +0000
+++ 11.4.39/man5/device_allocate.5 2021-11-16 13:14:51.443838902 +0000
@@ -94,7 +94,7 @@
device-exec
The physical device's data clean program to be run any time the
- device is acted on by allocate. This ensures that unmanaged data
+ device is acted on by allocate(8). This ensures that unmanaged data
does not remain in the physical device between uses. This field
contains the filename of a program in /etc/security/lib or the full
pathname of a cleanup script provided by the system administrator.
@@ -129,10 +129,8 @@
Declare that physical device st0 is a type st. st is allocatable, and
- the script used to clean the device after running deallocate is named
- /etc/security/lib/st_clean.
-
-
+ the script used to clean the device after running deallocate(8) is
+ named /etc/security/lib/st_clean.
# scsi tape
@@ -146,9 +144,9 @@
Making a device allocatable means that you need to allocate and deallo-
- cate it to use it (with allocate and deallocate). If a device is not
- allocatable, there is an asterisk (*) in the auths field, and no one
- can use the device.
+ cate it to use it (with allocate(8) and deallocate(8)). If a device is
+ not allocatable, there is an asterisk (*) in the auths field, and no
+ one can use the device.
FILES
/etc/security/device_allocate
@@ -169,7 +167,8 @@
+-----------------------------+-----------------------------+
SEE ALSO
- auths(1), list_devices(1), auth_attr(5), attributes(7)
+ auths(1), list_devices(1), auth_attr(5), device_maps(5), attributes(7),
+ allocate(8), deallocate(8), device_allocate(8)
NOTES
On systems configured with Trusted Extensions, the functionality is
@@ -178,4 +177,4 @@
-Oracle Solaris 11.4 11 Aug 2014 device_allocate(5)
+Oracle Solaris 11.4 21 Jun 2021 device_allocate(5)
diff -NurbBw 11.4.36/man5/device_maps.5 11.4.39/man5/device_maps.5
--- 11.4.36/man5/device_maps.5 2021-11-16 13:14:16.238011711 +0000
+++ 11.4.39/man5/device_maps.5 2021-11-16 13:14:51.476446629 +0000
@@ -56,8 +56,8 @@
Leading and trailing blanks are allowed in any of the fields.
- The device_maps file must be created by the system administrator
- bef\ore device allocation is enabled.
+ The device_maps file must be created by the system administrator before
+ device allocation is enabled.
This file is owned by root, with a group of sys, and a mode of 0644.
@@ -107,4 +106,4 @@
-Oracle Solaris 11.4 11 Aug 2014 device_maps(5)
+Oracle Solaris 11.4 21 Jun 2021 device_maps(5)
diff -NurbBw 11.4.36/man5/exec_attr.5 11.4.39/man5/exec_attr.5
--- 11.4.36/man5/exec_attr.5 2021-11-16 13:14:16.268134234 +0000
+++ 11.4.39/man5/exec_attr.5 2021-11-16 13:14:51.506968296 +0000
@@ -7,6 +7,7 @@
SYNOPSIS
/etc/security/exec_attr
+ /etc/security/exec_attr.d/package
DESCRIPTION
/etc/security/exec_attr is a local database that specifies the execu-
@@ -16,16 +17,24 @@
information.
+ /etc/security/exec_attr entries are locally managed by the system
+ administrator. The /etc/security/exec_attr.d directory contains addi-
+ tional entries installed by packages which should not be locally modi-
+ fied. If an entry appears in multiple files in these locations,
+ /etc/security/exec_attr takes precedence. The getent(8) command may be
+ used to verify the active entries in this database.
+
+
The search order for multiple execution profile sources is specified in
- the /etc/nsswitch.conf file, as described in the nsswitch.conf(5) man
- page. The search order follows the entry for prof_attr(5).
+ the nsswitch.conf(5) man page. The search order follows the entry for
+ prof_attr(5).
A profile is a logical grouping of authorizations and commands that is
interpreted by a profile shell to form a secure execution environment.
- The shells that interpret profiles are pfcsh, pfksh, and pfsh. See the
- pfsh(1) man page. Each user's account is assigned zero or more profiles
- in the user_attr(5) database file.
+ The shells that interpret profiles are described in the pfsh(1) man
+ page. Each user's account is assigned zero or more profiles in the
+ user_attr(5) database.
Each entry in the exec_attr database consists of one line of text con-
@@ -73,7 +82,7 @@
being reset to real UIDs, you can start the script with the
-p option.
- #!/bin/sh -p
+ #!/usr/sunos/bin/sh -p
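Review bot: the interpreter in the sample changes from /bin/sh to /usr/sunos/bin/sh, but the sentence introducing it ("you can start the script with the -p option") is unchanged and gives no reason for the full path. If the behaviour described, keeping the effective IDs from being reset, depends on the shell at that path rather than on whatever /bin/sh is in this release, say so in one sentence; otherwise readers will "correct" the example back to /bin/sh and lose the behaviour. A cross reference to the shell's own page at that point would also help.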
@@ -134,22 +143,15 @@
Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner
-
-
-
FILES
- o /etc/nsswitch.conf
-
-
- o /etc/user_attr
+ /etc/security/exec_attr
+ Locally added entries.
- o /etc/security/exec_attr - Locally added entries. Make sure
- that the shipped header remains intact.
+ /etc/security/exec_attr.d/*
- o /etc/security/exec_attr.d/* - Entries added by package
- installation.
+ Entries added by package installation.
ATTRIBUTES
@@ -159,13 +161,20 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |system/core-os |
+ |Availability |See below. |
+-----------------------------+-----------------------------+
- |Interface Stability |See below |
+ |Interface Stability |See below. |
+-----------------------------+-----------------------------+
+ Availability
+ /etc/security/exec_attr is delivered in the system/core-os package.
+
- The command-line syntax is Committed. The output is Uncommitted.
+ /etc/security/exec_attr.d/ files are delivered in the packages that
+ provide the software they are associated with.
+
+ Interface Stability
+ The format is Committed. The contents have no stability attributes.
NOTES
Because the list of legal keys is likely to expand, any code that
@@ -180,8 +189,7 @@
(;), equals (=), and backslash (\).
-
- Authorizations required to set various fields are listed:
+ The authorizations required to set various fields are:
name profile name solaris.profile.cmd.manage
policy security policy solaris.profile.cmd.manage
@@ -191,10 +199,8 @@
-
-
-
- attr security attributes of the command
+ The authorizations required to set attr security attributes of the com-
+ mand are:
euid euid of the command solaris.profile.cmd.setuid
process
@@ -209,7 +215,7 @@
privileges for the
command. An Extended
Policy can be specified
- here. See privileges.7.
+ here. See privileges(7).
limitprivs privileges assigned to
the limit set of solaris.privilege.assign/delegate
privileges for the
@@ -232,8 +238,8 @@
The solaris.privilege.assign authorization allows the authorized user
to grant any privilege to a command. The solaris.privilege.delegate
allows the authorized user to grant privileges from the user's privi-
- lege sets. See group(5) for more information on
- solaris.group.assign/delegate.
+ lege sets. See group(5) for more information on solaris.group.assign
+ and solaris.group.delegate.
The solaris.label.delegate authorization allows the authorized user to
@@ -250,11 +256,18 @@
clearance.
SEE ALSO
- auths(1), profiles(1), roles(1), sh(1), kva_match(3C), getauthattr(3C),
- getexecattr(3C), getprofattr(3C), getuserattr(3C), auth_attr(5),
- group(5), prof_attr(5), user_attr(5), attributes(7), privileges(7),
- makedbm(8)
+ auths(1), profiles(1), roles(1), sh(1s), kva_match(3C), getau-
+ thattr(3C), getexecattr(3C), getprofattr(3C), getuserattr(3C),
+ auth_attr(5), group(5), prof_attr(5), user_attr(5), attributes(7),
+ privileges(7), rbac(7)
+
+HISTORY
+ Support for /etc/security/exec_attr.d/ files was added in Oracle
+ Solaris 11.0.0.
+
+
+ /etc/security/exec_attr was added in Solaris 8.
-Oracle Solaris 11.4 23 Jan 2017 exec_attr(5)
+Oracle Solaris 11.4 21 Jun 2021 exec_attr(5)
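Review bot: "sh(1s)" uses a lowercase section suffix while every other suffixed section in this patch is uppercase ("3SEC", "3PAM", "8S"), so this is presumably meant to be "sh(1S)", or plain sh(1) if that is the page for the shell the example above now uses. Confirm the page actually exists under whichever section name is kept.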
diff -NurbBw 11.4.36/man5/ike.config.5 11.4.39/man5/ike.config.5
--- 11.4.36/man5/ike.config.5 2021-11-16 13:14:16.335712862 +0000
+++ 11.4.39/man5/ike.config.5 2021-11-16 13:14:51.608285026 +0000
@@ -90,19 +90,15 @@
/etc/inet/ike/publickeys, or even the ISSUER. For example:
-
-
"SLOT=0"
- "[email protected]"
- "[email protected]" # Some just work w/o TYPE=
+ "[email protected]"
+ "[email protected]" # Some just work w/o TYPE=
"IP=10.0.0.1"
"10.21.11.11" # Some just work w/o TYPE=
- "DNS=www.domain.org"
- "mailhost.domain.org" # Some just work w/o TYPE=
+ "DNS=www.example.com"
+ "mailhost.example.com" # Some just work w/o TYPE=
"ISSUER=C=US, O=Sun Microsystems\\, Inc., CN=Sun CA"
-
-
Any cert-sel preceded by the character ! indicates a negative
match, that is, not matching this specifier. These are the same
kind of strings used in ikecert(8).
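Review bot: the mailbox and DNS selectors move to the reserved example.com domain, but the ISSUER line two lines below still reads "O=Sun Microsystems\\, Inc., CN=Sun CA". For consistency within the same example, give the issuer an example.com style DN in the same change.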
@@ -272,7 +268,9 @@
retrieve Certificate Revocation Lists (CRLs).
- wire_label inner wire_label label wire_label none label
+ wire_label inner
+ wire_label label
+ wire_label none label
This keyword can only be used if label_aware mode is selected and
defines how IKE communicates with label-aware peers. wire_label
@@ -386,7 +386,7 @@
- p1_xform '{' parameter-list '}
+ p1_xform '{' parameter-list '}'
A phase 1 transform specifies a method for protecting an IKE phase
1 exchange. An initiator offers up lists of phase 1 transforms, and
@@ -672,10 +671,10 @@
# Explicitly trusted certs that need no signatures, or perhaps
# self-signed ones. Like root certificates, use full DNs for them
# for now.
- cert_trust "[email protected]"
+ cert_trust "[email protected]"
# Where do I send LDAP requests?
- ldap_server "ldap1.domain.org,ldap2.domain.org:389"
+ ldap_server "ldap1.example.com,ldap2.example.com:389"
## phase 1 transform defaults...
@@ -783,7 +782,7 @@
label "punchin-point"
local_id_type mbox
- local_id "[email protected]"
+ local_id "[email protected]"
remote_id "10.5.5.128"
@@ -798,7 +797,7 @@
{
label "receiver side"
- remote_id "[email protected]"
+ remote_id "[email protected]"
local_id_type ip
local_id "10.5.5.128"
@@ -849,25 +848,46 @@
ikeadm(8), ikecert(8), in.iked(8), ipsecalgs(8), ipsecconf(8),
ipseckey(8), svccfg(8)
-
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
Cisco Systems, November 1998.
+ https://tools.ietf.org/html/rfc2409
+
Maughan, Douglas et. al. RFC 2408, Internet Security Association and
Key Management Protocol (ISAKMP). National Security Agency, Ft. Meade,
MD. November 1998.
+ https://tools.ietf.org/html/rfc2408
+
Piper, Derrell. RFC 2407, The Internet IP Security Domain of Interpre-
tation for ISAKMP. Network Alchemy. Santa Cruz, California. November
1998.
+ https://tools.ietf.org/html/rfc2407
+
Kivinen, T. RFC 3526, More Modular Exponential (MODP) Diffie-Hellman
Groups for Internet Key Exchange (IKE). The Internet Society, Network
Working Group. May 2003.
+ https://tools.ietf.org/html/rfc3526
+
+
+ Fu, D. RFC 4753, ECP Groups for IKE and IKEv2. National Security
+ Agency, Ft. Meade, MD. January 2007.
+
+ https://tools.ietf.org/html/rfc4753
+
+
+ Lepinski, M. RFC 5114, Additional Diffie-Hellman Groups for Use with
+ IETF Standards. The Internet Society, Network Working Group. January
+ 2008.
+
+ https://tools.ietf.org/html/rfc5114
+
+
-Oracle Solaris 11.4 11 May 2021 ike.config(5)
+Oracle Solaris 11.4 21 Jun 2021 ike.config(5)
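Review bot: RFC 4753 was obsoleted by RFC 5903, which changes a detail of how the shared secret is computed for these ECP groups; if the implementation follows the corrected text, cite RFC 5903 instead, and if it really follows RFC 4753 that deserves a caveat since the two differ on the wire. For RFC 5114, a sentence noting that RFC 8247 lists its MODP groups with small prime-order subgroups as SHOULD NOT would help an administrator choosing dh_group values. Layout: the two new entries put a blank line between the citation and its URL while the four existing entries do not; pick one style.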
diff -NurbBw 11.4.36/man5/ike.preshared.5 11.4.39/man5/ike.preshared.5
--- 11.4.36/man5/ike.preshared.5 2021-11-16 13:14:16.372084081 +0000
+++ 11.4.39/man5/ike.preshared.5 2021-11-16 13:14:51.638314562 +0000
@@ -21,6 +21,7 @@
Name Value Example
+ ----------------------------------------------------------------------
localidtype IP localidtype IP
remoteidtype IP remoteidtype IP
localid IP-address localid 10.1.1.2
@@ -87,12 +88,12 @@
}
-
-
SECURITY
If this file is compromised, all IPsec security associations derived
from secrets in this file will be compromised as well. The default per-
- missions on ike.preshared are 0600. They should stay this way.
+ missions on ike.preshared are 0600. They should stay this way. The
+ pfedit(8) command should not be used to modify this file as it has the
+ potential to put sensitive keying material into the audit log.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
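Review bot: the pfedit(8) warning now matches the one in ikev2.preshared(5), but that page's hunk in this patch goes a step further and says the sensitive system attribute is set on the file by packaging and should be kept. If ike.preshared carries the same attribute, document it here in the same words; if it does not, that is a gap worth closing, since both files hold the same class of secret.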
@@ -109,4 +110,4 @@
-Oracle Solaris 11.4 12 Aug 2014 ike.preshared(5)
+Oracle Solaris 11.4 21 Jun 2021 ike.preshared(5)
diff -NurbBw 11.4.36/man5/ikev2.config.5 11.4.39/man5/ikev2.config.5
--- 11.4.36/man5/ikev2.config.5 2021-11-16 13:14:16.413005667 +0000
+++ 11.4.39/man5/ikev2.config.5 2021-11-16 13:14:51.757553661 +0000
@@ -750,7 +748,7 @@
ikesa_xform { encr_alg aes(128..256) auth_alg sha1 dh_group 14 }
# Group 2 is 1024-bit MODP
ikesa_xform { encr_alg aes(128..256) auth_alg sha1 dh_group 2 }
- }
+
# Camellia is accepted as an alternative to AES. The key size has
# not been specified, so all supported key lengths are OK.
ikesa_xform { encr_alg camellia auth_alg sha1 dh_group 2 }
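Review bot: the stray "}" after the dh_group 2 transform would have closed the enclosing rule before the camellia transform, so removing it is right; confirm that the closing brace for that rule still appears after the camellia line in the full example, since nothing in this hunk shows it.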
@@ -811,4 +808,4 @@
-Oracle Solaris 11.4 27 Nov 2017 ikev2.config(5)
+Oracle Solaris 11.4 21 Jun 2021 ikev2.config(5)
diff -NurbBw 11.4.36/man5/ikev2.preshared.5 11.4.39/man5/ikev2.preshared.5
--- 11.4.36/man5/ikev2.preshared.5 2021-11-16 13:14:16.442652683 +0000
+++ 11.4.39/man5/ikev2.preshared.5 2021-11-16 13:14:51.796133624 +0000
@@ -36,6 +36,7 @@
Name Value Example
+ ----------------------------------------------------------------------
label ASCII-string "My IKEv2 rule"
key hex-string 1234567890abcdef
local_key hex-string 0x1234567890abcdef
@@ -111,7 +109,8 @@
The default and recommended file permissions for ikev2.preshared are
0600. The pfedit(8) command should not be used to modify this file as
it has the potential to put sensitive keying material into the audit
- log.
+ log. The sensitive system attribute is set on this file by the packag-
+ ing system and should be kept.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
@@ -130,4 +129,4 @@
-Oracle Solaris 11.4 27 Nov 2017 ikev2.preshared(5)
+Oracle Solaris 11.4 21 Jun 2021 ikev2.preshared(5)
diff -NurbBw 11.4.36/man5/issue.5 11.4.39/man5/issue.5
--- 11.4.36/man5/issue.5 2021-11-16 13:14:16.478263517 +0000
+++ 11.4.39/man5/issue.5 2021-11-16 13:14:51.824814821 +0000
@@ -6,18 +6,21 @@
issue - issue identification file
DESCRIPTION
- The file /etc/issue contains the issue or project identification to be
- printed as a login prompt. issue is an ASCII file that is read by pro-
- gram ttymon and then written to any terminal spawned or respawned,
- prior to the normal prompt.
+ The file /etc/issue contains a message to be shown before users login
+ to the system. issue is an ASCII file that is read by the program tty-
+ mon and then written to any terminal spawned or respawned, prior to the
+ normal prompt. It may also be displayed before login by graphical login
+ programs such as gdm.
FILES
/etc/issue
+ Text file containing message to be displayed before login.
+
SEE ALSO
login(1), ttymon(8)
-Oracle Solaris 11.4 2 Jan 2002 issue(5)
+Oracle Solaris 11.4 21 Jun 2021 issue(5)
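Review bot: grammar in the first added line: "before users login to the system" should be "log in" (the verb); "login" is the noun. "read by the program ttymon" would also read better as "read by ttymon(8)", using the cross reference SEE ALSO already carries.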
diff -NurbBw 11.4.36/man5/loginlog.5 11.4.39/man5/loginlog.5
--- 11.4.36/man5/loginlog.5 2021-11-16 13:14:16.506335637 +0000
+++ 11.4.39/man5/loginlog.5 2021-11-16 13:14:51.858824719 +0000
@@ -6,28 +6,39 @@
loginlog - log of failed login attempts
DESCRIPTION
- After five unsuccessful login attempts, all the attempts are logged in
- the file /var/adm/loginlog. This file contains one record for each
- failed attempt. Each record contains the login name, tty specification,
- and time.
-
-
- This is an ASCII file. Each field within each entry is separated from
- the next by a colon. Each entry is separated from the next by a new-
- line.
-
-
- By default, loginlog does not exist, so no logging is done. To enable
- logging, the log file must be created with read and write permission
- for owner only. Owner must be root and group must be sys.
+ After multiple unsuccessful login attempts in a row in the same invoca-
+ tion of login(1), all the attempts are logged in the file
+ /var/adm/loginlog. The number of attempts is controlled by the RETRIES
+ property in /etc/default/login and defaults to 5.
+
+
+ This plain text file contains one record for each failed attempt. Each
+ record contains the login name, tty specification, and time. Each field
+ within each entry is separated from the next by a colon. Each entry is
+ separated from the next by a newline.
+
+
+ By default, loginlog does not exist, so logging is only done via sys-
+ log. To enable loginlog, the log file must be created with read and
+ write permission for owner only, and the owner must be root and the
+ group must be sys.
FILES
/var/adm/loginlog
+USAGE
+ Use of the lo class audit records in Solaris Auditing is recommended
+ over the creation of loginlog as the audit records are captured from a
+ wider range of login methods and are more complete than the data
+ recorded in loginlog.
+
SEE ALSO
login(1), passwd(1)
+ Managing Auditing in Oracle Solaris 11.4
+
+
-Oracle Solaris 11.4 3 Jul 1990 loginlog(5)
+Oracle Solaris 11.4 21 Jun 2021 loginlog(5)
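Review bot: "the RETRIES property in /etc/default/login": entries in that file are keyword assignments, not properties, and "property" in this patch otherwise refers to SMF and account-policy(8S) settings; "RETRIES setting" avoids the confusion. It is also worth saying why the file must be readable by its owner only: each record holds whatever was typed as the login name, which is frequently a password entered at the wrong prompt, so the file is as sensitive as a password store. Layout: "Managing Auditing in Oracle Solaris 11.4" is appended directly under the man page references, while audit.log(5) in this same patch sets the book reference off with blank lines.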
diff -NurbBw 11.4.36/man5/mech.5 11.4.39/man5/mech.5
--- 11.4.36/man5/mech.5 2021-11-16 13:14:16.533947070 +0000
+++ 11.4.39/man5/mech.5 2021-11-16 13:14:51.887515467 +0000
@@ -3,7 +3,7 @@
NAME
- mech, qop - mechanism and QOP files
+ mech, qop - RPCSEC_GSS mechanism and QOP files
SYNOPSIS
/etc/gss/mech
@@ -15,7 +15,7 @@
ciated with them, respectively. As security mechanisms are installed on
the system, entries are added to these two files. Contents of these
files may be accessed either manually or programmatically. For example,
- manually with cat(1) or more(1), or programmatically with either
+ manually with cat(1) or less(1), or programmatically with either
rpc_gss_get_mechanisms(3C) or rpc_gss_get_mech_info(3C).
@@ -92,6 +92,18 @@
GSS_KRB5_CONF_C_QOP_DES 0 kerberosv5
+ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
+
+
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Availability |service/security/gss |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+ +-----------------------------+-----------------------------+
+
SEE ALSO
rpc(3C), rpc_gss_get_mech_info(3C), rpc_gss_get_mechanisms(3C), rpc-
sec_gss(3C)
@@ -101,4 +113,4 @@
-Oracle Solaris 11.4 6 Sep 2006 mech(5)
+Oracle Solaris 11.4 21 Jun 2021 mech(5)
diff -NurbBw 11.4.36/man5/nfs.5 11.4.39/man5/nfs.5
--- 11.4.36/man5/nfs.5 2021-11-16 13:14:16.564516370 +0000
+++ 11.4.39/man5/nfs.5 2021-11-16 13:14:51.927994964 +0000
@@ -158,6 +158,25 @@
Maximum number of concurrent statd requests. The default is 1024.
+ explicit_netgroups=true|false
+
+ Controls whether to enforce new syntax for netgroups, where net-
+ groups in share access list entries must be marked with a leading
+ '%' to distinguish them from hostnames. Enabling this setting
+ requires the admin to make this change to all share access lists
+ manually, and can eliminate unnecessary DNS lookups. The default is
+ false.
+
+
+ client_nfs23_acl=true|false
+
+ Controls whether the client will try to use the NFS_ACL protocol
+ for NFSv2 and NFSv3 mounts. The default value is true. Individual
+ mounts can override this property using the acl or noacl options.
+ See the description of those options in the mount_nfs(8) man page
+ for additional details and cautions.
+
+
SETTING nfsmapid_domain
As described above, the setting for nfsmapid_domain overrides the
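Review bot: explicit_netgroups describes the new syntax but not what happens, once the setting is true, to an access-list entry that is a netgroup name without the leading %. That is exactly the case an administrator who missed one share will hit, so state whether the name is then treated only as a hostname (so netgroup members lose access) or still falls back to netgroup resolution; the security consequence differs, and "can eliminate unnecessary DNS lookups" suggests the former. client_nfs23_acl only points at "cautions" in mount_nfs(8); a one-line summary here (with NFS_ACL disabled the client can show only the mode bits, not the server-side ACL, while enforcement stays on the server) would stop readers from taking ls output as the effective permissions.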
diff -NurbBw 11.4.36/man5/nologin.5 11.4.39/man5/nologin.5
--- 11.4.36/man5/nologin.5 2021-11-16 13:14:16.590780301 +0000
+++ 11.4.39/man5/nologin.5 2021-11-16 13:14:51.955744273 +0000
@@ -3,16 +3,14 @@
NAME
- nologin - message displayed to users attempting to log on in the
- process of a system shutdown
+ nologin - file to restrict logins to a system
SYNOPSIS
/etc/nologin
DESCRIPTION
- The /etc/nologin file contains the message displayed to users attempt-
- ing to log on to a machine in the process of being shutdown. After dis-
- playing the contents of the nologin file, the login procedure termi-
+ If the /etc/nologin file exists, it restricts logins to a system. After
+ displaying the contents of the nologin file, the login procedure termi-
nates, preventing the user from logging onto the machine.
@@ -25,23 +23,38 @@
o Super-user
- o Users assigned with the root role
+ o Users assigned the root role
- o Users assigned with the solaris.system.maintenance autho-
- rization
+ o Users assigned the solaris.system.maintenance authorization
- The message contained in the nologin file is editable by super-user. A
- typical nologin file contains a message similar to:
-
+ The message contained in the nologin file is editable by a super-user
+ or a user with the "Maintenance and Repair" rbac(7) profile. A typical
+ nologin file contains a message similar to:
NO LOGINS: System going down in 10 minutes.
+
+
+ The nologin file may be manually created by a system administrator when
+ doing maintenance, or it may be automatically created, such as by the
+ shutdown(8) command, by init(8) when transitioning to single user mode,
+ or by the system when recovering a deferred dump.
+
+
+ The svc:/system/rmtmpfiles service will remove any existing nologin
+ file during system boot.
+
SEE ALSO
- login(1), rlogin(1), telnet(1), shutdown(8)
+ login(1), pam_acct_mgmt(3PAM), pam_sm_acct_mgmt(3PAM),
+ pam_unix_account(7), init(8), shutdown(8)
+
+HISTORY
+ Support for /etc/nologin was present in SunOS 4.x releases, but not in
+ Solaris 2.x releases until it was added in Solaris 2.5.
-Oracle Solaris 11.4 21 Dec 1995 nologin(5)
+Oracle Solaris 11.4 21 Jun 2021 nologin(5)
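Review bot: the new svc:/system/rmtmpfiles paragraph should be tied back to the manual-creation case two paragraphs above: an administrator who creates /etc/nologin by hand to hold off logins during maintenance loses it on the next reboot, so say plainly that the file is not a persistent control. The exemption list above (super-user, root role, solaris.system.maintenance) also means nologin never restricts privileged users; one sentence stating that keeps it from being relied on as a hardening measure.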
diff -NurbBw 11.4.36/man5/pam.conf.5 11.4.39/man5/pam.conf.5
--- 11.4.36/man5/pam.conf.5 2021-11-16 13:14:16.637401816 +0000
+++ 11.4.39/man5/pam.conf.5 2021-11-16 13:14:51.992795354 +0000
@@ -518,11 +504,20 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Interface Stability |See Below. |
+ |Availability |See below. |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |See below. |
+-----------------------------+-----------------------------+
+ Availability
+ /etc/pam.conf is delivered in the system/core-os package.
- The format is Committed. The contents has no stability attributes.
+
+ /etc/pam.d/ files are delivered in the packages that provide the mod-
+ ules or software they are associated with.
+
+ Interface Stability
+ The format is Committed. The contents have no stability attributes.
SEE ALSO
login(1), passwd(1), syslog(3C), libpam(3LIB), pam(3PAM),
@@ -535,6 +530,12 @@
Chapter 1, Using Pluggable Authentication Modules in Managing Authenti-
cation in Oracle Solaris 11.4
+HISTORY
+ Support for pam.d was added in Oracle Solaris 11.1.0.
+
+
+ Support for pam.conf was added in Solaris 2.6.
+
-Oracle Solaris 11.4 11 May 2021 pam.conf(5)
+Oracle Solaris 11.4 21 Jun 2021 pam.conf(5)
diff -NurbBw 11.4.36/man5/priv_names.5 11.4.39/man5/priv_names.5
--- 11.4.36/man5/priv_names.5 2021-11-16 13:14:16.714994338 +0000
+++ 11.4.39/man5/priv_names.5 2021-11-16 13:14:52.055653443 +0000
@@ -37,6 +37,9 @@
SEE ALSO
ppriv(1), attributes(7), privileges(7)
+HISTORY
+ /etc/security/priv_names was added in Solaris 10 3/05.
-Oracle Solaris 11.4 24 Nov 2003 priv_names(5)
+
+Oracle Solaris 11.4 21 Jun 2021 priv_names(5)
diff -NurbBw 11.4.36/man5/prof_attr.5 11.4.39/man5/prof_attr.5
--- 11.4.36/man5/prof_attr.5 2021-11-16 13:14:16.744303120 +0000
+++ 11.4.39/man5/prof_attr.5 2021-11-16 13:14:52.086165917 +0000
@@ -7,6 +7,7 @@
SYNOPSIS
/etc/security/prof_attr
+ /etc/security/prof_attr.d/package
DESCRIPTION
/etc/security/prof_attr is a local source for execution profile names,
@@ -16,8 +17,16 @@
this information.
+ /etc/security/prof_attr entries are locally managed by the system
+ administrator. The /etc/security/prof_attr.d directory contains addi-
+ tional entries installed by packages which should not be locally modi-
+ fied. If an entry appears in multiple files in these locations,
+ /etc/security/prof_attr takes precedence. The profiles(1) command may
+ be used to verify the active definition for a profile.
+
+
The search order for multiple prof_attr sources is specified in the
- /etc/nsswitch.conf file, as described in the nsswitch.conf(5) man page.
+ nsswitch.conf(5) man page.
An execution profile is a mechanism used to bundle together the com-
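Review bot: "/etc/security/prof_attr takes precedence" leaves open whether a profile defined in both places is replaced wholesale by the local entry or merged attribute by attribute; the user_attr.5 hunk in this same patch spells its model out ("the attributes will be merged, with /etc/user_attr taking precedence for any conflicting attributes"), so state which model applies here in the same terms. "The profiles(1) command may be used to verify the active definition" should also give the exact invocation, since that is the check an admin will want to paste.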
@@ -120,17 +128,10 @@
prof_attr: files nis
-
FILES
- /etc/nsswitch.conf
-
- Configuration file for the name service switch
-
-
/etc/security/prof_attr
- Locally added entries. Make sure that the shipped header remains
- intact.
+ Locally added entries.
/etc/security/prof_attr.d/*
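Review bot: "Make sure that the shipped header remains intact" is dropped here, and the matching sentence is dropped from user_attr.5 later in this patch, with no explanation; if the header is no longer parsed or the file is now regenerated, say so in the commit, otherwise keep a softened sentence, because removing the warning alone invites someone to delete the header and discover the breakage afterwards.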
@@ -201,11 +198,40 @@
allows the authorized user to grant only the user's authorizations to
another user. The same principle applies to profiles and privileges.
+ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
+
+
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Availability |See below. |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |See below. |
+ +-----------------------------+-----------------------------+
+
+ Availability
+ /etc/security/prof_attr is delivered in the system/core-os package.
+
+
+ /etc/security/prof_attr.d/ files are delivered in the packages that
+ provide the software they are associated with.
+
+ Interface Stability
+ The format is Committed. The contents have no stability attributes.
+
SEE ALSO
auths(1), pfexec(1), profiles(1), getauthattr(3C), getprofattr(3C),
getuserattr(3C), auth_attr(5), exec_attr(5), priv_names(5),
- user_attr(5), audit_flags(7), pam_user_policy(7)
+ user_attr(5), audit_flags(7), pam_user_policy(7), rbac(7)
+
+HISTORY
+ Support for /etc/security/prof_attr.d/ files was added in Oracle
+ Solaris 11.0.0.
+
+
+ /etc/security/prof_attr was added in Solaris 8.
-Oracle Solaris 11.4 25 Jan 2017 prof_attr(5)
+Oracle Solaris 11.4 21 Jun 2021 prof_attr(5)
diff -NurbBw 11.4.36/man5/smb.5 11.4.39/man5/smb.5
--- 11.4.36/man5/smb.5 2021-11-16 13:14:16.805664659 +0000
+++ 11.4.39/man5/smb.5 2021-11-16 13:14:52.148461871 +0000
@@ -151,6 +151,16 @@
enforce_vczero to false. The default value is true.
+ explicit_netgroups
+
+ Controls whether to enforce new syntax for netgroups, where net-
+ groups in share access list entries must be marked with a leading
+ '%' to distinguish them from hostnames. Enabling this setting
+ requires the admin to make this change to all share access lists
+ manually, and can eliminate unnecessary DNS lookups. The default is
+ false.
+
+
ipv6_enabled
Enables IPv6 Internet protocol support within the Oracle Solaris
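Review bot: this copy of explicit_netgroups omits the "=true|false" value spelling that the nfs.5 version of the same paragraph has, and the rest of the text is duplicated verbatim; keep the two in step, and in both say how an unmarked netgroup name is interpreted once the property is on, since that is the failure mode the admin has to plan for when converting share access lists.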
diff -NurbBw 11.4.36/man5/sulog.5 11.4.39/man5/sulog.5
--- 11.4.36/man5/sulog.5 2021-11-16 13:14:16.833736037 +0000
+++ 11.4.39/man5/sulog.5 2021-11-16 13:14:52.187135082 +0000
@@ -16,8 +16,7 @@
Each entry in the sulog file is a single line of the form:
- SU date time
- result port user-newuser
+ SU date time result port user-newuser
@@ -67,10 +66,10 @@
FILES
- /var/adm/sulog su log file
+ /var/adm/sulog Default location of su log file
- /etc/default/su contains the default location of sulog
+ /etc/default/su Sets the location of sulog
SEE ALSO
@@ -78,4 +77,4 @@
-Oracle Solaris 11.4 6 Jun 1994 sulog(5)
+Oracle Solaris 11.4 21 Jun 2021 sulog(5)
diff -NurbBw 11.4.36/man5/user_attr.5 11.4.39/man5/user_attr.5
--- 11.4.36/man5/user_attr.5 2021-11-16 13:14:16.870634336 +0000
+++ 11.4.39/man5/user_attr.5 2021-11-16 13:14:52.222040293 +0000
@@ -7,6 +7,7 @@
SYNOPSIS
/etc/user_attr
+ /etc/user_attr.d/package
DESCRIPTION
/etc/user_attr is a local source of extended attributes associated with
@@ -16,9 +17,17 @@
information.
+ /etc/user_attr entries are locally managed by the system administrator.
+ The /etc/user_attr.d directory contains additional entries installed by
+ packages which should not be locally modified. If a user entry appears
+ in multiple files in these locations, the attributes will be merged,
+ with /etc/user_attr taking precedence for any conflicting attributes.
+ The userattr(1) command may be used to verify the active value of an
+ attribute for a user.
+
+
The search order for multiple user_attr sources is specified in the
- /etc/nsswitch.conf file, as described in the nsswitch.conf(5) man page.
- The search order follows that for passwd(5).
+ nsswitch.conf(5) man page. The search order follows that for passwd(5).
Each entry in the user_attr databases consists of a single line with
@@ -78,7 +87,7 @@
exempt from time restrictions for that service. The syntax is:
- {<service>,...}:<days><start>-<end>[/<days><start>-<end>...
+ {<service>,...}:<days><start>-<end>[/<days><start>-<end>]...
[,{<service>,...}:<days><start>-<end>]...
Lists of one or more service names are enclosed in curly
@@ -152,34 +161,11 @@
profiles keyword.
- idlecmd
-
- Contains one of two keywords that the Trusted Extensions window
- manager interprets when a workstation is idle for too long. The
- keyword lock specifies that the workstation is to be locked
- (thus requiring the user to re-authenticate to resume the ses-
- sion). The keyword logout specifies that session is to be ter-
- minated (thus, killing the user's processes launched in the
- current session). If unspecified, the default value, lock, is
- in effect. idletime and idlecmd should be assigned together.
-
-
- idletime
-
- Contains a number representing the maximum number of minutes a
- workstation can remain idle before the Trusted Extensions win-
- dow manager attempts the task specified in idlecmd. A zero in
- this field specifies that the idlecmd command is never exe-
- cuted. If no value is specified, the default idletime of 30
- minutes is in effect. idletime and idlecmd should be assigned
- together.
-
-
defaultpriv
The default set of privileges assigned to a user's inheritable
set upon login. See Privileges Keywords. An Extended Policy can
- be specified. privileges(7).
+ be specified as described in privileges(7).
limitpriv
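Review bot: idlecmd and idletime are removed from the keyword list, the authorization table and the precedence paragraph without any statement of what happens to existing user_attr entries that still carry them (ignored, rejected by usermod -K, or still honoured by Trusted Extensions); add that to NOTES or HISTORY, because a removal from the documentation alone reads as a silent behaviour change for deployed databases.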
@@ -310,10 +296,10 @@
and profiles keywords are cumulative. To assign the values,
/etc/user_attr is searched first, followed by each of the profiles, in
order. The other keywords (audit_flags, project, access_tz, default-
- priv, limitpriv, lock_after_retries, idletime, idlecmd, pam_policy,
- clearance and min_label) are first matched, meaning that /etc/user_attr
- is searched first, followed by each of the profiles, in order. Once a
- match is found that search is over.
+ priv, limitpriv, lock_after_retries, pam_policy, clearance, and
+ min_label) are first matched, meaning that /etc/user_attr is searched
+ first, followed by each of the profiles, in order. Once a match is
+ found that search is over.
Each entry in the user_attr database is limited to a maximum of 1024
@@ -343,9 +329,8 @@
auths solaris.auth.delegate/assign
auth_profiles solaris.profile.delegate/assign
clearance solaris.label.delegate
+
defaultpriv solaris.privilege.delegate/assign
- idlecmd solaris.session.setpolicy
- idletime solaris.session.setpolicy
limitpriv solaris.privilege.delegate/assign
lock_after_retries solaris.account.setpolicy
min_label solaris.label.delegate
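Review bot: the added blank line between "clearance solaris.label.delegate" and "defaultpriv solaris.privilege.delegate/assign" splits the table for no reason and looks like leftover from removing the idlecmd/idletime rows; drop it.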
@@ -435,29 +407,16 @@
# usermod -K access_tz=US/Pacific jdoe
-
-
-
# usermod -K access_times='{*}:Wk0800-2200' jdoe
-
-
-
- # usermod -K access_times+='{pfexec,sudo}:MoWe0900-1730/Sa2200-0200' jdoe
-
-
-
+ # usermod -K access_times+='{pfexec,sudo}:MoWe0900-1730/Sa2200-0200' \
+ jdoe
# usermod -K auth_profiles='File System Management' jdoe
FILES
- /etc/nsswitch.conf
-
- See nsswitch.conf(5).
-
-
/etc/user_attr
- Locally added entries. The shipped header must remain intact.
+ Locally added entries.
/etc/user_attr.d/*
@@ -472,20 +431,27 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |system/core-os |
+ |Availability |See below. |
+-----------------------------+-----------------------------+
- |Interface Stability |See below |
+ |Interface Stability |See below. |
+-----------------------------+-----------------------------+
+ Availability
+ /etc/user_attr is delivered in the system/core-os package.
+
- The command-line syntax is Committed. The output is Uncommitted.
+ /etc/user_attr.d/ files are delivered in the packages that provide the
+ software they are associated with.
+
+ Interface Stability
+ The format is Committed. The contents have no stability attributes.
SEE ALSO
auths(1), pfexec(1), ppriv(1), profiles(1), roles(1), userattr(1),
getuserattr(3C), getdefaultproj(3PROJECT), auth_attr(5), exec_attr(5),
label_encodings(5), nsswitch.conf(5), pam.conf(5), passwd(5), pol-
icy.conf(5), prof_attr(5), project(5), attributes(7), audit_flags(7),
- pam_user_policy(7), privileges(7), getent(8), ldapclient(8),
+ pam_user_policy(7), privileges(7), rbac(7), getent(8), ldapclient(8),
roleadd(8), rolemod(8), useradd(8), usermod(8)
NOTES
@@ -511,6 +477,12 @@
A user without an entry in user_attr gets the default values as defined
in /etc/security/policy.conf.
+HISTORY
+ Support for /etc/user_attr.d/ files was added in Oracle Solaris 11.0.0.
+
+
+ /etc/user_attr was added in Solaris 8.
+
-Oracle Solaris 11.4 26 Mar 2020 user_attr(5)
+Oracle Solaris 11.4 21 Jun 2021 user_attr(5)
diff -NurbBw 11.4.36/man5/utmp.5 11.4.39/man5/utmp.5
--- 11.4.36/man5/utmp.5 2021-11-16 13:14:16.896870751 +0000
+++ 11.4.39/man5/utmp.5 2021-11-16 13:14:52.249135176 +0000
@@ -25,6 +25,9 @@
SEE ALSO
utmpx(5)
+HISTORY
+ The utmp and wtmp files were removed from Solaris in Solaris 8.
-Oracle Solaris 11.4 11 May 2021 utmp(5)
+
+Oracle Solaris 11.4 21 Jun 2021 utmp(5)
diff -NurbBw 11.4.36/man5/utmpx.5 11.4.39/man5/utmpx.5
--- 11.4.36/man5/utmpx.5 2021-11-16 13:14:16.924196397 +0000
+++ 11.4.39/man5/utmpx.5 2021-11-16 13:14:52.277879023 +0000
@@ -34,8 +34,11 @@
SEE ALSO
- getutxent(3C), wait(3C), wait.h(3HEAD)
+ last(1), who(1), getutxent(3C), wait(3C), utmpx.h(3HEAD), wait.h(3HEAD)
+HISTORY
+ The utmpx and wtmpx files were added to Solaris in Solaris 2.0.
-Oracle Solaris 11.4 27 Nov 2017 utmpx(5)
+
+Oracle Solaris 11.4 21 Jun 2021 utmpx(5)
diff -NurbBw 11.4.36/man5/warn.conf.5 11.4.39/man5/warn.conf.5
--- 11.4.36/man5/warn.conf.5 2021-11-16 13:14:16.956378383 +0000
+++ 11.4.39/man5/warn.conf.5 2021-11-16 13:14:52.309704189 +0000
@@ -136,7 +136,7 @@
is:
- [email protected]: your kerberos credentials expire in 5 minutes
+ [email protected]: your kerberos credentials expire in 5 minutes
Example 2 Specifying Renewal
@@ -156,7 +156,7 @@
The form of the message (on renew success) is:
- [email protected]: your kerberos credentials have been renewed
+ [email protected]: your kerberos credentials have been renewed
Example 3 Emailing Each User
@@ -196,4 +196,4 @@
-Oracle Solaris 11.4 11 May 2021 warn.conf(5)
+Oracle Solaris 11.4 1 Jul 2021 warn.conf(5)
diff -NurbBw 11.4.36/man7/armor.7 11.4.39/man7/armor.7
--- 11.4.36/man7/armor.7 2021-11-16 13:14:17.052187403 +0000
+++ 11.4.39/man7/armor.7 2021-11-16 13:14:52.406256761 +0000
@@ -90,7 +90,7 @@
To see the Rights Profiles of the useradm role:
- profiles useradm
+ % profiles useradm
@@ -99,7 +99,7 @@
attributes of the sysop role:
- profiles -l sysop
+ % profiles -l sysop
Example 2 Assigning ARMOR Roles to Users
@@ -109,7 +109,7 @@
To assign the secadm role to user alice:
- usermod -R+secadm alice
+ % usermod -R+secadm alice
Example 3 Displaying Assigned Roles
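Review bot: the "%" prompt on "% usermod -R+secadm alice" signals an unprivileged shell, but usermod needs User Management rights to assign a role; show it with "#" or via pfexec, and reserve "%" for the read-only profiles and roles examples in this page.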
@@ -119,7 +119,7 @@
To display to roles assigned to user bob, including ARMOR roles:
- roles bob
+ % roles bob
Example 4 Assuming an ARMOR Role
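Review bot: the context line "To display to roles assigned to user bob" should read "the roles"; since this hunk already touches the example it is the place to fix it.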
@@ -129,7 +129,7 @@
If a active user has the svcadm role assigned:
- su - svcadm
+ % su - svcadm
FILES
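Review bot: "If a active user has the svcadm role assigned" should be "an active", and the sentence never says that the command that follows is how the role is assumed; finishing it ("... the role is assumed with:") makes the example a complete statement.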
@@ -147,11 +147,23 @@
+-----------------------------+-----------------------------+
|Interface Stability |Uncommitted |
+-----------------------------+-----------------------------+
+ |Standard |Authorization Roles Managed |
+ | |On RBAC (O-ARMOR) |
+ +-----------------------------+-----------------------------+
SEE ALSO
- profiles(1), roles(1), rbac_chkauth(3C), attributes(7), su(8), user-
- mod(8)
+ profiles(1), roles(1), rbac_chkauth(3C), attributes(7), rbac(7), su(8),
+ usermod(8)
+
+ Authorization Roles Managed On RBAC (O-ARMOR). The Open Group, August
+ 2012.
+
+ https://publications.opengroup.org/c125
+
+
+HISTORY
+ The ARMOR roles were added to Oracle Solaris in Solaris 11.2.0.
-Oracle Solaris 11.4 05 February 2013 armor(7)
+Oracle Solaris 11.4 21 Jun 2021 armor(7)
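Review bot: "were added to Oracle Solaris in Solaris 11.2.0" names the product twice; the other HISTORY sections in this patch write "in Oracle Solaris 11.x.0", so use "were added in Oracle Solaris 11.2.0". The Standard row and the O-ARMOR citation are welcome.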
diff -NurbBw 11.4.36/man7/ars.7 11.4.39/man7/ars.7
--- 11.4.36/man7/ars.7 2021-11-16 13:14:17.091487131 +0000
+++ 11.4.39/man7/ars.7 2021-11-16 13:14:52.437634325 +0000
@@ -57,14 +57,14 @@
max_startups
The number of concurrent unauthenticated connections to the server
- at which the server starts refusing new connections. The value
- might be specified in begin:rate:full format to allow random early
- drop mode, for example 10:30:60, meaning that ARS would refuse con-
- nection attempts with a probability of rate/100 (30% in our exam-
- ple) if there are currently 10 (from the start field) unauthenti-
- cated connections. The probability increases linearly and all con-
- nection attempts are refused if the number of unauthenticated con-
- nections reaches full (60 in our example).
+ at which the server starts refusing new connections. The value may
+ be specified in begin:rate:full format to allow random early drop
+ mode, for example 10:30:60, meaning that ARS would refuse connec-
+ tion attempts with a probability of rate/100 (30% in our example)
+ if there are currently 10 (from the begin field) unauthenticated
+ connections. The probability increases linearly and all connection
+ attempts are refused if the number of unauthenticated connections
+ reaches full (60 in our example).
Group configuration attributes
@@ -80,15 +80,15 @@
binfile_fsize
- The maximum size of each of the stored audit trail files; 0
- defaults to no limit.
+ The maximum size of each of the stored audit trail files; 0 speci-
+ fies no limit.
binfile_minfree
- The minimum free space on file system with binfile_dir before the
- audit_binfile informs the administrator via audit_warn(8); 0
- defaults to no limit.
+ The minimum free space on the file system with binfile_dir before
+ the audit_binfile informs the administrator via audit_warn(8); 0
+ specifies no limit.
hosts
@@ -170,9 +170,12 @@
services(5), attributes(7), audit_binfile(7), smf(7), audit(8),
audit_warn(8), auditconfig(8), auditd(8)
+
+ Managing Auditing in Oracle Solaris 11.4
+
NOTES
The audit service FMRI is svc:/system/auditd:default.
-Oracle Solaris 11.4 29 Oct 2015 ars(7)
+Oracle Solaris 11.4 21 Jun 2021 ars(7)
diff -NurbBw 11.4.36/man7/audit_binfile.7 11.4.39/man7/audit_binfile.7
--- 11.4.36/man7/audit_binfile.7 2021-11-16 13:14:17.121166289 +0000
+++ 11.4.39/man7/audit_binfile.7 2021-11-16 13:14:52.467247605 +0000
@@ -17,8 +17,8 @@
The audit_binfile plugin is loaded by auditd if the plugin is config-
- ured as an active via auditconfig. Use the auditconfig -setplugin
- option to change all the plugin related configuration parameters.
+ ured as active via auditconfig. Use the auditconfig -setplugin option
+ to change all the plugin related configuration parameters.
OBJECT ATTRIBUTES
The following attributes specify the configuration of audit_binfile
@@ -97,7 +97,7 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT Level |MT-Safe |
+ |Availability |system/library |
+-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
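Review bot: replacing the "MT Level | MT-Safe" row with "Availability" removes a statement rather than adding one; if MT-Safe was never meaningful for an auditd plugin say so in the commit, otherwise keep both rows. The same swap is made in audit_remote.7, audit_syslog.7, crypt_bsdbf.7, crypt_bsdmd5.7, crypt_sha256.7 and crypt_sha512.7 in this patch.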
@@ -106,5 +106,8 @@
syslog.conf(5), attributes(7), audit_warn(8), auditconfig(8), auditd(8)
+ Managing Auditing in Oracle Solaris 11.4
-Oracle Solaris 11.4 16 Dec 2015 audit_binfile(7)
+
+
+Oracle Solaris 11.4 21 Jun 2021 audit_binfile(7)
diff -NurbBw 11.4.36/man7/audit_flags.7 11.4.39/man7/audit_flags.7
--- 11.4.36/man7/audit_flags.7 2021-11-16 13:14:17.153346327 +0000
+++ 11.4.39/man7/audit_flags.7 2021-11-16 13:14:52.506216625 +0000
@@ -60,4 +60,4 @@
-Oracle Solaris 11.4 5 Jan 2012 audit_flags(7)
+Oracle Solaris 11.4 21 Jun 2021 audit_flags(7)
diff -NurbBw 11.4.36/man7/audit_remote.7 11.4.39/man7/audit_remote.7
--- 11.4.36/man7/audit_remote.7 2021-11-16 13:14:17.185077458 +0000
+++ 11.4.39/man7/audit_remote.7 2021-11-16 13:14:52.539768626 +0000
@@ -16,12 +16,12 @@
The audit_remote plugin is loaded by auditd(8) if the plugin is config-
- ured as an active via auditconfig. Use the auditconfig -setplugin
- option to change all the plugin related configuration parameters.
+ ured as active via auditconfig. Use the auditconfig -setplugin option
+ to change all the plugin related configuration parameters.
The Solaris audit service daemon's audit remote service, ars(7), may be
- configured with auditconfig to receive the binary audit records send by
+ configured with auditconfig to receive the binary audit records sent by
audit_remote .
Object Attributes
@@ -28,12 +28,11 @@
The following attributes specify the configuration of audit_remote
plugin:
-
p_flags
The audit classes which are audited by the audit_remote plugin. The
syntax for specifying audit flags is defined in audit_flags(7). The
- default value for p_flags in the audit_remote is all.
+ default value for p_flags in audit_remote is all.
p_hosts
@@ -263,24 +256,22 @@
auditconfig -setplugin audit_remote active \
"p_timeout=90;p_retries=2;
- p_hosts=eggplant.eng.sun.com::kerberos_v5,
- purple.ebay.sun.com:4592:kerberos_v5"
-
+ p_hosts=eggplant.eng.example.com::kerberos_v5,
+ purple.ebay.example.com:4592:kerberos_v5"
- Example 2 Using the Configuration of Usage Default Security Mechanism
+ Example 2 Using the Default Security Mechanism
- The following example shows the configuration of usage of default secu-
- rity mechanism. It also shows use of default port on one of the config-
- ured servers:
+ The following example shows the configuration using the default secu-
+ rity mechanism. It also shows use of the default port on one of the
+ configured servers:
auditconfig -setplugin audit_remote active \
"p_timeout=10;p_retries=2;
- p_hosts=jedger.eng.sun.com, jbadams.ebay.sun.com:4592"
-
+ p_hosts=jedger.eng.example.com, jbadams.ebay.example.com:4592"
Example 3 Internal plugin queue size settings
@@ -305,7 +295,7 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT Level |MT-Safe |
+ |Availability |system/library |
+-----------------------------+-----------------------------+
|Interface Stability |See below. |
+-----------------------------+-----------------------------+
@@ -318,8 +308,11 @@
SEE ALSO
getipnodebyname(3C), getservbyname(3C), gss_accept_sec_context(3GSS),
gss_get_mic(3GSS), gss_init_sec_context(3GSS), gss_unwrap(3GSS),
- gss_wrap(3GSS), libsocket(3LIB), tcp(4P), audit.log(5), mech(5),
- ars(7), attributes(7), audit_warn(8), auditconfig(8), auditd(8)
+ gss_wrap(3GSS), libgss(3LIB), tcp(4P), audit.log(5), mech(5), ars(7),
+ attributes(7), audit_warn(8), auditconfig(8), auditd(8)
+
+
+ Managing Auditing in Oracle Solaris 11.4
NOTES
audit_remote authenticates itself to the remote audit service by way of
@@ -331,4 +324,4 @@
-Oracle Solaris 11.4 13 July 2015 audit_remote(7)
+Oracle Solaris 11.4 21 Jun 2021 audit_remote(7)
diff -NurbBw 11.4.36/man7/audit_syslog.7 11.4.39/man7/audit_syslog.7
--- 11.4.36/man7/audit_syslog.7 2021-11-16 13:14:17.219651553 +0000
+++ 11.4.39/man7/audit_syslog.7 2021-11-16 13:14:52.572368743 +0000
@@ -18,7 +18,7 @@
auditconfig(8) utility.
- Messages to syslog are written if the plugin is configured as an active
+ Messages to syslog are written if the plugin is configured as active
via auditconfig. Use the auditconfig -setplugin option to change all
the plugin related configuration parameters. Syslog messages are gener-
ated with the facility code of LOG_AUDIT (audit in rsyslog.conf) and
@@ -104,8 +104,8 @@
The following are example syslog messages:
- Nov 4 8:27:07 smothers auditd: [ID 175219 audit.notice]
- \system booted
+ Nov 4 8:27:07 smothers auditd: [ID 175219 audit.notice] \
+ system booted
Nov 4 9:28:17 smothers auditd: [ID 752191 audit.notice] \
login - rlogin ok session 401 by joeuser as joeuser:staff from myultra
@@ -178,7 +176,7 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT Level |MT-Safe |
+ |Availability |system/library |
+-----------------------------+-----------------------------+
|Interface Stability |See below |
+-----------------------------+-----------------------------+
@@ -215,9 +213,9 @@
The audit_syslog is not a substitute for audit_binfile(7) or
- audit_remote(7). The limited set of tokens are included in the syslog
- message. Use the audit trail files (audit.log(5)) to obtain full audit
- records.
+ audit_remote(7). Only a limited set of tokens are included in the sys-
+ log message. Use the audit trail files (audit.log(5)) to obtain full
+ audit records.
The time field in the syslog header is generated by syslog(3C) and only
@@ -226,4 +224,4 @@
-Oracle Solaris 11.4 20 Jul 2020 audit_syslog(7)
+Oracle Solaris 11.4 21 Jun 2021 audit_syslog(7)
diff -NurbBw 11.4.36/man7/clearance.7 11.4.39/man7/clearance.7
--- 11.4.36/man7/clearance.7 2021-11-16 13:14:17.252530972 +0000
+++ 11.4.39/man7/clearance.7 2021-11-16 13:14:52.601734940 +0000
@@ -150,22 +150,15 @@
process clearance, or range may be filtered using the -L option of
auditreduce(8).
-ATTRIBUTES
- See attributes(7) for descriptions of the following attributes:
-
-
- +-----------------------------+-----------------------------+
- | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
- +-----------------------------+-----------------------------+
- |Interface Stability |See below. |
- +-----------------------------+-----------------------------+
-
SEE ALSO
plabel(1), sandbox(1), setlabel(1), libtsol(3LIB), getclearance(3TSOL),
setclearance(3TSOL), policy.conf(5), user_attr(5), attributes(7),
labels(7), tpd(7), auditconfig(8), auditreduce(8), labelcfg(8), svc-
cfg(8), useradd(8), zfs(8), profiles(1), roleadd(8)
+
+ Securing Users and Processes in Oracle Solaris 11.4
+
NOTES
Although file labeling is also available when Trusted Extensions is
enabled, the process clearance is not. Instead, Trusted Extensions
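Review bot: deleting the whole ATTRIBUTES section while SEE ALSO still lists attributes(7) runs against the rest of this patch, which is adding Availability and Interface Stability rows to pages; if the old "See below" had nothing below it, the fix is to supply the stability statement, not to drop the table. The SEE ALSO list also has profiles(1) and roleadd(8) trailing after zfs(8); since this hunk touches the list, put them in section order.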
@@ -173,4 +166,4 @@
-Oracle Solaris 11.4 27 Nov 2017 clearance(7)
+Oracle Solaris 11.4 21 Jun 2021 clearance(7)
diff -NurbBw 11.4.36/man7/crypt_bsdbf.7 11.4.39/man7/crypt_bsdbf.7
--- 11.4.36/man7/crypt_bsdbf.7 2021-11-16 13:14:17.295681007 +0000
+++ 11.4.39/man7/crypt_bsdbf.7 2021-11-16 13:14:52.631056317 +0000
@@ -32,7 +32,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Availability |system/library |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -40,6 +42,10 @@
crypt_gensalt_impl(3C), getpassphrase(3C), crypt.conf(5), passwd(5),
policy.conf(5), attributes(7)
+HISTORY
+ The crypt_bsdbf module was added to Solaris in Solaris 9 12/02 (Update
+ 2).
+
-Oracle Solaris 11.4 5 Jul 2011 crypt_bsdbf(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_bsdbf(7)
diff -NurbBw 11.4.36/man7/crypt_bsdmd5.7 11.4.39/man7/crypt_bsdmd5.7
--- 11.4.36/man7/crypt_bsdmd5.7 2021-11-16 13:14:17.325802562 +0000
+++ 11.4.39/man7/crypt_bsdmd5.7 2021-11-16 13:14:52.667824447 +0000
@@ -18,6 +18,13 @@
The maximum password length for crypt_bsdmd5 is 255 characters.
+SECURITY
+ The MD5 algorithm is currently considered weak for cryptographic use.
+ This algorithm should be used only for compatibility with legacy sys-
+ tems and password entries. It is no longer included in the default
+ CRYPT_ALGORITHMS_ALLOW list of algorithms to use to hash new passwords
+ in policy.conf.
+
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
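Review bot: the SECURITY section says MD5 is off the default CRYPT_ALGORITHMS_ALLOW list for new passwords but not what that means for accounts that still hold $1$ hashes: whether they still authenticate, and whether and when they are re-hashed with CRYPT_DEFAULT on the next password change. That sentence is what an admin reading this page for migration needs. "Currently considered weak for cryptographic use" is also better stated concretely, for example "unsuitable for hashing new passwords".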
@@ -25,7 +32,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Availability |system/library |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -33,6 +42,12 @@
hash_impl(3C), crypt_gensalt_impl(3C), crypt.conf(5), passwd(5), pol-
icy.conf(5), attributes(7)
+HISTORY
+ The crypt_bsdmd5 module was added to Solaris in Solaris 9 12/02 (Update
+ 2). It was removed from the CRYPT_ALGORITHMS_ALLOW list of algorithms
+ to use to hash new passwords in the default policy.conf in Oracle
+ Solaris 11.4.0.
+
-Oracle Solaris 11.4 6 Aug 2003 crypt_bsdmd5(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_bsdmd5(7)
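Review bot: the second HISTORY sentence repeats the CRYPT_ALGORITHMS_ALLOW statement already made in the new SECURITY section; keep the release fact here ("removed from the default list in Oracle Solaris 11.4.0") and let SECURITY carry the recommendation, rather than saying it twice.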
diff -NurbBw 11.4.36/man7/crypt_sha256.7 11.4.39/man7/crypt_sha256.7
--- 11.4.36/man7/crypt_sha256.7 2021-11-16 13:14:17.354032199 +0000
+++ 11.4.39/man7/crypt_sha256.7 2021-11-16 13:14:52.760154741 +0000
@@ -16,9 +16,9 @@
rithm identifier for crypt.conf(5) and policy.conf(5) is 5.
- This module is designed to make it difficult to crack passwords that
- use brute force attacks based on high speed SHA-256 implementations
- that use code inlining, unrolled loops, and table lookup.
+ This module is designed to make it difficult to crack passwords using
+ brute force attacks based on high speed SHA-256 implementations that
+ use code inlining, unrolled loops, and table lookup.
The maximum password length for crypt_sha256 is 255 characters.
@@ -27,7 +27,7 @@
The following options can be passed to the module by means of
crypt.conf(5):
- rounds=<positive_number>
+ rounds=positive_number
Specifies the number of rounds of SHA-256 to use in generation of
the salt; the default number of rounds is 5000. Negative values
@@ -54,9 +54,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Interface Stability |Committed |
+ |Availability |system/library |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -64,6 +64,11 @@
crypt_gensalt_impl(3C), getpassphrase(3C), crypt.conf(5), passwd(5),
policy.conf(5), attributes(7)
+HISTORY
+ The crypt_sha256 module was added to Solaris in Solaris 10 8/08 (Update
+ 6). It became the CRYPT_DEFAULT setting in the default policy.conf file
+ in Oracle Solaris 11.0.0.
+
-Oracle Solaris 11.4 8 May 2008 crypt_sha256(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_sha256(7)
diff -NurbBw 11.4.36/man7/crypt_sha512.7 11.4.39/man7/crypt_sha512.7
--- 11.4.36/man7/crypt_sha512.7 2021-11-16 13:14:17.384064960 +0000
+++ 11.4.39/man7/crypt_sha512.7 2021-11-16 13:14:52.788831189 +0000
@@ -16,9 +16,9 @@
rithm identifier for crypt.conf(5) and policy.conf(5) is 6.
- This module is designed to make it difficult to crack passwords that
- use brute force attacks based on high speed SHA-512 implementations
- that use code inlining, unrolled loops, and table lookup.
+ This module is designed to make it difficult to crack passwords using
+ brute force attacks based on high speed SHA-512 implementations that
+ use code inlining, unrolled loops, and table lookup.
The maximum password length for crypt_sha512 is 255 characters.
@@ -27,7 +27,7 @@
The following options can be passed to the module by means of
crypt.conf(5):
- rounds=<positive_number>
+ rounds=positive_number
Specifies the number of rounds of SHA-512 to use in generation of
the salt; the default number of rounds is 5000. Negative values
@@ -54,9 +54,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Interface Stability |Committed |
+ |Availability |system/library |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -64,6 +64,10 @@
crypt_gensalt_impl(3C), getpassphrase(3C), crypt.conf(5), passwd(5),
policy.conf(5), attributes(7)
+HISTORY
+ The crypt_sha512 module was added to Solaris in Solaris 10 8/08 (Update
+ 6).
+
-Oracle Solaris 11.4 8 May 2008 crypt_sha512(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_sha512(7)
diff -NurbBw 11.4.36/man7/crypt_sunmd5.7 11.4.39/man7/crypt_sunmd5.7
--- 11.4.36/man7/crypt_sunmd5.7 2021-11-16 13:14:17.416035983 +0000
+++ 11.4.39/man7/crypt_sunmd5.7 2021-11-16 13:14:52.815627167 +0000
@@ -26,29 +26,32 @@
The following options can be passed to the module by means of
crypt.conf(5):
- rounds=<positive_number> Specifies the number of additional rounds
- of MD5 to use in generation of the salt;
- the default number of rounds is 4096. Nega-
- tive values have no effect and are ignored,
- that is, the number of rounds cannot be
- lowered below 4096.
-
- The number of additional rounds is stored
- in the salt string returned by crypt_gen-
- salt(3C). For example:
+ rounds=positive_number
+
+ Specifies the number of additional rounds of MD5 to use in genera-
+ tion of the salt; the default number of rounds is 4096. Negative
+ values have no effect and are ignored, that is, the number of
+ rounds cannot be lowered below 4096.
+
+ The number of additional rounds is stored in the salt string
+ returned by crypt_gensalt(3C). For example:
$md5,rounds=1000$nlxmTTpz$
- When crypt_gensalt(3C) is being used to
- generate a new salt, if the number of addi-
- tional rounds configured in crypt.conf(5)
- is greater than that in the old salt, the
- value from crypt.conf(5) is used instead.
- This allows for migration to stronger (but
- more time-consuming) salts on password
- change.
+ When crypt_gensalt(3C) is being used to generate a new salt, if the
+ number of additional rounds configured in crypt.conf(5) is greater
+ than that in the old salt, the value from crypt.conf(5) is used
+ instead. This allows for migration to stronger (but more time-con-
+ suming) salts on password change.
+
+SECURITY
+ The MD5 algorithm is currently considered weak for cryptographic use.
+ This algorithm should be used only for compatibility with legacy sys-
+ tems and password entries. It is no longer included in the default
+ CRYPT_ALGORITHMS_ALLOW list of algorithms to use to hash new passwords
+ in policy.conf.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
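Review bot: the new SECURITY section says MD5 is weak and no longer in the default CRYPT_ALGORITHMS_ALLOW list, but it does not say what to use instead; the SEE ALSO context visible in the hunk below shows no crypt_sha256(7) or crypt_sha512(7) reference, whereas crypt_unix(7) further down cross-references crypt_bsdbf(7), crypt_sha256(7) and crypt_sha512(7). Suggest adding the same cross-references here and one sentence in SECURITY pointing readers at crypt_sha256(7)/crypt_sha512(7), given crypt_sha256(7)'s new HISTORY above records it as the CRYPT_DEFAULT since Oracle Solaris 11.0.0.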
@@ -57,7 +60,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Availability |system/library |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -65,6 +70,12 @@
hash_impl(3C), crypt_gensalt_impl(3C), crypt.conf(5), passwd(5), pol-
icy.conf(5), attributes(7)
+HISTORY
+ The crypt_sunmd5 module was added to Solaris in Solaris 9 12/02 (Update
+ 2). It was removed from the CRYPT_ALGORITHMS_ALLOW list of algorithms
+ to use to hash new passwords in the default policy.conf in Oracle
+ Solaris 11.4.0.
+
-Oracle Solaris 11.4 23 Dec 2003 crypt_sunmd5(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_sunmd5(7)
diff -NurbBw 11.4.36/man7/crypt_unix.7 11.4.39/man7/crypt_unix.7
--- 11.4.36/man7/crypt_unix.7 2021-11-16 13:14:17.443796936 +0000
+++ 11.4.39/man7/crypt_unix.7 2021-11-16 13:14:52.854921331 +0000
@@ -44,7 +44,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |MT-Level |Safe |
+ |Availability |system/library |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Committed |
+-----------------------------+-----------------------------+
SEE ALSO
@@ -53,6 +55,13 @@
icy.conf(5), attributes(7), crypt_bsdbf(7), crypt_sha256(7),
crypt_sha512(7), standards(7)
+HISTORY
+ This algorithm has been included in all releases of SunOS and Solaris.
+ It was the only algorithm supported by the crypt() function until sup-
+ port for pluggable crypt modules was added to Solaris in Solaris 9
+ 12/02 (Update 2). It was the CRYPT_DEFAULT setting in policy.conf
+ before Solaris 11.0.
+
-Oracle Solaris 11.4 11 May 2021 crypt_unix(7)
+Oracle Solaris 11.4 21 Jun 2021 crypt_unix(7)
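Review bot: crypt_unix(7) gains only a HISTORY section here, while crypt_sunmd5(7) in the same change set gets a SECURITY section; since this hunk itself records that crypt_unix stopped being CRYPT_DEFAULT before Solaris 11.0, a parallel SECURITY paragraph saying the module is kept for compatibility with existing password entries would be consistent. Also "before Solaris 11.0" uses a different release form from the "Oracle Solaris 11.0.0" used in crypt_sha256(7)'s HISTORY above; pick one.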
diff -NurbBw 11.4.36/man7/device_clean.7 11.4.39/man7/device_clean.7
--- 11.4.36/man7/device_clean.7 2021-11-16 13:14:17.472863910 +0000
+++ 11.4.39/man7/device_clean.7 2021-11-16 13:14:52.883391286 +0000
@@ -44,14 +44,15 @@
of allocate, if required.
- audio_clean_wrapper wrapper to make audio_clean work with CDE
+ audio_clean.windowing wrapper to make audio_clean work with desktop
+ environments
wdwwrapper wrapper to make other cleaning programs work
- with CDE
+ with desktop environments
- wdwmsg CDE dialog boxes for cleaning programs
+ wdwmsg GUI dialog boxes for cleaning programs
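Review bot: `audio_clean_wrapper` -> `audio_clean.windowing` is a file-name change, not just the CDE-to-desktop wording clean-up the rest of this hunk does, so confirm the name matches what system/device-allocation actually delivers and that any FILES entry or script referring to the old name is updated; `wdwwrapper` keeps its name in the same hunk, which makes the asymmetry stand out.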
@@ -106,34 +107,24 @@
EXIT STATUS
The following exit values are returned:
- 0
+ 0 Successful completion.
- Successful completion.
+ 1 An error. Caller can place device in error state.
- 1
- An error. Caller can place device in error state.
-
-
- 2
-
- A system error. Caller can place device in error state.
+ 2 A system error. Caller can place device in error state.
On a system configured with Trusted Extensions, the following addi-
tional exit values are returned:
- 3
-
- Mounting of device failed. Caller shall not place device in error
- state.
-
+ 3 Mounting of device failed. Caller shall not place device
+ in error state.
- 4
- Mounting of device succeeded.
+ 4 Mounting of device succeeded.
FILES
@@ -147,7 +138,9 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
- |Availability |system/device-allocation |
+ |Availability |system/device-allocation, |
+ | |system/trusted/trusted- |
+ | |global-zone |
+-----------------------------+-----------------------------+
|Interface Stability |See below. |
+-----------------------------+-----------------------------+
@@ -160,4 +153,4 @@
-Oracle Solaris 11.4 27 Nov 2017 device_clean(7)
+Oracle Solaris 11.4 21 Jun 2021 device_clean(7)
diff -NurbBw 11.4.36/man7/firewall.7 11.4.39/man7/firewall.7
--- 11.4.36/man7/firewall.7 2021-11-16 13:14:17.551535913 +0000
+++ 11.4.39/man7/firewall.7 2021-11-16 13:14:52.968310995 +0000
@@ -29,13 +29,13 @@
pkg:/network/firewall/firewall
Delivers the core firewall functionality such as PF kernel driver,
- the pfctl(8) control command, and the svc:/network/firewall
- smf(7) service.
+ the pfctl(8) control command, and the svc:/network/firewall smf(7)
+ service.
pkg:/network/firewall/firewall-ftp-proxy
- Delivers the FTP proxy daemon. See ftp-rpoxy(8) for more details.
+ Delivers the FTP proxy daemon. See ftp-proxy(8) for more details.
pkg:/network/firewall/firewall-pflog
@@ -128,7 +128,7 @@
set:
- # ignore traffic travelling within loopback
+ # ignore traffic traveling within loopback
set skip on lo0
# block everything unless told otherwise and send TCP-RST/ICMP
@@ -209,6 +209,10 @@
The service's status is queried using the svcs(1) command.
+HISTORY
+ The PF firewall was added to Oracle Solaris in Solaris 11.3.0. The PF
+ version is derived from the OpenBSD 5.5 release.
-Oracle Solaris 11.4 12 Apr 2019 firewall(7)
+
+Oracle Solaris 11.4 21 Jun 2021 firewall(7)
diff -NurbBw 11.4.36/man7/labels.7 11.4.39/man7/labels.7
--- 11.4.36/man7/labels.7 2021-11-16 13:14:17.580935906 +0000
+++ 11.4.39/man7/labels.7 2021-11-16 13:14:52.997957325 +0000
@@ -109,9 +109,9 @@
Trusted Extensions.
SEE ALSO
- blcompare(3TSOL), label_to_str(3TSOL), m_label_alloc(3TSOL),
+ plabel(1), blcompare(3TSOL), label_to_str(3TSOL), m_label_alloc(3TSOL),
m_label_dup(3TSOL), m_label_free(3TSOL), str_to_label(3TSOL),
- label_encodings(5), attributes(7), chk_encodings(8)
+ label_encodings(5), attributes(7), clearance(7), chk_encodings(8)
Bell, D. E., and LaPadula, L. J. Secure Computer Systems: Unified Expo-
@@ -134,10 +134,6 @@
Trusted Extensions Configuration and Administration
-NOTES
- The functionality described on this manual page is available only if
- the system is configured with Trusted Extensions.
-
-Oracle Solaris 11.4 28 May 2018 labels(7)
+Oracle Solaris 11.4 21 Jun 2021 labels(7)
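Review bot: deleting the NOTES section removes the statement that this functionality is available only on a system configured with Trusted Extensions; the context line "Trusted Extensions." at the top of the preceding hunk suggests the DESCRIPTION already says so, but check that before dropping it, because the restriction is the page's main caveat.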
diff -NurbBw 11.4.36/man7/pf.7 11.4.39/man7/pf.7
--- 11.4.36/man7/pf.7 2021-11-16 13:14:17.610319084 +0000
+++ 11.4.39/man7/pf.7 2021-11-16 13:14:53.027979159 +0000
@@ -29,13 +29,13 @@
pkg:/network/firewall/firewall
Delivers the core firewall functionality such as PF kernel driver,
- the pfctl(8) control command, and the svc:/network/firewall
- smf(7) service.
+ the pfctl(8) control command, and the svc:/network/firewall smf(7)
+ service.
pkg:/network/firewall/firewall-ftp-proxy
- Delivers the FTP proxy daemon. See ftp-rpoxy(8) for more details.
+ Delivers the FTP proxy daemon. See ftp-proxy(8) for more details.
pkg:/network/firewall/firewall-pflog
@@ -128,7 +128,7 @@
set:
- # ignore traffic travelling within loopback
+ # ignore traffic traveling within loopback
set skip on lo0
# block everything unless told otherwise and send TCP-RST/ICMP
@@ -209,6 +209,10 @@
The service's status is queried using the svcs(1) command.
+HISTORY
+ The PF firewall was added to Oracle Solaris in Solaris 11.3.0. The PF
+ version is derived from the OpenBSD 5.5 release.
-Oracle Solaris 11.4 12 Apr 2019 firewall(7)
+
+Oracle Solaris 11.4 21 Jun 2021 firewall(7)
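Review bot: this diff to pf.7 is identical to the firewall.7 one above, including the footer, which still reads "+Oracle Solaris 11.4 21 Jun 2021 firewall(7)" rather than pf(7); if pf.7 is a separate file rather than a link to firewall.7, the footer title is wrong, and keeping two copies that must be edited in lock-step (as this change does) is a maintenance risk, so consider making pf.7 a link to firewall.7.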
diff -NurbBw 11.4.36/man7/pf.conf.7 11.4.39/man7/pf.conf.7
--- 11.4.36/man7/pf.conf.7 2021-11-16 13:14:17.693818567 +0000
+++ 11.4.39/man7/pf.conf.7 2021-11-16 13:14:53.082168933 +0000
@@ -2202,15 +2202,16 @@
pf.os(7), pfctl(8)
HISTORY
- The pf.conf file format first appeared in OpenBSD 3.0.
+ The pf.conf file format first appeared in OpenBSD 3.0. It was added to
+ Oracle Solaris in Solaris 11.3.0.
SOLARIS
- File has been introduced to Solaris as a part of firewall modernization
- project. The project brings slightly modified version of PF to Solaris.
- The manual page has been tailored to match a PF feature set found on
- Solaris Operating System. The PF version is derived from OpenBSD 5.5
- release.
+ The pf.conf file has been introduced to Solaris as a part of firewall
+ modernization project. The project brings slightly modified version of
+ PF to Solaris. The manual page has been tailored to match a PF feature
+ set found on Solaris Operating System. The PF version is derived from
+ OpenBSD 5.5 release.
-Oracle Solaris 11.4 11 May 2021 pf.conf(7)
+Oracle Solaris 11.4 21 Jun 2021 pf.conf(7)
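Review bot: the SOLARIS paragraph still reads awkwardly after the rewrite: "as a part of firewall modernization project", "brings slightly modified version of PF", "found on Solaris Operating System" and "derived from OpenBSD 5.5 release" are all missing articles. Suggest "as part of the firewall modernization project", "brings a slightly modified version of PF", "found on the Solaris Operating System" and "derived from the OpenBSD 5.5 release". The new HISTORY sentence "It was added to Oracle Solaris in Solaris 11.3.0" also restates the first SOLARIS sentence; one of them could go.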
diff -NurbBw 11.4.36/man7/pkcs11_kmip.7 11.4.39/man7/pkcs11_kmip.7
--- 11.4.36/man7/pkcs11_kmip.7 2021-11-16 13:14:17.793269719 +0000
+++ 11.4.39/man7/pkcs11_kmip.7 2021-11-16 13:14:53.125267651 +0000
@@ -117,18 +109,16 @@
svc:/system/pkcs11:kmip.
- +----------------------------------------------------+-------------+
+ +----------------------------------------+----------------------------------+
| PROFILE NAME | ACCESS TYPE |
- +----------------------------------------------------+-------------+
+ +----------------------------------------+----------------------------------+
| PKCS11 Default KMIP Token User | read-only |
- +----------------------------------------------------+-------------+
+ +----------------------------------------+----------------------------------+
| PKCS11 Default KMIP Token Administrator | read-write |
- +----------------------------------------------------+-------------+
- | PKCS11 Default KMIP Token Service Instance Control | read-write |
- | | + instance |
- | | management |
- +----------------------------------------------------+-------------+
-
+ +----------------------------------------+----------------------------------+
+ |PKCS11 Default KMIP Token Service | read-write + instance management |
+ |Instance Control | |
+ +----------------------------------------+----------------------------------+
CONFIGURATION
A user's private KMIP token is initialized using the kmipcfg command.
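Review bot: cell padding in the rebuilt table is inconsistent: the first two rows use "| PKCS11 Default KMIP Token User" and "| PKCS11 Default KMIP Token Administrator" with a space after the bar, while the new rows use "|PKCS11 Default KMIP Token Service" and "|Instance Control" without one; align them. Wrapping the profile name "PKCS11 Default KMIP Token Service Instance Control" across two lines also makes it easy to copy only half the name, so widening the column or stating that it is a single profile name would help.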
@@ -140,9 +130,8 @@
After a private KMIP token is initialized and configured by the kmipcfg
- create command, the name of the server group can be changed by
- the pktool
- inittoken command:
+ create command, the name of the server group can be changed by the
+ pktool inittoken command:
# pktool inittoken slotid=3 currlabel=KMIP_server\
newlabel=KMIP_newserver
@@ -221,6 +209,15 @@
SEE ALSO
pktool(1), libpkcs11(3LIB), attributes(7), cryptoadm(8), kmipcfg(8)
+ OASIS PKCS#11 specification
+
+ https://www.oasis-open.org/committees/pkcs11/
+
+
+HISTORY
+ The pkcs11_kmip provider was added to Oracle Solaris in Solaris
+ 11.3.17.
+
-Oracle Solaris 11.4 23 Aug 2017 pkcs11_kmip(7)
+Oracle Solaris 11.4 21 Jun 2021 pkcs11_kmip(7)
diff -NurbBw 11.4.36/man7/privileges.7 11.4.39/man7/privileges.7
--- 11.4.36/man7/privileges.7 2021-11-16 13:14:17.848446795 +0000
+++ 11.4.39/man7/privileges.7 2021-11-16 13:14:53.170842493 +0000
@@ -1066,6 +1066,82 @@
ures, and should only be performed with full knowledge of the potential
side effects.
+HISTORY
+ The process privilege model was added in Solaris 10 3/05.
-Oracle Solaris 11.4 2 Feb 2021 privileges(7)
+ Support for Extended Policies was added in Oracle Solaris 11.1.0.
+
+
+ Support for the following privileges was first added in the listed Ora-
+ cle Solaris release:
+
+
+ +-------------------------------------------------+--------------------+
+ | PRIVILEGE | RELEASE |
+ +-------------------------------------------------+--------------------+
+ |PRIV_PROC_SELF |11.4.5 |
+ +-------------------------------------------------+--------------------+
+ |PRIV_IPC_MRP_ACCESS |11.4.1 |
+ +-------------------------------------------------+--------------------+
+ |PRIV_FILE_AUDIT, PRIV_KSTAT_MANAGE, |11.4.0 |
+ |PRIV_KSTAT_RD_SENSITIVE | |
+ +-------------------------------------------------+--------------------+
+ |PRIV_CMI_ACCESS, | |
+ |PRIV_CMI_OWNER |11.3.11 |
+ +-------------------------------------------------+--------------------+
+ |PRIV_DAX_ACCESS |11.2.8 |
+ +-------------------------------------------------+--------------------+
+ |PRIV_SYS_IB_CONFIG, | |
+ |PRIV_SYS_IB_INFO |11.0.12 |
+ +-------------------------------------------------+--------------------+
+ |PRIV_CONTRACT_IDENTITY, PRIV_FILE_FLAG_SET, |11.0.0 |
+ |PRIV_FILE_READ, PRIV_FILE_WRITE, | |
+ |PRIV_NET_MAC_IMPLICIT, PRIV_NET_OBSERVABILITY, | |
+ |PRIV_SYS_DL_CONFIG PRIV_SYS_FLOW_CONFIG, | |
+ |PRIV_SYS_IPTUN_CONFIG, PRIV_SYS_PPP_CONFIG, | |
+ |PRIV_SYS_RES_BIND, PRIV_SYS_SHARE, PRIV_SYS_SMB | |
+ +-------------------------------------------------+--------------------+
+ |PRIV_NET_ACCESS |10 9/10 (Update 9) |
+ +-------------------------------------------------+--------------------+
+ |PRIV_SYS_IP_CONFIG |10 8/07 (Update 4) |
+ +-------------------------------------------------+--------------------+
+ |PRIV_FILE_DOWNGRADE_SL, PRIV_FILE_UPGRADE_SL, |10 11/06 (Update 3) |
+ |PRIV_GRAPHICS_ACCESS, PRIV_GRAPHICS_MAP, | |
+ |PRIV_NET_BINDMLP, PRIV_NET_MAC_AWARE, | |
+ |PRIV_SYS_TRANS_LABEL, PRIV_WIN_COLORMAP, | |
+ |PRIV_WIN_CONFIG, PRIV_WIN_DAC_READ, | |
+ |PRIV_WIN_DAC_WRITE, PRIV_WIN_DEVICES, | |
+ |PRIV_WIN_DGA, PRIV_WIN_DOWNGRADE_SL, | |
+ |PRIV_WIN_FONTPATH, PRIV_WIN_MAC_READ, | |
+ |PRIV_WIN_MAC_WRITE, PRIV_WIN_SELECTION, | |
+ |PRIV_WIN_UPGRADE_SL | |
+ +-------------------------------------------------+--------------------+
+ |PRIV_CONTRACT_EVENT, PRIV_CONTRACT_OBSERVER, |10 3/05 |
+ |PRIV_CPC_CPU, PRIV_DTRACE_KERNEL, | |
+ |PRIV_DTRACE_PROC, PRIV_DTRACE_USER, | |
+ |PRIV_FILE_CHOWN, PRIV_FILE_CHOWN_SELF, | |
+ |PRIV_FILE_DAC_EXECUTE, PRIV_FILE_DAC_READ, | |
+ |PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_WRITE, | |
+ |PRIV_FILE_LINK_ANY, PRIV_FILE_OWNER, | |
+ |PRIV_FILE_SETID, PRIV_IPC_DAC_READ, | |
+ |PRIV_IPC_DAC_WRITE, PRIV_IPC_OWNER, | |
+ |PRIV_NET_ICMPACCESS, PRIV_NET_PRIVADDR, | |
+ |PRIV_NET_RAWACCESS, PRIV_PROC_AUDIT, | |
+ |PRIV_PROC_CHROOT, PRIV_PROC_CLOCK_HIGHRES, | |
+ |PRIV_PROC_EXEC, PRIV_PROC_FORK, PRIV_PROC_INFO, | |
+ |PRIV_PROC_LOCK_MEMORY, PRIV_PROC_OWNER, | |
+ |PRIV_PROC_PRIOCNTL, PRIV_PROC_SESSION, | |
+ |PRIV_PROC_SETID, PRIV_PROC_TASKID, | |
+ |PRIV_PROC_ZONE, PRIV_SYS_ACCT, PRIV_SYS_ADMIN, | |
+ |PRIV_SYS_AUDIT, PRIV_SYS_CONFIG, | |
+ |PRIV_SYS_DEVICES, PRIV_SYS_IPC_CONFIG, | |
+ |PRIV_SYS_LINKDIR, PRIV_SYS_MOUNT, | |
+ |PRIV_SYS_NET_CONFIG, PRIV_SYS_NFS, | |
+ |PRIV_SYS_RESOURCE, PRIV_SYS_RES_CONFIG, | |
+ |PRIV_SYS_SUSER_COMPAT, PRIV_SYS_TIME | |
+ +-------------------------------------------------+--------------------+
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 privileges(7)
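Review bot: in the new HISTORY table, the 11.0.0 row has "PRIV_SYS_DL_CONFIG PRIV_SYS_FLOW_CONFIG," with no comma between the two privilege names; every other cell is comma-separated. The RELEASE value sits on the first line of a multi-line cell for most rows but on the second line for the PRIV_CMI_ACCESS/PRIV_CMI_OWNER (11.3.11) and PRIV_SYS_IB_CONFIG/PRIV_SYS_IB_INFO (11.0.12) rows; put it on the first line throughout. The three trailing blank lines before the footer are also more than the other pages in this set leave.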
diff -NurbBw 11.4.36/man7/rbac.7 11.4.39/man7/rbac.7
--- 11.4.36/man7/rbac.7 2021-11-16 13:14:17.893579384 +0000
+++ 11.4.39/man7/rbac.7 2021-11-16 13:14:53.213894083 +0000
@@ -26,7 +26,7 @@
Profiles are named collections of commands and authorizations that are
run with additional privilege and/or a specific real and effective UID
and GID. For example, most of the printer system can be managed by hav-
- ing the lp commands run with the UID or lp. Some commands need privi-
+ ing the lp commands run with the UID of lp. Some commands need privi-
leges as defined in privileges(7) to run. For example, the "Process
Management" profile allows a user to run the kill command with the
proc_owner privilege so that it can send signals to processes it does
@@ -43,6 +43,34 @@
control the privileges and UID/GID with which a service runs. See
smf_security(7) for more information.
+
+ Profiles are searched in the order specified in the user's entries in
+ the user_attr(5) database and policy.conf(5). For each user, there are
+ two sets of profiles, an authenticated set, and an unauthenticated set.
+ The user is required to reauthenticate prior to using pfexec(1) to exe-
+ cute commands which match an entry in the exec_attr(5) database corre-
+ sponding to the authenticated profiles set. If the command is executed
+ from a terminal, the authentication state is cached for the current
+ user and tty, subject to the timeout option set for pam_tty_tickets(7)
+ in the PAM stack /etc/pam.d/pfexec. If there is no current tty, but
+ there is an active X11 session, the user is prompted to authenticate
+ through a zenity(1) dialog. This authentication state is cached for the
+ current user and DISPLAY environment setting.
+
+
+ Processes that have been successfully reauthenticated, including those
+ that were implicitly authenticated within the timeout value of the
+ cache, are marked with an additional process flag, PRIV_PFEXEC_AUTH,
+ which exempts child processes from subsequent reauthentication. Both
+ the PRIV_PFEXEC and PRIV_PFEXEC_AUTH flags are inherited by child pro-
+ cesses unless the real uid is changed.
+
+
+ Commands that match the set of unauthenticated profiles do not require
+ reauthentication, but have lower precedence than commands in the set of
+ authenticated profiles. If the same command appears in more than one
+ profile, the profile shell uses the first matching entry.
+
Roles
A role is a special shared account that cannot directly login to the
system that can only be accessed by authorized users with the su(8)
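Review bot: the new text says the tty-based authentication cache is subject to the pam_tty_tickets(7) timeout in /etc/pam.d/pfexec, but for the X11 case it only says the state is "cached for the current user and DISPLAY environment setting" without saying whether the same timeout applies or how that cache expires; since this caching is what lets later pfexec(1) invocations skip reauthentication, the expiry rule should be stated explicitly for both cases. It would also help to say whether changing the real uid is the only way the PRIV_PFEXEC_AUTH flag is dropped, since "unless the real uid is changed" is the only exception the paragraph names.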
@@ -55,8 +83,8 @@
user. Authentication to the role can be either with the user's own
password or with the per-role password (the roleauth keyword in
user_attr(5) controls that behavior on a per-role basis). Usually a
- role's login shell is one of the profile shells (pfsh(1), pfksh(1),
- pfcsh(1)) that are granted one or more Profiles, allowing the role to
+ role's login shell is one of the profile shells (see pfsh(1) for a
+ list) that are granted one or more Profiles, allowing the role to
always execute commands with privilege.
@@ -81,8 +109,8 @@
An authorization is a unique string that represents a user's right to
perform some operation or class of operations. Authorizations are nor-
mally only checked by programs that always run with some privilege, for
- example the setuid(2) programs such as cdrw(1) or the system cron(8)
- daemon.
+ example setuid(2) programs such as cdrw(1) or the system cron(8) dae-
+ mon.
Authorization definitions are stored in the auth_attr(5) database. For
@@ -119,13 +147,11 @@
Authorizations can be explicitly checked in shell scripts by checking
the output of the auths(1) utility. For example,
- for auth in `auths | tr , " "` NOTFOUND
- do
+ for auth in `auths | tr , " "` NOTFOUND ; do
["$auth" = "solaris.date" ] && break # authorization found
done
- if [ "$auth" != "solaris.date" ]
- then
+ if [ "$auth" != "solaris.date" ] ; then
echo >&2 "$PROG: ERROR: you are not authorized to set the date"
exit 1
fi
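Review bot: the unchanged context line `["$auth" = "solaris.date" ] && break # authorization found` is missing the space after `[`, so as written the shell would try to run a command named `[solaris.date` (or `[NOTFOUND`) rather than test(1); since this hunk already reflows the example, fix it to `[ "$auth" = "solaris.date" ] && break`. A one-line comment on the `NOTFOUND` sentinel would also help, as the post-loop test relies on `$auth` holding the last value iterated.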
@@ -144,9 +170,11 @@
One of the most obvious differences between Solaris RBAC and sudo is
the authentication model. In sudo, users reauthenticate as themselves.
- In Solaris RBAC, either no additional authentication is needed (when
- profiles are assigned directly to the user) or the user authenticates
- to a shared account called a role.
+ In Solaris RBAC, no additional authentication is needed when unauthen-
+ ticated profiles are assigned directly to the user. Authentication may
+ be needed in Solaris RBAC when executing commands from an authenticated
+ profile, or when the user authenticates to a shared account called a
+ role.
Using the NOPASSWD functionality in sudo is similar to assigning the
@@ -180,7 +208,7 @@
required.
- Execution profiles exec_attr(5) entries) in RBAC are similar to the
+ Execution profiles (exec_attr(5) entries) in RBAC are similar to the
Cmnd_Alias in sudoers.
@@ -188,10 +216,16 @@
ity in Solaris RBAC.
SEE ALSO
- auths(1), ld.so.1(1), pfcsh(1), pfexec(1), pfksh(1), pfsh(1), roles(1),
- exec_attr(5), prof_attr(5), sudoers(5), user_attr(5), smf_security(7),
- sudo(8)
+ auths(1), ld.so.1(1), pfexec(1), pfsh(1), profiles(1), roles(1),
+ auth_attr(5), exec_attr(5), prof_attr(5), sudoers(5), user_attr(5),
+ pam_tty_tickets(7), smf_security(7), sudo(8)
+
+HISTORY
+ Support for authenticated profiles was added in Oracle Solaris 11.2.0.
+
+
+ RBAC was added to Solaris in Solaris 8.
-Oracle Solaris 11.4 1 Sep 2020 rbac(7)
+Oracle Solaris 11.4 21 Jun 2021 rbac(7)
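Review bot: the HISTORY entries here are newest-first ("Support for authenticated profiles was added in Oracle Solaris 11.2.0", then "RBAC was added to Solaris in Solaris 8"), whereas the privileges(7) and trusted_extensions(7) HISTORY sections added in this same change set are oldest-first and audit(8) is newest-first again; settle on one order for the new HISTORY sections. Dropping pfcsh(1) and pfksh(1) from SEE ALSO is consistent with the earlier "see pfsh(1) for a list" change.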
diff -NurbBw 11.4.36/man7/sandboxing.7 11.4.39/man7/sandboxing.7
--- 11.4.36/man7/sandboxing.7 2021-11-16 13:14:17.953919346 +0000
+++ 11.4.39/man7/sandboxing.7 2021-11-16 13:14:53.283347893 +0000
@@ -141,12 +141,15 @@
+-----------------------------+-----------------------------+
SEE ALSO
- plabel(1), sandbox(1), getlabel(2), libtsol(3LIB), setpro-
- ject(3PROJECT), sandbox_create(3SANDBOX), label_to_str(3TSOL), set-
- clearance(3TSOL), setflabel(3TSOL), str_to_label(3TSOL), label_encod-
- ings(5), attributes(7), clearance(7), labels(7), resource-controls(7),
- projmod(8), sandboxadm(8)
+ plabel(1), sandbox(1), getlabel(2), libtsol(3LIB),
+ setproject(3PROJECT), sandbox_create(3SANDBOX), label_to_str(3TSOL),
+ setclearance(3TSOL), setflabel(3TSOL), str_to_label(3TSOL),
+ label_encodings(5), attributes(7), clearance(7), labels(7),
+ resource-controls(7), projmod(8), sandboxadm(8)
+HISTORY
+ Support for sandboxing was added in Oracle Solaris 11.4.0.
-Oracle Solaris 11.4 27 Nov 2017 sandboxing(7)
+
+Oracle Solaris 11.4 21 Jun 2021 sandboxing(7)
diff -NurbBw 11.4.36/man7/smf_method.7 11.4.39/man7/smf_method.7
--- 11.4.36/man7/smf_method.7 2021-11-16 13:14:17.987887742 +0000
+++ 11.4.39/man7/smf_method.7 2021-11-16 13:14:53.343426590 +0000
@@ -398,6 +398,16 @@
page.
+ priv_debug
+
+ An optional boolean that specifies whether this service runs with
+ the PPRIV_DEBUG process flag. Setting this true will result in
+ details of any file access errors or missing required privileges
+ being printed to the system messages file. These messages will
+ describe the missing privilege and for file access, name the file
+ to which access was denied.
+
+
The method context can be set for the entire service instance by speci-
fying a method_context property group for the service or instance. A
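Review bot: the new priv_debug entry does not state the property's default value (presumably false, but say so) and "Setting this true" should read "Setting this to true". Because the resulting messages name the denied file and the missing privilege, it is worth saying that the property is a diagnostic aid for working out a service's method_context privilege set, to be switched off once that set is settled rather than left enabled in production.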
diff -NurbBw 11.4.36/man7/solaris-kz.7 11.4.39/man7/solaris-kz.7
--- 11.4.36/man7/solaris-kz.7 2021-11-16 13:14:18.027395414 +0000
+++ 11.4.39/man7/solaris-kz.7 2021-11-16 13:14:53.390908207 +0000
@@ -638,6 +638,22 @@
adx, prfchw.
+ migration-class7 kernel zone can perform cross-CPU type migration
+ between CPUs of Sky Lake or later micro architec-
+ tures. Features supported by this class are: all
+ features supported by migration-class6 along with
+ avc512f, avx512cd, avx512bw, avx512dq, avx512vl and
+ clwb.
+
+
+ migration-class8 kernel zone can perform cross-CPU type migration
+ between CPUs of Ice Lake or later micro architec-
+ tures. Features supported by this class are: all
+ features supported by migration-class7 and includes
+ rdpid, rep_mov, vpclmulqdq, vaes, gfni,
+ avx512vpopcntdq, avx512bitalg, and avx512vbmi2.
+
+
Note that performance counters are not available when cpu-arch is set
to a migration class. Only the strand or hyperthread specific CPU per-
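Review bot: "avc512f" in the migration-class7 feature list looks like a typo for "avx512f", the foundation feature the other avx512* entries depend on. Also "micro architec- tures" should be one word, "microarchitectures", in both entries, and "all features supported by migration-class7 and includes rdpid, ..." should read "all features supported by migration-class7 along with rdpid, ..." to match the class7 wording.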
@@ -976,4 +992,4 @@
-Oracle Solaris 11.4 23 Jun 2020 solaris-kz(7)
+Oracle Solaris 11.4 01 Aug 2021 solaris-kz(7)
diff -NurbBw 11.4.36/man7/tpd.7 11.4.39/man7/tpd.7
--- 11.4.36/man7/tpd.7 2021-11-16 13:14:18.053274084 +0000
+++ 11.4.39/man7/tpd.7 2021-11-16 13:14:53.423442107 +0000
@@ -9,14 +9,14 @@
DESCRIPTION
On immutable zones, certain processes are marked as part of the Trusted
Path Domain (TPD). These processes are allowed to perform all
- restricted options from that processes perspective. The zone looks like
- an ordinary read-write global or non-global zone.
+ restricted options from the perspective of that process. The zone looks
+ like an ordinary read-write global or non-global zone.
- In order to prevent non-TPD process from interfering with TPD pro-
- cesses, TPD processes cannot be trussed by non-TPD processes. TPD-pro-
- cesses terminals and fifos are marked specifically and they cannot be
- opened by non-TPD processes.
+ In order to prevent non-TPD processes interfering with TPD processes,
+ TPD processes cannot be trussed by non-TPD processes. TPD-processes
+ terminals and fifos are marked specifically and they cannot be opened
+ by non-TPD processes.
The protected TPD processes are not allowed to open to read files, ter-
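Review bot: the rewritten "TPD-processes terminals and fifos are marked specifically" still needs the possessive, "TPD processes' terminals and fifos"; "prevent non-TPD processes interfering with" should be "prevent non-TPD processes from interfering with"; and "restricted options from the perspective of that process" is unclear about what "options" means, so confirm whether "restricted operations" is intended.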
@@ -27,7 +27,7 @@
setpflags(2).
- A number of the daemon on the system are running in the TPD. This
+ A number of the daemons on the system are running in the TPD. This
includes init, svc.configd, and svc.startd.
SEE ALSO
@@ -35,4 +35,4 @@
-Oracle Solaris 11.4 03 May 2016 tpd(7)
+Oracle Solaris 11.4 21 Jun 2021 tpd(7)
diff -NurbBw 11.4.36/man7/trusted_extensions.7 11.4.39/man7/trusted_extensions.7
--- 11.4.36/man7/trusted_extensions.7 2021-11-16 13:14:18.115834049 +0000
+++ 11.4.39/man7/trusted_extensions.7 2021-11-16 13:14:53.492444004 +0000
@@ -31,5 +31,25 @@
Trusted Extensions Configuration and Administration
+ Trusted Extensions Label Administration
-Oracle Solaris 11.4 16 Nov 2016 trusted_extensions(7)
+
+ Trusted Extensions Developer's Guide
+
+HISTORY
+ Trusted Extensions was made available as an add-on for Solaris 10 11/06
+ (Update 3), and then was integrated fully into Solaris in the Solaris
+ 10 4/08 (Update 5) release.
+
+
+ Prior to that, Multilevel Security for Solaris was provided by the sep-
+ arate Trusted Solaris product, and before that, the SunOS CMW and SunOS
+ MLS products.
+
+
+ Support for a multilevel, labeled desktop environment was removed from
+ Solaris in Oracle Solaris 11.4.0.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 trusted_extensions(7)
diff -NurbBw 11.4.36/man8/admhist.8 11.4.39/man8/admhist.8
--- 11.4.36/man8/admhist.8 2021-11-16 13:14:18.167962737 +0000
+++ 11.4.39/man8/admhist.8 2021-11-16 13:14:53.523108845 +0000
@@ -21,9 +21,9 @@
alternate audit directory can be specified by using the -R option, or
specific audit trail files can be specified on the command line. Only
users with the PRIV_FILE_DAC_READ privilege can use the admhist util-
- ity. If the Trusted Extensions have been enabled, users must have the
- PRIV_SYS_TRANS_LABEL privilege. Both these privileges are included in
- the Audit Review rights profile.
+ ity. If Trusted Extensions have been enabled, users must also have the
+ PRIV_SYS_TRANS_LABEL privilege. Both of these privileges are included
+ in the Audit Review rights profile.
OPTIONS
The following options are supported:
@@ -62,8 +61,8 @@
Selects administrative events from the specified zone name. This
option only applies to administrative events generated when the
- zonename audit policy has been enabled. for more information, refer
- auditconfig(8) man page.
+ zonename audit policy has been enabled. For more information, refer
+ to the auditconfig(8) man page.
-u username/uid
@@ -74,7 +73,7 @@
-v
- Verbose. Includes the hostname, and current working directory asso-
+ Verbose. Includes the hostname and current working directory asso-
ciated with each administrative event.
@@ -102,18 +100,22 @@
59). The default value is 00 for hh, mm, and ss.
- o Plain language descriptions of dates which has the following
- form:
-
+ o Plain language descriptions of dates which have the follow-
+ ing form:
today, yesterday
last week, last month, last year
- last N hours, last N days, last N weeks, last N months, last N
- years
+ last N hours, last N days, last N weeks, last N months,
+ last N years
where N is the number of units.
+ When entering commands at a shell prompt or in a shell
+ script, dates specified as multiple words will generally
+ need to be quoted in order for them to be treated as a sin-
+ gle argument, as shown in the Examples below.
+
FILES
/var/audit/* The default location of audit trail files, when stored
@@ -120,10 +122,8 @@
locally by using audit_binfile(7).
-
EXAMPLES
- Example 1 Displaying the System Administration Events Occurred in Zone
- myzone
+ Example 1 Displaying System Administration Events in a Zone
@@ -134,9 +134,7 @@
# admhist -z myzone
-
- Example 2 Displaying the System Administration Events Occurred on the
- System
+ Example 2 Displaying System Administration Events on the System
@@ -147,9 +145,7 @@
# admhist -a "last 8 hours"
-
- Example 3 Displaying the System Administration Events Occurred in the
- Past Week
+ Example 3 Displaying System Administration Events from Past Week
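Review bot: "Displaying System Administration Events from Past Week" needs an article, "from the Past Week", to match the other rewritten example titles.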
@@ -160,9 +156,7 @@
# admhist -a "last week" -b yesterday
-
- Example 4 Displaying the System Administration Events Present in a Spe-
- cific Audit Trail File
+ Example 4 Displaying Events in a Specific Audit Trail File
@@ -187,8 +180,8 @@
+-----------------------------+-----------------------------+
- The interface stability of admhist command is Committed. The interface
- stability of admhist command's output is Not-an-Interface.
+ The interface stability of the admhist command is Committed. The inter-
+ face stability of the output of admhist is Not-an-Interface.
SEE ALSO
audit.log(5), audit_tags(5), attributes(7), privileges(7), auditcon-
@@ -197,6 +190,9 @@
Managing Auditing in Oracle Solaris 11.4
+HISTORY
+ The admhist command was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 22 April 2021 admhist(8)
+Oracle Solaris 11.4 21 Jun 2021 admhist(8)
diff -NurbBw 11.4.36/man8/archiveadm.8 11.4.39/man8/archiveadm.8
--- 11.4.36/man8/archiveadm.8 2021-11-16 13:14:18.226779959 +0000
+++ 11.4.39/man8/archiveadm.8 2021-11-16 13:14:53.574487951 +0000
@@ -422,6 +422,13 @@
deployment is formed from this name with the
string -recovery appended to it.
+ On archive redeployment, the active BE is modi-
+ fied to match the target environment. In case of
+ recovery archives, in order to preserve the
+ original active BE for comparison and/or refer-
+ ence purposes the modifications are performed on
+ the clone of that BE which is then activated.
+
AI_MEDIA The name of the AI media associated with this
archived system.
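Review bot: the new paragraph says the modifications are performed on "the clone of that BE" without tying it to the "<name>-recovery" BE named in the preceding context lines; state explicitly that the clone is that -recovery BE, since the purpose of this change is to document that BE's existence after a recovery-archive deployment. Also "In case of recovery archives" should be "In the case of recovery archives", and a comma is needed after "reference purposes".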
@@ -889,4 +896,4 @@
-Oracle Solaris 11.4 20 Jan 2021 archiveadm(8)
+Oracle Solaris 11.4 10 Jun 2021 archiveadm(8)
diff -NurbBw 11.4.36/man8/audit.8 11.4.39/man8/audit.8
--- 11.4.36/man8/audit.8 2021-11-16 13:14:18.270799560 +0000
+++ 11.4.39/man8/audit.8 2021-11-16 13:14:53.603073274 +0000
@@ -88,6 +88,12 @@
only the -v option is valid. See auditconfig(8) for per-zone audit con-
figuration.
+HISTORY
+ The -v option was added in Solaris 10 3/05.
-Oracle Solaris 11.4 29 Dec 2016 audit(8)
+ The audit command was added in Solaris 2.3.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 audit(8)
diff -NurbBw 11.4.36/man8/auditconfig.8 11.4.39/man8/auditconfig.8
--- 11.4.36/man8/auditconfig.8 2021-11-16 13:14:18.329327513 +0000
+++ 11.4.39/man8/auditconfig.8 2021-11-16 13:14:53.640255758 +0000
@@ -718,13 +712,12 @@
#
# Map kernel audit event number 10 to the "fr" audit class.
- # auditconfig -setclass 10 fr
+ auditconfig -setclass 10 fr
#
# Turn on inclusion of exec arguments in exec audit records.
- # auditconfig -setpolicy +argv
-
+ auditconfig -setpolicy +argv
Example 2 Setting Only the Number of Unprocessed Audit Records
@@ -736,12 +729,11 @@
# See if audit_binfile is active.
- % auditconfig -getplugin audit_binfile
+ auditconfig -getplugin audit_binfile
# Set to queue 20 unprocessed audit records.
#
- % auditconfig -setplugin audit_binfile "" 20
-
+ auditconfig -setplugin audit_binfile "" 20
Example 3 Resetting Queue Control Parameters
@@ -767,8 +759,7 @@
# Set a connection group attribute, activate the connection group
auditconfig -setremote group active egg_farm \
- "hosts=www.oracle.com,binfile_dir=/var/audit/ARS"
-
+ "hosts=www.example.com,binfile_dir=/var/audit/ARS"
Example 4 Configuring an Audit Remote Server
@@ -793,8 +784,7 @@
# Set a connection group attribute, activate the connection group
auditconfig -setremote group active egg_farm \
- "hosts=www.oracle.com,binfile_dir=/var/audit/ARS"
-
+ "hosts=www.example.com,binfile_dir=/var/audit/ARS"
EXIT STATUS
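Review bot: the identical `auditconfig -setremote group active egg_farm` block is edited in both this hunk (-793) and the previous one (-767), i.e. it appears once at the end of Example 3 and once at the end of Example 4; confirm the copy that ends Example 3 ("Resetting Queue Control Parameters") is not an accidental duplicate, since a -setremote command belongs with Example 4 ("Configuring an Audit Remote Server"). The www.oracle.com to www.example.com change itself is correct for documentation hostnames.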
@@ -863,6 +853,9 @@
changing the respective attributes) until the audit service is
refreshed. Use audit(8) to refresh the audit service.
+HISTORY
+ The auditconfig command was added in Solaris 2.3.
+
-Oracle Solaris 11.4 17 Apr 2020 auditconfig(8)
+Oracle Solaris 11.4 21 Jun 2021 auditconfig(8)
diff -NurbBw 11.4.36/man8/auditd.8 11.4.39/man8/auditd.8
--- 11.4.36/man8/auditd.8 2021-11-16 13:14:18.367659363 +0000
+++ 11.4.39/man8/auditd.8 2021-11-16 13:14:53.698875485 +0000
@@ -103,8 +103,8 @@
The Audit Remote Server functionality is enabled, if the server is not
configured as inactive (see the -setremote server option in auditcon-
- fig(8)) and at least one connection group is active. See Audit Remote
- Server section for more information.
+ fig(8)) and at least one connection group is active. See "Audit Remote
+ Server" section for more information.
Local auditing and the Audit Remote Server can be configured indepen-
@@ -114,7 +114,7 @@
The Audit Remote Server, ARS, is an integral part of auditd. It makes a
counterpart to the audit_remote(7) plugin. Data sent by the plugin can
be captured, processed, and stored by the server according to its con-
- figuration.
+ figuration, as described in the ars(7) manual page.
ARS is delivered as a disabled Solaris audit component. It is necessary
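Review bot: the new cross-reference to ars(7) in the body should be mirrored in SEE ALSO; nothing in this patch touches the auditd(8) SEE ALSO list, so verify that ars(7) is already listed there and add it if not.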
@@ -135,7 +135,7 @@
Server Configuration Attributes
listen_address
- Address the server listens on. Empty listen_address attribute
+ Address the server listens on. An empty listen_address attribute
defaults to listen on all local addresses.
@@ -206,7 +206,8 @@
For comprehensive configuration description and examples, see the
- appropriate chapter in the Managing Auditing in Oracle Solaris 11.4.
+ appropriate chapter in the Managing Auditing in Oracle Solaris 11.4
+ book.
Audit Record Queue
The maximum number of records to queue for audit data sent to the plug-
@@ -236,26 +237,26 @@
# Print the current audit remote server configuration.
# Both server and connection groups (if any) is displayed.
- # auditconfig -getremote
+ auditconfig -getremote
# Set address the audit remote server will listen on.
- # auditconfig -setremote server "listen_address=192.168.0.1"
+ auditconfig -setremote server "listen_address=192.168.0.1"
# Create two connection groups. Note that by default the
# connection group is created with no hosts specified
# (wild card connection group).
- # auditconfig -setremote group create clockhouse
- # auditconfig -setremote group create sink
+ auditconfig -setremote group create clockhouse
+ auditconfig -setremote group create sink
# Add hosts to the connection group (convert the wild card
# connection group no non-wild card one). Set the storage
# directory and activate the connection group.
- # auditconfig -setremote group active clockhouse \
- # "hosts=tic.cz.example.com,tac.us.example.com,\
- # binfile_dir=/var/audit/remote"
+ auditconfig -setremote group active clockhouse \
+ "hosts=tic.cz.example.com,tac.us.example.com,\
+ binfile_dir=/var/audit/remote"
# Activate the wild card connection group.
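Review bot: two typos survive in the context lines of this example while the hunk is already rewriting every command line in it: "(convert the wild card connection group no non-wild card one)" should read "to a non-wild card one", and "Both server and connection groups (if any) is displayed" should read "are displayed". Fix both here rather than leaving them for another pass.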
@@ -320,13 +320,16 @@
Configuration changes do not affect audit sessions that are currently
running, as the changes do not modify a process's preselection mask. To
change the preselection mask on a running process, use the -setpmask
- option of the auditconfig command (see auditconfig(8)). If the user
- logs out and logs back in, the new configuration changes will be
- reflected in the next audit session.
+ option of the auditconfig(8) command. If the user logs out and logs
+ back in, the new configuration changes will be reflected in the next
+ audit session.
The audit service FMRI is svc:/system/auditd:default.
+HISTORY
+ The auditd daemon was added in Solaris 2.3.
+
-Oracle Solaris 11.4 29 Dec 2016 auditd(8)
+Oracle Solaris 11.4 21 Jun 2021 auditd(8)
diff -NurbBw 11.4.36/man8/auditrecord.8 11.4.39/man8/auditrecord.8
--- 11.4.36/man8/auditrecord.8 2021-11-16 13:14:18.402537454 +0000
+++ 11.4.39/man8/auditrecord.8 2021-11-16 13:14:53.745378625 +0000
@@ -36,13 +36,13 @@
-c class
List all the audit records selected by the list of classes, class.
- Valid classes are found in audit_class file. For more information,
- see the audit_class(5) man page.
+ Valid classes are found in the audit_class files. For more informa-
+ tion, see the audit_class(5) man page.
-d
- Debug mode. Display number of audit records that are defined in
+ Debug mode. Display the number of audit records that are defined in
audit_event, the number of classes defined in audit_class, any mis-
matches between the two files, and report which defined events do
not have format information available to auditrecord.
@@ -66,14 +66,13 @@
-p programname
- List all audit records generated by the program programname, for
- example, audit records generated by a user-space program.
+ List all audit records generated by the user-space program program-
+ name.
-s systemcall
- List all audit records generated by the system call systemcall, for
- example, audit records generated by a system call.
+ List all audit records generated by the system call systemcall.
@@ -91,17 +90,15 @@
audit record.
-
-
% auditrecord -i 6152
+
terminal login
- program /usr/sbin/login see login(1)
- /usr/sbin/gdm See dtlogin
+ program /usr/sbin/login See login(1)
+ /usr/sbin/gdm See gdm(8)
event ID 6152 AUE_login
- class lo (0x00001000)
+ class lo (0x0000000000001000)
header
subject
- [text] error message
return
@@ -115,28 +112,35 @@
record with an event ID label that contains the string login.
+ % auditrecord -e login
-
- # auditrecord -e login
terminal login
- program /usr/sbin/login see login(1)
- /usr/sbin/gdm See dtlogin
+ program /usr/sbin/login See login(1)
+ /usr/sbin/gdm See gdm(8)
event ID 6152 AUE_login
- class lo (0x00001000)
+ class lo (0x0000000000001000)
header
subject
- [text] error message
return
- rlogin
- program /usr/sbin/login see login(1) - rlogin
- event ID 6155 AUE_rlogin
- class lo (0x00001000)
+ RBAC: role login
+ program /usr/bin/su See role login
+ event ID 6173 AUE_role_login
+ class lo (0x0000000000001000)
+ header
+ subject
+ return
+
+ zone login
+ program /usr/sbin/login See zlogin(1)
+ event ID 6227 AUE_zlogin
+ class lo (0x0000000000001000)
header
subject
[text] error message
return
+ [...]
EXIT STATUS
@@ -152,6 +156,7 @@
FILES
/etc/security/audit_class
+ /etc/security/audit_class.system
Provides the list of valid classes and the associated audit mask.
@@ -194,9 +200,6 @@
auditrecord displays a usage message then exits with a non-zero return.
NOTES
- This command was formerly known as bsmrecord.
-
-
If /etc/security/audit_event has been modified to add user-defined
audit events, auditrecord displays the record format as undefined.
@@ -245,6 +247,11 @@
record where a zone name is explicitly part of the record.
+HISTORY
+ This functionality was originally provided in the bsmrecord command,
+ which was added in Solaris 9. The command was renamed to auditrecord in
+ Oracle Solaris 11.0.0.
+
-Oracle Solaris 11.4 20 Jan 2017 auditrecord(8)
+Oracle Solaris 11.4 21 Jun 2021 auditrecord(8)
diff -NurbBw 11.4.36/man8/auditreduce.8 11.4.39/man8/auditreduce.8
--- 11.4.36/man8/auditreduce.8 2021-11-16 13:14:18.466571272 +0000
+++ 11.4.39/man8/auditreduce.8 2021-11-16 13:14:53.785084887 +0000
@@ -154,7 +154,7 @@
mally interpreted as the name of a subdirectory of the audit root,
therefore auditreduce will look in audit_root_dir/specific_direc-
tory for the audit trail files. But if specific_directory contains
- any backslash characters (/), it is the name of a directory not
+ any forward slash characters (/), it is the name of a directory not
necessarily contained in the audit root. In this case, spe-
cific_directory will be consulted. This option allows archived
files to be manipulated easily, without requiring that they be
@@ -194,8 +194,8 @@
to the audit classes specified by audit-classes are selected. Audit
class names are defined in audit_class(5). The audit-classes can be
a comma separated list of audit flags like those described in
- audit_flags(7). Using the audit flags, one can select records
- based upon success and failure criteria.
+ audit_flags(7). Using the audit flags, one can select records based
+ upon success and failure criteria.
-d date-time
@@ -721,6 +720,9 @@
The -z option should be used only if the audit policy zonename is set.
If there is no zonename token, then no records will be selected.
+HISTORY
+ The auditreduce command was added in Solaris 2.3.
+
-Oracle Solaris 11.4 27 Sep 2018 auditreduce(8)
+Oracle Solaris 11.4 21 Jun 2021 auditreduce(8)
diff -NurbBw 11.4.36/man8/auditstat.8 11.4.39/man8/auditstat.8
--- 11.4.36/man8/auditstat.8 2021-11-16 13:14:18.494291835 +0000
+++ 11.4.39/man8/auditstat.8 2021-11-16 13:14:53.821455718 +0000
@@ -118,11 +118,14 @@
The command is Committed. The output is Not-an-Interface.
SEE ALSO
- zoneadm(8), attributes(7)
+ attributes(7), auditconfig(8), zoneadm(8)
Managing Auditing in Oracle Solaris 11.4
+HISTORY
+ The auditstat command was added in Solaris 2.3.
-Oracle Solaris 11.4 29 Dec 2016 auditstat(8)
+
+Oracle Solaris 11.4 21 Jun 2021 auditstat(8)
diff -NurbBw 11.4.36/man8/bart.8 11.4.39/man8/bart.8
--- 11.4.36/man8/bart.8 2021-11-16 13:14:18.527645640 +0000
+++ 11.4.39/man8/bart.8 2021-11-16 13:14:53.855257252 +0000
@@ -25,54 +25,51 @@
The bart utility performs two basic functions:
- bart create The manifest generator tool takes a file-level snapshot
- of a system. The output is a catalog of file attributes
- referred to as a manifest. See bart_manifest(5).
-
- You can specify that the list of files be cataloged in
- three ways. Use bart create with no options, specify
- the files by name on the command line, or create a
- rules file with directives that specify which the files
- to monitor. See bart_rules(5).
-
- By default, the manifest generator catalogs all
- attributes of all files in the root (/) file system.
- File systems mounted on the root file system are cata-
- loged only if they are of the same type as the root
- file system.
-
- For example, /, /usr, and /opt are separate UFS file
- systems. /usr and /opt are mounted on /. Therefore, all
- three file systems are cataloged. However, /tmp, also
- mounted on /, is not cataloged because it is a TMPFS
- file system. Mounted CD-ROMs are not cataloged since
- they are HSFS file systems.
-
-
- bart compare The report tool compares two manifests. The output is a
- list of per-file attribute discrepancies. These dis-
- crepancies are the differences between two manifests: a
- control manifest and a test manifest.
-
- A discrepancy is a change to any attribute for a given
- file cataloged by both manifests. A new file or a
- deleted file in a manifest is reported as a discrep-
- ancy.
-
- The reporting mechanism provides two types of output:
- verbose and programmatic. Verbose output is localized
- and presented on multiple lines, while programmatic
- output is more easily parsable by other programs. See
- OUTPUT.
-
- By default, the report tool generates verbose output
- where all discrepancies are reported except for modi-
- fied directory timestamps (dirmtime attribute).
-
- To ensure consistent and accurate comparison results,
- control-manifest and test-manifest must be built with
- the same rules file and the rules file needs to be used
- during 'compare' operation.
+ bart create
+
+ The manifest generator tool takes a file-level snapshot of a sys-
+ tem. The output is a catalog of file attributes referred to as a
+ manifest. See bart_manifest(5).
+
+ You can specify that the list of files be cataloged in three ways.
+ Use bart create with no options, specify the files by name on the
+ command line, or create a rules file with directives that specify
+ which the files to monitor. See bart_rules(5).
+
+ By default, the manifest generator catalogs all attributes of all
+ files in the root (/) file system. Other file systems are cataloged
+ only if they are of the same type as the root file system, and the
+ path to them does not cross any other type of file system.
+
+ For example, if /, /var, and /var/share are separate ZFS file sys-
+ tems, with /var mounted on / and /var/share mounted on /var, then
+ all three file systems are cataloged. However, /tmp, also mounted
+ on /, would not be cataloged because it is a TMPFS file system.
+
+
+ bart compare
+
+ The report tool compares two manifests. The output is a list of
+ per-file attribute discrepancies. These discrepancies are the dif-
+ ferences between two manifests: a control manifest and a test mani-
+ fest.
+
+ A discrepancy is a change to any attribute for a given file cata-
+ loged by both manifests. A new file or a deleted file in a manifest
+ is reported as a discrepancy.
+
+ The reporting mechanism provides two types of output: verbose and
+ programmatic. Verbose output is localized and presented on multiple
+ lines, while programmatic output is more easily parsable by other
+ programs. See OUTPUT.
+
+ By default, the report tool generates verbose output where all dis-
+ crepancies are reported except for modified directory timestamps
+ (dirmtime attribute).
+
+ To ensure consistent and accurate comparison results, control-mani-
+ fest and test-manifest must be built with the same rules file and
+ the rules file needs to be used during 'compare' operation.
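Review bot: the reflowed "bart create" text carries over a grammatical error from the old version, "directives that specify which the files to monitor"; it should be "which files to monitor". Likewise "during 'compare' operation" at the end of the "bart compare" text should be "during the compare operation". The updated UFS-to-ZFS example and the new rule about the path not crossing another file system type are otherwise clear.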
@@ -88,62 +85,67 @@
OPTIONS
The following options are supported:
- -i attribute ... Specify the file attributes to be ignored glob-
- ally. Specify attributes as a comma separated
- list.
+ -i attribute ...
+
+ Specify the file attributes to be ignored globally. Specify
+ attributes as a comma separated list.
+
+ This option produces the same behavior as supplying the file
+ attributes to a global IGNORE keyword in the rules file. See
+ bart_rules(5).
+
+
+ -I [file_name...]
+
+ Specify the input list of files. The file list can be specified at
+ the command line or read from standard input.
- This option produces the same behavior as supply-
- ing the file attributes to a global IGNORE keyword
- in the rules file. See bart_rules(5).
+ -n
- -I [file_name...] Specify the input list of files. The file list can
- be specified at the command line or read from
- standard input.
+ Prevent computation of content signatures for all regular files in
+ the file list.
- -n Prevent computation of content signatures for all
- regular files in the file list.
+ -p
+ Display manifest comparison output in "programmatic mode," which is
+ suitable for programmatic parsing. The output is not localized.
- -p Display manifest comparison output in "program-
- matic mode," which is suitable for programmatic
- parsing. The output is not localized.
+ -r rules_file
- -r rules_file Use rules_file to specify which files and directo-
- ries to catalog, and to define which file
- attribute discrepancies to flag. If rules_file is
- -, then the rules are read from standard input.
- See bart_rules(5) for the definition of the syn-
- tax.
+ Use rules_file to specify which files and directories to catalog,
+ and to define which file attribute discrepancies to flag. If
+ rules_file is -, then the rules are read from standard input. See
+ bart_rules(5) for the definition of the syntax.
- -R root_directory Specify the root directory for the manifest. All
- paths specified by the rules, and all paths
- reported in the manifest, are relative to
+ -R root_directory
+
+ Specify the root directory for the manifest. All paths specified by
+ the rules, and all paths reported in the manifest, are relative to
root_directory.
Note -
- The root file system of any non-global zones
- must not be referenced with the -R option. Doing
- so might damage the global zone's file system,
- might compromise the security of the global
- zone, and might damage the non-global zone's
- file system. See zones(7).
+ The root file system of any non-global zones must not be refer-
+ enced with the -R option. Doing so might damage the global zone's
+ file system, might compromise the security of the global zone,
+ and might damage the non-global zone's file system. See zones(7).
+
+ -a [ hash ]
- -a [ hash ] Specify the cryptographic digest algorithm to use
- for the hash of the file contents: md5, sha1,
- sha256, sha512 are the currently supported values.
- If -a is not specified, sha256 is used and a Ver-
- sion 1.1 manifest is created that indicates which
- hash algorithm is used. If md5 is specified then a
- Version 1.0 manifest is created.
+ Specify the cryptographic digest algorithm to use for the hash of
+ the file contents: md5, sha1, sha256, sha384, and sha512 are the
+ currently supported values. If -a is not specified, sha256 is used
+ and a Version 1.1 manifest is created that indicates which hash
+ algorithm is used. If md5 is specified then a Version 1.0 manifest
+ is created.
OPERANDS
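Review bot: "-a [ hash ]" is still listed last, after -R, while the rest of the options run in alphabetical order (-i, -I, -n, -p, -r, -R); move it to the front of the list. Since md5 and sha1 remain documented as accepted values here, the -a description should also point the reader to the SECURITY section added later in this patch, which is where the advice to avoid them lives.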
@@ -180,44 +182,46 @@
attribute control:xxxx test:yyyy
- filename Name of the file that differs between control-manifest and
- test-manifest. For file names that contain embedded white-
- space or newline characters, see bart_manifest(5).
+ filename
+
+ Name of the file that differs between control-manifest and test-
+ manifest. For file names that contain embedded whitespace or new-
+ line characters, see bart_manifest(5).
- attribute The name of the file attribute that differs between the
- manifests that are compared. xxxx is the attribute value
- from control-manifest, and yyyy is the attribute value
- from test-manifest. When discrepancies for multiple
- attributes occur for the same file, each difference is
- noted on a separate line.
+ attribute
+
+ The name of the file attribute that differs between the manifests
+ that are compared. xxxx is the attribute value from control-mani-
+ fest, and yyyy is the attribute value from test-manifest. When dis-
+ crepancies for multiple attributes occur for the same file, each
+ difference is noted on a separate line.
The following attributes are supported:
- acl ACL attributes for the file. For a file with
- ACL attributes, this field contains the output
- from acltotext().
+ acl ACL attributes for the file. For a file with ACL
+ attributes, this field contains the output from aclto-
+ text().
all All attributes.
- contents Checksum value of the file. This attribute is
- only specified for regular files. If you turn
- off context checking or if checksums cannot be
- computed, the value of this field is -.
+ contents Checksum value of the file. This attribute is only
+ specified for regular files. If you turn off context
+ checking or if checksums cannot be computed, the value
+ of this field is -.
dest Destination of a symbolic link.
- devnode Value of the device node. This attribute is
- for character device files and block device
- files only.
+ devnode Value of the device node. This attribute is for charac-
+ ter device files and block device files only.
- dirmtime Modification time in seconds since 00:00:00
- UTC, January 1, 1970 for directories.
+ dirmtime Modification time in seconds since 00:00:00 UTC, Janu-
+ ary 1, 1970 for directories.
gid Numerical group ID of the owner of this entry.
@@ -226,12 +230,12 @@
lnmtime Creation time for links.
- mode Octal number that represents the permissions
- of the file.
+ mode Octal number that represents the permissions of the
+ file.
- mtime Modification time in seconds since 00:00:00
- UTC, January 1, 1970 for files.
+ mtime Modification time in seconds since 00:00:00 UTC, Janu-
+ ary 1, 1970 for files.
size File size in bytes.
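Review bot: the reflowed "contents" attribute text still says "If you turn off context checking"; given that -n is described above as preventing "computation of content signatures", this should read "content checking". Since this hunk already rewrites that line, correct it here.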
@@ -421,12 +395,14 @@
manifests.
-
-
bart compare -r rules manifest1 manifest2
-
+SECURITY
+ The MD5 & SHA-1 algorithms are currently considered weak for crypto-
+ graphic use. These algorithms should be used only for compatibility
+ with legacy manifest data. Manifests should be updated to use a SHA-2
+ family checksum when possible (sha256, sha384, or sha512).
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
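Review bot: in the new SECURITY section write "MD5 and SHA-1" rather than "MD5 & SHA-1", matching the prose style of the rest of the page. The section also calls the values a "checksum" while the -a option calls them a "cryptographic digest algorithm" and "hash"; pick one term so the two places clearly refer to the same thing, and consider saying "regenerated" instead of "updated", since an existing manifest cannot be converted to a different hash without re-cataloging the files.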
@@ -451,6 +427,13 @@
system in the same state; that is, if both were created in single-user
or both in multi-user.
+HISTORY
+ Support for Version 1.1 manifests, SHA checksums, and the -a option was
+ added in Oracle Solaris 11.0.0.
+
+
+ The bart command was added in Solaris 10 3/05.
+
-Oracle Solaris 11.4 15 Nov 2011 bart(8)
+Oracle Solaris 11.4 21 Jun 2021 bart(8)
diff -NurbBw 11.4.36/man8/chk_encodings.8 11.4.39/man8/chk_encodings.8
--- 11.4.36/man8/chk_encodings.8 2021-11-16 13:14:18.555829219 +0000
+++ 11.4.39/man8/chk_encodings.8 2021-11-16 13:14:53.883321656 +0000
@@ -47,19 +47,18 @@
See attributes(7) for descriptions of the following attributes:
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
|Availability |system/file_labeling |
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
|Interface Stability |See below. |
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
|Standard |DDS-2600-6216-93, Compart- |
| |mented Mode Workstation |
- | |Labeling: Encodings |
- | | For- |
- | |mat, September 1993 |
- +-----------------------------+-----------------------------------------+
+ | |Labeling: Encodings Format, |
+ | |September 1993 |
+ +-----------------------------+-----------------------------+
The command output is Not-an-Interface. The command invocation is Com-
@@ -79,4 +78,4 @@
-Oracle Solaris 11.4 27 Nov 2017 chk_encodings(8)
+Oracle Solaris 11.4 21 Jun 2021 chk_encodings(8)
diff -NurbBw 11.4.36/man8/chroot.8 11.4.39/man8/chroot.8
--- 11.4.36/man8/chroot.8 2021-11-16 13:14:18.584838628 +0000
+++ 11.4.39/man8/chroot.8 2021-11-16 13:14:53.911663387 +0000
@@ -35,26 +35,6 @@
RETURN VALUES
The exit status of chroot is the return value of command.
-EXAMPLES
- Example 1 Using the chroot Utility
-
-
-
- The chroot utility provides an easy way to extract tar files (see
- tar(1)) written with absolute filenames to a different location. It is
- necessary to copy the shared libraries used by tar (see ldd(1)) to the
- newroot filesystem.
-
-
-
-
- example# mkdir /tmp/lib; cd /lib
- example# cp ld.so.1 libc.so.1 libcmd.so.1 libdl.so.1 \
- libsec.so.1 /tmp/lib
- example# cp /usr/bin/tar /tmp
- example# dd if=/dev/rmt/0 | chroot /tmp tar xvf -
-
-
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
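Review bot: deleting Example 1 leaves chroot(8) with no EXAMPLES section at all. If the example was dropped because of the tape device and the hard-coded list of shared libraries, replace it with a current example rather than removing it outright; the point it made, that the shared libraries needed by the command (see ldd(1)) must be present under the new root, is still useful guidance for anyone setting up a chroot.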
@@ -79,4 +59,4 @@
-Oracle Solaris 11.4 15 Dec 2003 chroot(8)
+Oracle Solaris 11.4 21 Jun 2021 chroot(8)
diff -NurbBw 11.4.36/man8/compliance-roster.8 11.4.39/man8/compliance-roster.8
--- 11.4.36/man8/compliance-roster.8 2021-11-16 13:14:18.617605290 +0000
+++ 11.4.39/man8/compliance-roster.8 2021-11-16 13:14:53.944406488 +0000
@@ -194,10 +187,9 @@
ter must be committed to be used by compliance assess. Until the
in-memory roster is committed, you can remove changes with the
revert subcommand. The commit operation is attempted automatically
- upon completion of a compliance
- roster session.
- Since a roster must be correct to be committed, this operation
- automatically does a verify.
+ upon completion of a compliance roster session. Since a roster must
+ be correct to be committed, this operation automatically does a
+ verify.
delete [-F]
@@ -336,12 +328,10 @@
exit [-F]
- Exit the compliance
- roster session. A
- verify and commit is automatically attempted if needed. The -F
- option can be used to bypass any commit. You can also use an EOF
- character to exit compliance roster.
-
+ Exit the compliance roster session. A verify and commit is automat-
+ ically attempted if needed. The -F option can be used to bypass any
+ commit. You can also use an EOF character to exit compliance ros-
+ ter.
EXIT STATUS
@@ -357,18 +346,15 @@
2 Invalid usage.
-
EXAMPLES
Example 1 Creating a New Roster
- In the following example, compliance
- roster creates a new
- roster. The new roster, myroster, contains two nodes, 10.20.30.40 and
- mynode1, to be assessed against the Solaris Baseline and Solaris Recom-
- mended profiles, respectively.
-
+ In the following example, compliance roster creates a new roster. The
+ new roster, myroster, contains two nodes, 10.20.30.40 and mynode1, to
+ be assessed against the Solaris Baseline and Solaris Recommended pro-
+ files, respectively.
example# compliance roster -r myroster
@@ -384,17 +370,14 @@
roster:myroster> exit
-
Example 2 Deriving a New Roster from an Existing Roster
- In the following example, compliance
- roster creates a new
- roster. The new roster, myroster2, is derived from the existing roster
- myroster. The benchmark for mynode1 is set to pci-dss, and a node
- test_lab is added to run with the default assessment parameters.
-
+ In the following example, compliance roster creates a new roster. The
+ new roster, myroster2, is derived from the existing roster myroster.
+ The benchmark for mynode1 is set to pci-dss, and a node test_lab is
+ added to run with the default assessment parameters.
example# compliance roster -r myroster
@@ -425,17 +406,13 @@
roster:myroster> delete
-
Example 4 Creating a New Roster with Functional Grouping
- In the following example, compliance
- roster creates a new
- roster. The new roster, functional, contains two groups, database and
- webserver, to be assessed against the pci-dss and solaris profiles,
- respectively.
-
+ In the following example, compliance roster creates a new roster. The
+ new roster, functional, contains two groups, database and webserver, to
+ be assessed against the pci-dss and solaris profiles, respectively.
example# compliance roster -r functional
@@ -444,21 +421,21 @@
roster:functional> add group
roster:functional/group> group database
roster:functional/group:database> policy -b pci-dss
- roster:functional/group:database> add node=employees.hr.widget.com; end
- roster:functional/group:database> add node=records.sales.widget.com; end
+ roster:functional/group:database> add node=employees.hr.example.com; end
+ roster:functional/group:database> add node=records.sales.example.com; end
roster:functional/group:database> match database
roster:functional/group> end
roster:functional> add group
roster:functional/group> group webserver
- roster:functional/group:webserver> add node=info.hr.widget.com; end
- roster:functional/group:webserver> add node=manuals.mkt.widget.com; end
+ roster:functional/group:webserver> add node=info.hr.example.com; end
+ roster:functional/group:webserver> add node=manuals.mkt.example.com; end
roster:functional/group:webserver> match webserver
roster:functional/group:webserver> end
roster:functional> expand
- node=employees.hr.widget.com -b pci-dss -m database
- node=records.sales.widget.com -b pci-dss -m database
- node=info.hr.widget.com -b solaris -p Recommended -m webserver
- node=manuals.mkt.widget.com -b solaris -p Recommended -m webserver
+ node=employees.hr.example.com -b pci-dss -m database
+ node=records.sales.example.com -b pci-dss -m database
+ node=info.hr.example.com -b solaris -p Recommended -m webserver
+ node=manuals.mkt.example.com -b solaris -p Recommended -m webserver
roster:functional> exit
@@ -482,6 +458,9 @@
All character data used by compliance roster must be in US-ASCII encod-
ing.
+HISTORY
+ The compliance roster utility was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 27 Nov 2017 compliance-roster(8)
+Oracle Solaris 11.4 21 Jun 2021 compliance-roster(8)
diff -NurbBw 11.4.36/man8/compliance.8 11.4.39/man8/compliance.8
--- 11.4.36/man8/compliance.8 2021-11-16 13:14:18.662563690 +0000
+++ 11.4.39/man8/compliance.8 2021-11-16 13:14:53.981719538 +0000
@@ -703,8 +671,8 @@
repository:
- % compliance assess -p Recommended -b solaris -a CHECK -m demo,example=3
- -N ssh://[email protected]
+ % compliance assess -p Recommended -b solaris -a CHECK \
+ -m demo,example=3 -N ssh://[email protected]
Example 4 Listing Assessments and Keys
@@ -844,4 +806,4 @@
-Oracle Solaris 11.4 11 May 2021 compliance(8)
+Oracle Solaris 11.4 12 Jul 2021 compliance(8)
diff -NurbBw 11.4.36/man8/cryptoadm.8 11.4.39/man8/cryptoadm.8
--- 11.4.36/man8/cryptoadm.8 2021-11-16 13:14:18.739118439 +0000
+++ 11.4.39/man8/cryptoadm.8 2021-11-16 13:14:54.025414656 +0000
@@ -71,9 +71,9 @@
logd(8) and logadm(8)) to maintain the cryptographic subsystem. Logging
can be especially useful under the following circumstances:
- o If kernel-level daemon is dead, all applications fail. You
- can learn this from syslog and use svcadm(8) to restart the
- svc:/system/cryptosvc service.
+ o If the kernel-level daemon is dead, all applications fail.
+ You can learn this from syslog and use svcadm(8) to restart
+ the svc:/system/cryptosvc service.
o If there are bad providers plugged into the framework, you
@@ -211,8 +211,7 @@
Guide to Oracle Solaris 11.4 Security.
- cryptoadm install provider=provider-name
- mechanism=mechanism-list
+ cryptoadm install provider=provider-name mechanism=mechanism-list
Install a kernel software provider into the system. The provider
should contain the base name only. The mechanism-list operand spec-
@@ -290,11 +288,11 @@
provider (a cryptographic hardware device).
A valid value of the provider operand is one entry from the output
- of a command of the form: cryptoadm list. A provider operand for a
- user-level provider is an absolute pathname of the corresponding
- shared library. A provider operand for a kernel software provider
- contains a base name only. A provider operand for a kernel hardware
- provider is in a "name/number" form.
+ of the command: cryptoadm list. A provider operand for a user-level
+ provider is an absolute pathname of the corresponding shared
+ library. A provider operand for a kernel software provider contains
+ a base name only. A provider operand for a kernel hardware provider
+ is in a "name/number" form.
mechanism=mechanism-list
@@ -565,4 +553,4 @@
-Oracle Solaris 11.4 09 Jan 2018 cryptoadm(8)
+Oracle Solaris 11.4 21 Jun 2021 cryptoadm(8)
diff -NurbBw 11.4.36/man8/dminfo.8 11.4.39/man8/dminfo.8
--- 11.4.36/man8/dminfo.8 2021-11-16 13:14:18.767774425 +0000
+++ 11.4.39/man8/dminfo.8 2021-11-16 13:14:54.054535878 +0000
@@ -96,4 +96,4 @@
-Oracle Solaris 11.4 11 Aug 2014 dminfo(8)
+Oracle Solaris 11.4 21 Jun 2021 dminfo(8)
diff -NurbBw 11.4.36/man8/embedded_su.8 11.4.39/man8/embedded_su.8
--- 11.4.36/man8/embedded_su.8 2021-11-16 13:14:18.799022928 +0000
+++ 11.4.39/man8/embedded_su.8 2021-11-16 13:14:54.083653472 +0000
@@ -4,7 +4,7 @@
NAME
embedded_su - allow an application to prompt for credentials and exe-
- cute commands as the super user or another user
+ cute commands as another user or role
SYNOPSIS
/usr/lib/embedded_su [-] [username [arg...]]
@@ -94,7 +94,7 @@
Upon failure, embedded_su emits a single line containing the word
- "ERROR", followed by a text block as described under "Text Bocks". The
+ "ERROR", followed by a text block as described under "Text Blocks". The
text block gives an error message. The word ERROR may be followed by
whitespace and additional data. This data, if present, must be ignored.
@@ -266,4 +264,4 @@
-Oracle Solaris 11.4 10 May 2012 embedded_su(8)
+Oracle Solaris 11.4 21 Jun 2021 embedded_su(8)
diff -NurbBw 11.4.36/man8/fdisk.8 11.4.39/man8/fdisk.8
--- 11.4.36/man8/fdisk.8 2021-11-16 13:14:18.839470667 +0000
+++ 11.4.39/man8/fdisk.8 2021-11-16 13:14:54.117460385 +0000
@@ -476,8 +476,7 @@
+-----------------------------+-----------------------------+
SEE ALSO
- uname(1), attributes(7), fmthard(8), format(8), newfs(8), parted(8),
- prtvtoc(8)
+ uname(1), attributes(7), fmthard(8), format(8), newfs(8), prtvtoc(8)
DIAGNOSTICS
Most messages will be self-explanatory. The following may appear imme-
@@ -511,4 +510,4 @@
-Oracle Solaris 11.4 21 Apr 2011 fdisk(8)
+Oracle Solaris 11.4 12 Jul 2021 fdisk(8)
diff -NurbBw 11.4.36/man8/gsscred.8 11.4.39/man8/gsscred.8
--- 11.4.36/man8/gsscred.8 2021-11-16 13:14:18.871326181 +0000
+++ 11.4.39/man8/gsscred.8 2021-11-16 13:14:54.156554645 +0000
@@ -87,9 +87,7 @@
passwd table to populate the table.
- example%
- gsscred -m kerberos_v5 -a
-
+ example% gsscred -m kerberos_v5 -a
Example 2 Adding an Entry for root/host1 for the Kerberos v5 Security
@@ -162,4 +157,4 @@
-Oracle Solaris 11.4 20 Oct 2016 gsscred(8)
+Oracle Solaris 11.4 21 Jun 2021 gsscred(8)
diff -NurbBw 11.4.36/man8/gssd.8 11.4.39/man8/gssd.8
--- 11.4.36/man8/gssd.8 2021-11-16 13:14:18.899381192 +0000
+++ 11.4.39/man8/gssd.8 2021-11-16 13:14:54.184323983 +0000
@@ -9,7 +9,7 @@
/usr/lib/gss/gssd
DESCRIPTION
- gssd is the user mode daemon that operates between the kernel rpc and
+ gssd is the user mode daemon that operates between the kernel RPC and
the Generic Security Service Application Program Interface (GSS-API) to
generate and validate GSS-API security tokens. In addition, gssd maps
the GSS-API principal names to the local user and group ids. By
@@ -20,9 +20,10 @@
The SMF service svc:/network/rcp/gss:default is enabled by default.
SMF PROPERTIES
- config/ccache_patterns List of additional credential cache patterns
- to search. See the paraameter expansion sec-
- tion of krb5.conf(5).
+ config/ccache_patterns
+
+ List of additional credential cache patterns to search. See the
+ PARAMETER EXPANSION section of krb5.conf(5).
EXIT STATUS
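Review bot: the unchanged context line "The SMF service svc:/network/rcp/gss:default is enabled by default." spells the service path with "rcp", which looks like a transposition of "rpc" (the same page's DESCRIPTION now reads "kernel RPC"). Since this hunk already touches the paragraph below it, fix the FMRI to svc:/network/rpc/gss:default in the same change; an administrator copying the FMRI from the man page into svcadm(8) would otherwise get a non-existent service.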
@@ -54,11 +55,8 @@
RFC 2078
NOTES
- The following signal has the specified effect when sent to the server
- process using the kill(1) command:
-
- SIGHUP gssd rereads the gsscred.conf(5) options.
-
+ When it receives a SIGHUP signal, gssd rereads the gsscred.conf(5)
+ options.
When one of the mechanisms being used is Kerberos, then the gssd
@@ -76,4 +74,4 @@
-Oracle Solaris 11.4 21 Jan 2021 gssd(8)
+Oracle Solaris 11.4 21 Jun 2021 gssd(8)
diff -NurbBw 11.4.36/man8/id.8 11.4.39/man8/id.8
--- 11.4.36/man8/id.8 2021-11-16 13:14:18.930217583 +0000
+++ 11.4.39/man8/id.8 2021-11-16 13:14:54.220081127 +0000
@@ -92,7 +92,7 @@
If the process has supplementary group affiliations or the selected
user is allowed to belong to multiple groups, the first is added
- directly before the NEWLINE character in the format string:
+ directly before the newline character in the format string:
" groups=%u(%s)"
@@ -157,7 +157,7 @@
-G Outputs all different group IDs (effective, real and supplemen-
tary) only, using the format "%u\n". If there is more than one
distinct group affiliation, output each such affiliation, using
- the format " %u", before the NEWLINE character is output.
+ the format " %u", before the newline character is output.
-g Outputs only the effective group ID, using the format "%u\n".
@@ -197,13 +197,13 @@
See attributes(7) for descriptions of the following attributes:
/usr/bin/id
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
- +-----------------------------+-----------------------------------------+
- |Availability |system/core-os, system/library/processor |
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
+ |Availability |system/core-os |
+ +-----------------------------+-----------------------------+
|Interface Stability |Committed |
- +-----------------------------+-----------------------------------------+
+ +-----------------------------+-----------------------------+
/usr/xpg4/bin/id
+-----------------------------+-----------------------------+
@@ -223,6 +223,25 @@
tially produce very long lines on systems that support large numbers of
supplementary groups.
+HISTORY
+ The -a flag was added to /usr/xpg4/bin/id and the -G, -g, -n, -r, and
+ -u options were added to /usr/bin/id in Oracle Solaris 11.0.0, using
+ work contributed to OpenSolaris.
+
+
+ The -p flag was added to /usr/bin/id and /usr/xpg4/bin/id in Solaris 9.
+
+
+ The /usr/xpg4/bin/id command, with the -G, -g, -n, -r, and -u options,
+ was added in Solaris 2.5.
+
+
+ The -a flag was added to /usr/bin/id in Solaris 2.0.
+
+
+ The /usr/bin/id command has been included in all Sun and Oracle
+ releases of Solaris.
+
-Oracle Solaris 11.4 28 Nov 2006 id(8)
+Oracle Solaris 11.4 21 Jun 2021 id(8)
diff -NurbBw 11.4.36/man8/ikeadm.8 11.4.39/man8/ikeadm.8
--- 11.4.36/man8/ikeadm.8 2021-11-16 13:14:18.978443472 +0000
+++ 11.4.39/man8/ikeadm.8 2021-11-16 13:14:54.256135076 +0000
@@ -24,11 +24,12 @@
ikeadm [-np] [-v {1|2}] token [login | logout] PKCS#11_Token_Object
- ikeadm [-np] [-v {1|2}] [read | write] [rule | preshared | certcache] file
+ ikeadm [-np] [-v {1|2}] [read | write] [rule | preshared | certcache]
+ file
- ikeadm [-np] [-v {1|2}] dump [p1 | ikesa | rule | preshared | certcache | groups
- | encralgs | authalgs]
+ ikeadm [-np] [-v {1|2}] dump [p1 | ikesa | rule | preshared | certcache
+ | groups | encralgs | authalgs]
ikeadm [-v {1|2}] [-np] flush [p1 | ikesa | certcache]
@@ -740,9 +738,9 @@
1996.
NOTES
- As in.iked and in.ikev2d can run only in the global zone and exclusive-
- IP zones, this command is not useful in shared-IP zones.
+ As in.iked and in.ikev2d can run only in the global zone, kernel zones,
+ and exclusive-IP zones, this command is not useful in shared-IP zones.
-Oracle Solaris 11.4 27 Nov 2017 ikeadm(8)
+Oracle Solaris 11.4 21 Jun 2021 ikeadm(8)
diff -NurbBw 11.4.36/man8/ikecert.8 11.4.39/man8/ikecert.8
--- 11.4.36/man8/ikecert.8 2021-11-16 13:14:19.024264834 +0000
+++ 11.4.39/man8/ikecert.8 2021-11-16 13:14:54.294007152 +0000
@@ -13,8 +13,8 @@
[option_specific_arguments]...
- ikecert certdb [-a | -e | -h |
- -l [-v [-H [sha1|sha224|sha256|sha384|sha512]]] | -r | -U | -C | -L]
+ ikecert certdb [-a | -e | -h | -r | -U | -C | -L |
+ -l [-v [-H [sha1|sha224|sha256|sha384|sha512]]]]
[[-p] -T PKCS#11 token identifier]
[option_specific_arguments]...
@@ -167,7 +167,7 @@
If -T is specified, the hardware token will generate the pair
of keys.
- If -p is specified with -T, the PKCS#11 token pin is stored in
+ If -p is specified with -T, the PKCS#11 token PIN is stored in
the clear on-disk, with root-protected file permissions. If not
specified, one must unlock the token with ikeadm(8) once
in.iked(8) is running.
@@ -236,10 +236,9 @@
When specified with the certrldb subcommand, this option lists
the CRLs in the IKE database along with any certificates that
reside in the database and match the Issuer Name. certspec can
- be used to specify to list a specific CRL. The -v option
- switches the output to a verbose mode where the entire certifi-
- cate is printed. See NOTES, below, for details oncertspec pat-
- terns.
+ be used to specify a specific CRL. The -v option switches the
+ output to a verbose mode where the entire certificate is
+ printed. See NOTES, below, for details on certspec patterns.
@@ -335,7 +334,7 @@
specified by its PKCS#11 token. The original public certificate
is still retained and must be deleted separately, if desired.
- If -p is specified, the PKCS#11 token pin is stored in the
+ If -p is specified, the PKCS#11 token PIN is stored in the
clear on-disk, with root-protected file permissions. If not
specified, one must unlock the token with ikeadm(8) once
in.iked(8) is running.
@@ -364,7 +363,7 @@
been originally created on-token with the Solaris IKE utili-
ties.
- If -p is specified, the PKCS#11 token pin is stored in the
+ If -p is specified, the PKCS#11 token PIN is stored in the
clear on-disk, with root-protected file permissions. If not
specified, one must unlock the token with ikeadm(8) once
in.iked(8) is running.
@@ -416,7 +413,7 @@
Subject Alternative Names the certificate. The argument that fol-
lows the -A option should be in the form of tag=value. Valid tags
- are IP, DNS, EMAIL, URI, DN, and RID (See example below).
+ are IP, DNS, EMAIL, URI, DN, and RID (see example below).
-D
@@ -639,9 +632,10 @@
Source Code in C. Second Edition. John Wiley & Sons. New York, NY.
1996.
+ OASIS PKCS#11 specification
+
+ https://www.oasis-open.org/committees/pkcs11/
- RSA Labs, PKCS#11 v2.11: Cryptographic Token Interface Standards, No-
- vember 2001.
NOTES
The following is the validity date and time syntax when the -F or -S
@@ -728,9 +722,9 @@
- As in.iked(8) can run only in the global zone, kernel zones and exclu-
+ As in.iked(8) can run only in the global zone, kernel zones, and exclu-
sive-IP zones, this command is not useful in shared-IP zones.
-Oracle Solaris 11.4 27 Nov 2017 ikecert(8)
+Oracle Solaris 11.4 21 Jun 2021 ikecert(8)
diff -NurbBw 11.4.36/man8/ikev2cert.8 11.4.39/man8/ikev2cert.8
--- 11.4.36/man8/ikev2cert.8 2021-11-16 13:14:19.054498066 +0000
+++ 11.4.39/man8/ikev2cert.8 2021-11-16 13:14:54.324266668 +0000
@@ -65,11 +64,10 @@
The following command generates a ECSDA certificate signing request.
-
# ikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \
label='source code server' \
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \
- altname='[email protected]' outcsr=/my/directory/tank.csr
+ altname='[email protected]' outcsr=/my/directory/tank.csr
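Review bot: the context line "The following command generates a ECSDA certificate signing request." carries a typo, "ECSDA" for "ECDSA" (the command below it uses keytype=ec), and the article should be "an". Fold the fix into this hunk, which already touches the example.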
@@ -111,12 +109,10 @@
# ikev2cert gencert keytype=rsa hash=sha256 keylen=4096 \
label='backup server' keystore=pkcs11 serial=0xade6781b \
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \
- altname='[email protected]'
-
+ altname='[email protected]'
- Example 5 Deleting a Certificate as a User who has Been Assigned the
- Network IPsec Management Rights Profile
+ Example 5 Deleting a Certificate Using Rights Profile
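Review bot: the new example title "Deleting a Certificate Using Rights Profile" drops the article ("Using a Rights Profile") and no longer names which profile the example relies on; the old title identified it as the Network IPsec Management profile. If the title is being shortened for width, consider "Deleting a Certificate with the Network IPsec Management Profile" so the reader still learns which rights profile is required.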
@@ -173,4 +167,4 @@
-Oracle Solaris 11.4 27 Nov 2017 ikev2cert(8)
+Oracle Solaris 11.4 21 Jun 2021 ikev2cert(8)
diff -NurbBw 11.4.36/man8/in.ikev2d.8 11.4.39/man8/in.ikev2d.8
--- 11.4.36/man8/in.ikev2d.8 2021-11-16 13:14:19.127390906 +0000
+++ 11.4.39/man8/in.ikev2d.8 2021-11-16 13:14:54.358400566 +0000
@@ -360,20 +360,20 @@
This value defaults to Metaslot, which means that keys and certifi-
cates will be stored in the softtoken keystore for the user
- ikeuser, protected by a pin. Change this value to specify a PKCS#11
+ ikeuser, protected by a PIN. Change this value to specify a PKCS#11
hardware token. See pkcs11_softtoken(7) for details on the softto-
ken keystore.
pkcs11_token/pin
- The pin for the PKCS#11 softtoken keystore.
+ The PIN for the PKCS#11 softtoken keystore.
- This pin must be set for unattended startup of in.ikev2d. Without
- this pin, in.ikev2d will not be able to access any private keys in
- its keystore. By default, the pin is unconfigured and the keystore
+ This PIN must be set for unattended startup of in.ikev2d. Without
+ this PIN, in.ikev2d will not be able to access any private keys in
+ its keystore. By default, the PIN is unconfigured and the keystore
uninitialized. The administrator must run ikev2cert(8) to set the
- pin and initialize the keystore. For automated startup, the pin
+ PIN and initialize the keystore. For automated startup, the PIN
value must be stored in a special smf(7) property.
For softtoken (the default):
@@ -394,7 +394,7 @@
# pktool setpin token=token_name
- Then store the value of the pin in a special smf(7) property that
+ Then store the value of the PIN in a special smf(7) property that
requires special authorizations to read from or write to. See
smf_security(7).
@@ -407,7 +407,7 @@
setprop pkcs11_token/pin = pin_value
refresh
- If security policy dictates that the pin cannot be stored in SMF,
+ If security policy dictates that the PIN cannot be stored in SMF,
this property may be left blank and the administrator may run the
following command to interactively unlock the softtoken in the run-
ning daemon:
@@ -423,19 +423,19 @@
1. Initialize the token if you have not already done so.
- The default pin for the uninitialized token is changeme.
- Set this pin to a strong passphrase when prompted.
+ The default PIN for the uninitialized token is changeme.
+ Set this PIN to a strong passphrase when prompted.
# ikev2cert setpin
- 2. Set the pin property using svccfg(8).
+ 2. Set the PIN property using svccfg(8).
# svccfg -s ike:ikev2 editprop
- Pass the pin to the running daemon to unlock the token.
+ Pass the PIN to the running daemon to unlock the token.
# ikeadm -v2 token login "Sun Metaslot"
@@ -455,7 +455,7 @@
IPsec Management rights profile allows users to log into and out of
PKCS#11 token objects. See the prof_attr(5) man page.
- See auths(1), ikeadm(8), user_attr(5), rbac(7), ikev2cert(8).
+ See auths(1), ikeadm(8), user_attr(5), rbac(7), and ikev2cert(8).
@@ -543,34 +543,48 @@
auths(1), kmfcfg(1), pktool(1), svcprop(1), svcs(1), ipsecesp(4P),
ike.config(5), ikev2.config(5), ikev2.preshared(5), prof_attr(5),
user_attr(5), attributes(7), pkcs11_softtoken(7), rbac(7), smf(7),
- smf_security(7), coreadm(8), ikeadm(8), ikev2cert(8), in.iked(8), ipse-
- calgs(8), ipsecconf(8), ipseckey(8), pfedit(8), svcadm(8), svccfg(8)
-
+ smf_security(7), coreadm(8), ikeadm(8), ikev2cert(8), in.iked(8),
+ ipsecalgs(8), ipsecconf(8), ipseckey(8), pfedit(8), svcadm(8),
+ svccfg(8)
Harkins, Dan and Carrel, Dave. RFC 2409, Internet Key Exchange (IKE).
- Network Working Group. November 1998.
+ Network Working Group, November 1998.
+
+ https://tools.ietf.org/html/rfc2409
Maughan, Douglas, Schertler, M., Schneider, M., Turner, J. RFC 2408,
Internet Security Association and Key Management Protocol (ISAKMP).
Network Working Group. November 1998.
+ https://tools.ietf.org/html/rfc2408
- Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpre-
+
+ Piper, Derrell. RFC 2407, The Internet IP Security Domain of Interpre-
tation for ISAKMP. Network Working Group. November 1998.
+ https://tools.ietf.org/html/rfc2407
+
Fu, D.; Solinos, J., RFC 4753, ECP Groups for IKE and IKEv2. Network
Working Group. January 2007.
+ https://tools.ietf.org/html/rfc4753
+
Lepinski, M.; Kent, S., RFC 5114, Additional Diffie-Hellman Groups for
Use with IETF Standards. Network Working Group. January 2008.
+ https://tools.ietf.org/html/rfc5114
+
+
+ Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen. RFC 5996, Internet
+ Key Exchange Protocol Version 2 (IKEv2). Network Working Group. Septem-
+ ber 2010.
+
+ https://tools.ietf.org/html/rfc5996
- Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, RFC 5996, Internet
- Key Exchange Protocol Version 2 (IKEv2). September 2010.
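Review bot: punctuation is inconsistent across the references after this change: the RFC 2409 entry now ends "Network Working Group, November 1998." (comma) while RFC 2408, 2407, 4753, 5114 and 5996 keep "Network Working Group. November 1998." style (period). Also, the RFC 5114 and RFC 5996 entries are separated by two blank lines where every other pair uses one. Pick one separator and one spacing for the whole SEE ALSO block.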
-Oracle Solaris 11.4 27 Nov 2017 in.ikev2d(8)
+Oracle Solaris 11.4 21 Jun 2021 in.ikev2d(8)
diff -NurbBw 11.4.36/man8/ipsecalgs.8 11.4.39/man8/ipsecalgs.8
--- 11.4.36/man8/ipsecalgs.8 2021-11-16 13:14:19.163849956 +0000
+++ 11.4.39/man8/ipsecalgs.8 2021-11-16 13:14:54.391281296 +0000
@@ -25,10 +25,10 @@
[-e exec-mode] [-f] [-s]
- ipsecalgs -r -p protocol-name [] -n alg-name [-s]
+ ipsecalgs -r -p protocol-name -n alg-name [-s]
- ipsecalgs -r -p protocol-name [] -N alg-number [-s]
+ ipsecalgs -r -p protocol-name -N alg-number [-s]
ipsecalgs -R -P protocol-number [-s]
@@ -119,13 +119,13 @@
options.
- -b
+ -b blocklen-list
Specifies the block or MAC lengths of an algorithm, in bytes. Set
more than one block length by separating the values with commas.
- -e
+ -e exec-mode
Designates the execution mode of cryptographic requests for the
specified protocol in the absence of cryptographic hardware
@@ -157,14 +157,14 @@
protocol if an entry with the same name or number already exists.
- -i
+ -i inc
Specifies the valid key length increments in bits. This option must
be used when the valid key lengths for an algorithm are specified
by a range with the -k option.
- -K
+ -K default-keylen
Specifies the default key lengths for an algorithm, in bits. If the
-K option is not specified, the minimum key length will be deter-
@@ -180,7 +180,7 @@
- -k
+ -k keylen-list
Specifies the supported key lengths for an algorithm, in bits. You
can designate the supported key lengths by enumeration or by range.
@@ -209,20 +209,20 @@
Displays the kernel algorithm tables.
- -m
+ -m mech-name
Specifies the name of the cryptographic framework mechanism corre-
sponding to the algorithm. Cryptographic framework mechanisms are
described in the cryptoadm(8) man page.
- -N
+ -N alg-number
Specifies an algorithm number. The algorithm number for a protocol
must be unique. IANA manages the algorithm numbers. See RFC 2407.
- -n
+ -n alg-names
Specifies one or more names for an algorithm. When adding an algo-
rithm with the -a option, alg-names contains a string or a comma-
@@ -235,7 +235,7 @@
tains one of the valid algorithm names.
- -P
+ -P protocol-number
Adds a protocol of the number specified by protocol-number with the
name specified by the -p option. This option is also used to spec-
@@ -243,7 +243,7 @@
Protocol numbers are managed by the IANA. See RFC 2407.
- -p
+ -p protocol-name
Specifies the name of the IPsec protocol.
@@ -277,24 +277,24 @@
rithms that provide encryption and authentication in a single opera-
tion.
- -I
+ -I initialization-vector_length
The length of the Initialization Vector (IV) in bytes. The default
IV length is the same as the block length.
- -M
+ -M MAC-length
The length of the MAC or ICV in bytes for combined mode algorithms.
- -S
+ -S length-of-salt
The number of bytes of salt needed by the algorithm. The salt needs
to be provided by the key management mechanism.
- -F
+ -F flags
Algorithm flags. These influence the way in which the kernel han-
dles security tasks, especially authentication, in the kernel. They
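Review bot: the argument names added to the option headings use mixed conventions: "-I initialization-vector_length" combines a hyphen and an underscore, while the neighbouring options use plain hyphenated names ("-M MAC-length", "-S length-of-salt", "-b blocklen-list"). Suggest "-I iv-length" (the description already expands "Initialization Vector (IV)") so the names match each other and the SYNOPSIS.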
@@ -411,14 +407,16 @@
+-----------------------------+-----------------------------+
SEE ALSO
- getipsecalgbyname(3C), getipsecprotobyname(3C), ipsecah(4P), ipse-
- cesp(4P), ike.config(5), attributes(7), smf(7), cryptoadm(8), ipsec-
- conf(8), ipseckey(8), svcadm(8)
+ getipsecalgbyname(3C), getipsecprotobyname(3C), ipsecah(4P),
+ ipsecesp(4P), ike.config(5), attributes(7), smf(7), cryptoadm(8),
+ ipsecconf(8), ipseckey(8), svcadm(8)
-
- Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpre-
+ Piper, Derrell. RFC 2407, The Internet IP Security Domain of Interpre-
tation for ISAKMP. Network Working Group. November 1998.
+ https://tools.ietf.org/html/rfc2407
+
+
NOTES
When protocols or algorithm definitions that are removed or altered,
services that rely upon these definitions can become unavailable. For
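Review bot: the context line "When protocols or algorithm definitions that are removed or altered," is ungrammatical (stray "that"); it should read "When protocols or algorithm definitions are removed or altered,". Worth fixing while this hunk is rewrapping the lines just above it. Separately, the hunk adds two blank "+" lines before NOTES where the rest of the page uses a single blank line between sections.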
@@ -502,4 +500,4 @@
-Oracle Solaris 11.4 14 Oct 2016 ipsecalgs(8)
+Oracle Solaris 11.4 21 Jun 2021 ipsecalgs(8)
diff -NurbBw 11.4.36/man8/ipsecconf.8 11.4.39/man8/ipsecconf.8
--- 11.4.36/man8/ipsecconf.8 2021-11-16 13:14:19.219330183 +0000
+++ 11.4.39/man8/ipsecconf.8 2021-11-16 13:14:54.447814141 +0000
@@ -45,9 +45,9 @@
the traffic will automatically drop. The difference in behavior is
because of the assumptions about IPsec tunnels made in many implementa-
tions. Datagrams that are being forwarded will not be subjected to pol-
- icy checks that are added using this command. See ifconfig(8) and
- dladm(8) for information on how to protect forwarded packets. Depending
- upon the match of the policy entry, a specific action will be taken.
+ icy checks that are added using this command. See dladm(8) for informa-
+ tion on how to protect forwarded packets. Depending upon the match of
+ the policy entry, a specific action will be taken.
This command can be run only by superuser.
@@ -424,9 +416,9 @@
value can be a hostname as described in getaddrinfo(3SOCKET) or a
network name as described in getnetbyname(3C) or a host address or
network address in the Internet standard dot notation. See
- inet_addr(3C). If a hostname is given and getaddrinfo(3SOCKET)
- returns multiple addresses for the host, then policy will be added
- for each of the addresses with other entries remaining the same.
+ inet_addr(3C). If a hostname is given and getaddrinfo(3C) returns
+ multiple addresses for the host, then policy will be added for each
+ of the addresses with other entries remaining the same.
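Review bot: the section reference is now inconsistent within the same paragraph: the unchanged context line still says "a hostname as described in getaddrinfo(3SOCKET)" while the changed sentence two lines later says "getaddrinfo(3C)". Whichever section the function is actually documented in, both mentions should use it; update the context line in this hunk.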
@@ -507,21 +499,21 @@
The value that follows is the local port of the datagram. This can
be either a port number or a string searched with a NULL proto
- argument, as described in getservbyname(3XNET)
+ argument, as described in getservbyname(3C).
rport
The value that follows is the remote port of the datagram. This can
be either a port number or a string searched with a NULL proto
- argument, as described in getservbyname(3XNET)
+ argument, as described in getservbyname(3C).
sport
The value that follows is the source port of the datagram. This can
be either a port number or a string searched with a NULL proto
- argument, as described in getservbyname(3C)
+ argument, as described in getservbyname(3C).
dport
@@ -624,9 +614,8 @@
Can be one of the following:
-
string value: Algorithm Used: See RFC:
- --------------------------------------------------------------------
+ ------------------------------------------------------
sha256 or hmac-sha256 HMAC-SHA256 4868
sha384 or hmac-sha384 HMAC-SHA384 4868
sha512 or hmac-sha512 HMAC-SHA512 4868
@@ -652,9 +639,8 @@
algorithms as soon as feasible.
-
string value: Algorithm Used: See RFC:
- --------------------------------------------------------------------
+ ------------------------------------------------------------
sha1 or hmac-sha1 or sha HMAC-SHA1 2404
You can use the ipsecalgs(8) command to obtain the complete
@@ -698,9 +684,8 @@
192, or 256 bits.
-
string value: Algorithm Used: See RFC:
- --------------------------------------------------------------------
+ ----------------------------------------------------------
aes or aes-cbc AES-CBC 2451
camellia or camellia-cbc Camellia-CBC 4312
@@ -714,7 +699,7 @@
string value: Algorithm Used: ICV Length See RFC:
- -----------------------------------------------------------------------
+ ---------------------------------------------------------------
aes-ccm or aes-ccm16 AES-CCM 16 bytes 4309
aes-ccm8 AES-CCM 8 bytes 4309
aes-ccm12 AES-CCM 12 bytes 4309
@@ -769,7 +754,7 @@
string value: Algorithm Used: See RFC:
- --------------------------------------------------------------------
+ ------------------------------------------------------
sha256 or hmac-sha256 HMAC-SHA256 4868
sha384 or hmac-sha384 HMAC-SHA384 4868
sha512 or hmac-sha512 HMAC-SHA512 4868
@@ -777,7 +762,7 @@
For backward compatibility reasons, the following deprecated
- authentication algorithms are also allowed. Hhowever, adminis-
+ authentication algorithms are also allowed. However, adminis-
trators are encouraged to migrate away from these obsolete
algorithms as soon as feasible.
@@ -782,9 +767,8 @@
algorithms as soon as feasible.
-
string value: Algorithm Used: See RFC:
- --------------------------------------------------------------------
+ -----------------------------------------------------------
sha1 or hmac-sha1 or sha HMAC-SHA1 2404
You can use the ipsecalgs(8) command to obtain the complete
@@ -1577,50 +1528,72 @@
fig(8), in.iked(8), init(8), ipsecalgs(8), ipseckey(8), netcfg(8),
svcadm(8), svccfg(8)
-
Glenn, R. and Kent, S. RFC 2410, The NULL Encryption Algorithm and Its
Use With IPsec. The Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2410
+
Kent, S. and Atkinson, R. RFC 2402, IP Authentication Header. The
Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2402
+
Kent, S. and Atkinson, R. RFC 2406, IP Encapsulating Security Payload
(ESP). The Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2406
+
Madsen, C. and Glenn, R. RFC 2404, The Use of HMAC-SHA-1-96 within ESP
and AH. The Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2404
+
Madsen, C. and Doraswamy, N. RFC 2405, The ESP DES-CBC Cipher Algorithm
With Explicit IV. The Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2405
+
Pereira, R. and Adams, R. RFC 2451, The ESP CBC-Mode Cipher Algorithms.
The Internet Society. 1998.
+ https://tools.ietf.org/html/rfc2451
- Frankel, S. and Kelly, R. Glenn, The AES Cipher Algorithm and Its Use
- With IPsec. 2001.
+
+ Frankel, S. and Kelly, R. Glenn, RFC 3602, The AES Cipher Algorithm and
+ Its Use With IPsec. The Internet Society. 2003.
+
+ https://tools.ietf.org/html/rfc3602
Kelly, S. and Frankel, S. RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec, The Internet Society. 2007.
+ and HMAC-SHA-512 with IPsec. The Internet Society. 2007.
+
+ https://tools.ietf.org/html/rfc4868
Kato, A., Moriai, S., and Kanda, M. RFC 4312, The Camellia Cipher Algo-
- rithm and Its Use With IPsec, The Internet Society. 2005.
+ rithm and Its Use With IPsec. The Internet Society. 2005.
+
+ https://tools.ietf.org/html/rfc4312
McGrew, D., and Viega, J. RFC 4543, The Use of Galois Message Authenti-
cation Code (GMAC) in IPsec ESP and AH. The Internet Society. 2006.
+ https://tools.ietf.org/html/rfc4543
+
Frankel, S. and Herbert, H. RFC 3566, The AES-XCBC-MAC-96 Algorithm and
Its Use With IPsec. The Internet Society. 2003.
+ https://tools.ietf.org/html/rfc3566
+
+
DIAGNOSTICS
Bad "string" on line N.
Duplicate "string" on line N.
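Review bot: the rewritten RFC 3602 entry keeps the author list "Frankel, S. and Kelly, R. Glenn", which reads as garbled (a given name between two surnames with "and" before the second author); verify the author order and initials against the RFC header before landing. Also, URL placement is inconsistent: for RFC 3602, 4868 and 4312 the URL follows a blank line, whereas for RFC 2410, 2402, 2406, 2404, 2405, 2451, 4543 and 3566 it immediately follows the citation. Use one layout for all entries.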
@@ -1753,4 +1726,4 @@
-Oracle Solaris 11.4 11 May 2021 ipsecconf(8)
+Oracle Solaris 11.4 21 Jun 2021 ipsecconf(8)
diff -NurbBw 11.4.36/man8/ipseckey.8 11.4.39/man8/ipseckey.8
--- 11.4.36/man8/ipseckey.8 2021-11-16 13:14:19.266803053 +0000
+++ 11.4.39/man8/ipseckey.8 2021-11-16 13:14:54.490877775 +0000
@@ -22,10 +22,10 @@
ipseckey [-np] [monitor | passive_monitor | pmonitor]
- ipseckey [-nvp] flush {SA_TYPE}
+ ipseckey [-nvp] flush [SA_TYPE]
- ipseckey [-nvp] dump {SA_TYPE}
+ ipseckey [-nvp] dump [SA_TYPE]
ipseckey [-nvp] save SA_TYPE (unknown)
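Review bot: the flush and dump lines correctly switch to "[SA_TYPE]" to show the operand is optional, but the adjacent SYNOPSIS line "ipseckey [-nvp] save SA_TYPE (unknown)" is left with a trailing "(unknown)" that does not match any operand described for the save command and looks like a leftover placeholder. Check what the second operand of save is meant to be (the -s option text below describes a filename, with "-" for standard output) and correct this line in the same hunk.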
@@ -62,7 +62,7 @@
securely.
OPTIONS
- -c [filename]
+ -c filename
Analogous to the -f option (see following), except that the input
is not executed but only checked for syntactical correctness.
@@ -71,7 +71,7 @@
Management Facility" for more information.
- -f [filename]
+ -f filename
Read commands from an input file, filename. The lines of the input
file are identical to the command line language. The load command
@@ -93,7 +93,7 @@
is turned on.
- -s [filename]
+ -s filename
The opposite of the -f option. If '-' is given for a filename, then
the output goes to the standard output. A snapshot of all current
@@ -226,18 +226,18 @@
here, followed by the commands that use them, and the commands that
require them. Requirements are currently documented based upon the
IPsec definitions of an SA. Required extensions may change in the
- future. <number> can be in either hex (0xnnn), decimal (nnn) or octal
- (0nnn).<string> is a text string. <hexstr> is a long hexadecimal number
+ future. number can be in either hex (0xnnn), decimal (nnn) or octal
+ (0nnn). string is a text string. hexstr is a long hexadecimal number
with a bit-length. Extensions are usually paired with values; however,
some extensions require two values after them.
- spi <number>
+ spi number
Specifies the security parameters index of the SA. This extension
is required for the add, delete, get and update commands.
- pair-spi <number>
+ pair-spi number
When pair-spi is used with the add or update commands, the SA being
added or updated will be paired with the SA defined by pair-spi. A
@@ -262,12 +262,12 @@
which hash table to insert the new SA based on its knowledge the IP
addresses specified with the src and dst extensions.
- When these flags are used with the update, delete, update-pair or
+ When these flags are used with the update, delete, update-pair, or
get commands, the flags provide a hint as to the hash table in
which the kernel should find the SA.
- replay <number>
+ replay number
Specifies the replay window size. If not specified, the replay win-
dow size is assumed to be zero. It is not recommended that manually
@@ -275,22 +275,22 @@
and update commands.
- replay_value <number>
+ replay_value number
Specifies the replay value of the SA. This extension is used by the
add and update commands.
- state <string>|<number>
+ state string|number
Specifies the SA state, either by numeric value or by the strings
- "larval", "mature", "dying" or "dead". If not specified, the value
+ "larval", "mature", "dying", or "dead". If not specified, the value
defaults to mature. This extension is used by the add and update
commands.
- auth_alg <string>|<number>
- authalg <string>|<number>
+ auth_alg string|number
+ authalg string|number
Specifies the authentication algorithm for an SA, either by numeric
value, or by strings indicating an algorithm name. Current authen-
@@ -325,8 +325,8 @@
- encr_alg <string>|<number>
- encralg <string>|<number>
+ encr_alg string|number
+ encralg string|number
Specifies the encryption algorithm for an SA, either by numeric
value, or by strings indicating an algorithm name. Current encryp-
@@ -347,8 +347,8 @@
will be downgraded to dying from mature. See pf_key(4P). The monitor
command to key allows you to view SADB_EXPIRE messages.
- idle_addtime <number>
- idle_usetime <number>
+ idle_addtime number
+ idle_usetime number
Specifies the number of seconds that this SA can exist if the SA is
not used before the SA is revalidated. If this extension is not
@@ -357,8 +357,8 @@
- soft_bytes <number>
- hard_bytes <number>
+ soft_bytes number
+ hard_bytes number
Specifies the number of bytes that this SA can protect. If this
extension is not present, the default value is zero, which means
@@ -367,8 +367,8 @@
- soft_addtime <number>
- hard_addtime <number>
+ soft_addtime number
+ hard_addtime number
Specifies the number of seconds that this SA can exist after being
added or updated from a larval SA. An update of a mature SA does
@@ -379,8 +379,8 @@
- soft_usetime <number>
- hard_usetime <number>
+ soft_usetime number
+ hard_usetime number
Specifies the number of seconds this SA can exist after first being
used. If this extension is not present, the default value is zero,
@@ -402,7 +402,8 @@
either remain unset, or it will be set to a wildcard address if a
destination address was supplied. To not specify the source address
is valid for IPsec SAs. Future SA types may alter this assumption.
- This extension is used by the add, update, get and delete commands.
+ This extension is used by the add, update, get, and delete com-
+ mands.
@@ -410,18 +411,18 @@
- daddr <address>|<name>
- dstaddr <address>|<name>
- daddr6 <IPv6 address>|<name>
- dstaddr6 <IPv6 address>|<name>
- dst <addr>|<name>
- dst6 <IPv6 address>|<name>
+ daddr address|name
+ dstaddr address|name
+ daddr6 IPv6 address|name
+ dstaddr6 IPv6 address|name
+ dst addr|name
+ dst6 IPv6 address|name
- dstaddr <addr> and dst <addr> are synonyms that indicate the desti-
- nation address of the SA. If unspecified, the destination address
+ dstaddr addr and dst addr are synonyms that indicate the destina-
+ tion address of the SA. If unspecified, the destination address
will remain unset. Because IPsec SAs require a specified destina-
tion address and spi for identification, this extension, with a
- specific value, is required for the add, update, get and delete
+ specific value, is required for the add, update, get, and delete
commands.
If a name is given, ipseckey will attempt to invoke the command on
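Review bot: inconsistent placeholder handling in the dstaddr paragraph of this hunk. The replacement line `dstaddr addr and dst addr are synonyms that indicate the destina-` keeps the metavariable `addr` after the angle brackets are stripped, so it now reads like a literal keyword, whereas the isrc and idst paragraphs later in this same change drop the placeholders altogether (`isrc and innersrc are synonyms`). Suggest the same treatment here: `dstaddr and dst are synonyms that indicate the destination address of the SA.`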
@@ -437,36 +438,36 @@
- sport <portnum>
+ sport portnum
sport specifies the source port number for an SA. It should be used
in combination with an upper-layer protocol (see below), but it
does not have to be.
- dport <portnum>
+ dport portnum
- sport specifies the destination port number for an SA. It should be
+ dport specifies the destination port number for an SA. It should be
used in combination with an upper-layer protocol (see below), but
it does not have to be.
- encap <protocol>
+ encap protocol
Identifies the protocol used to encapsulate NAT-traversal IPsec
packets. Other NAT-traversal parameters (nat_*) are below. The only
- acceptable value for <protocol> currently is udp.
+ acceptable value for protocol currently is udp.
- proto <protocol number>
- ulp <protocol number>
+ proto protocol number
+ ulp protocol number
proto, and its synonym ulp, specify the IP protocol number of the
SA.
- nat_loc <address>|<name>
+ nat_loc address|name
If the local address in the SA (source or destination) is behind a
NAT, this extension indicates the NAT node's globally-routable
@@ -474,7 +475,7 @@
a nat_lport (see below) specified.
- nat_rem <address>|<name>
+ nat_rem address|name
If the remote address in the SA (source or destination) is behind a
NAT, this extension indicates that node's internal (that is,
@@ -482,31 +483,30 @@
address if there is a nat_rport (see below) specified.
- nat_lport <portnum>
+ nat_lport portnum
Identifies the local UDP port on which encapsulation of ESP occurs.
- nat_rport <portnum>
+ nat_rport portnum
Identifies the remote UDP port on which encapsulation of ESP
occurs.
- isrc <address> | <name>[/<prefix>]
- innersrc <address> | <name>[/<prefix>]
- isrc6 <address> | <name>[/<prefix>]
- innersrc6 <address> | <name>[/<prefix>]
- proxyaddr <address> | <name>[/<prefix>]
- proxy <address> | <name>[/<prefix>]
+ isrc address | name[/prefix]
+ innersrc address | name[/prefix]
+ isrc6 address | name[/prefix]
+ innersrc6 address | name[/prefix]
+ proxyaddr address | name[/prefix]
+ proxy address | name[/prefix]
- isrc <address>[/<prefix>] and innersrc <address>[/<prefix>] are
- synonyms. They indicate the inner source address for a tunnel-mode
- SA.
+ isrc and innersrc are synonyms. They indicate the inner source
+ address for a tunnel-mode SA.
An inner-source can be a prefix instead of an address. As with
- other address extensions, there are IPv6-specific forms. In such
- cases, use only IPv6-specific addresses or prefixes.
+ other address extensions, there are IPv6-specific forms to use only
+ IPv6-specific addresses or prefixes.
Previous versions referred to this value as the proxy address. The
usage, while deprecated, remains.
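Review bot: the reworded sentence in the isrc paragraph changes the meaning and reads awkwardly: `other address extensions, there are IPv6-specific forms to use only` / `IPv6-specific addresses or prefixes.` The old text stated a constraint (the IPv6 forms must be given IPv6 addresses); the new text makes it sound like the forms exist in order to use such addresses. Suggest: `As with other address extensions, there are IPv6-specific forms, which accept only IPv6 addresses or prefixes.`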
@@ -517,25 +517,24 @@
- idst <address> | <name>[/<prefix>]
- innerdst <address> | <name>[/<prefix>]
- idst6 <address> | <name>[/<prefix>]
- innerdst6 <address> | <name>[/<prefix>]
-
- idst <address>[/<prefix>] and innerdst <address>[/<prefix>] are
- synonyms. They indicate the inner destination address for a tunnel-
- mode SA.
+ idst address | name[/prefix]
+ innerdst address | name[/prefix]
+ idst6 address | name[/prefix]
+ innerdst6 address | name[/prefix]
+
+ idst and innerdst are synonyms. They indicate the inner destination
+ address for a tunnel-mode SA.
An inner-destination can be a prefix instead of an address. As with
- other address extensions, there are IPv6-specific forms. In such
- cases, use only IPv6-specific addresses or prefixes.
+ other address extensions, there are IPv6-specific forms to use only
+ IPv6-specific addresses or prefixes.
- innersport <portnum>
- isport <portnum>
+ innersport portnum
+ isport portnum
innersport specifies the source port number of the inner header for
a tunnel-mode SA. It should be used in combination with an upper-
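Review bot: the idst paragraph has the same rewording problem as the isrc paragraph: `other address extensions, there are IPv6-specific forms to use only` / `IPv6-specific addresses or prefixes.` turns a restriction into a purpose. Suggest: `As with other address extensions, there are IPv6-specific forms, which accept only IPv6 addresses or prefixes.`, kept identical in both paragraphs.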
@@ -543,8 +542,8 @@
- innerdport <portnum>
- idport <portnum>
+ innerdport portnum
+ idport portnum
innerdport specifies the destination port number of the inner
header for a tunnel-mode SA. It should be used in combination with
@@ -552,13 +551,15 @@
- iproto <protocol number>iulp <protocol number>
+ iproto protocol number
+ iulp protocol number
iproto, and its synonym iulp, specify the IP protocol number of the
inner header of a tunnel-mode SA.
- authkey <hexstring>
+
+ authkey hexstring
Specifies the authentication key for this SA. The key is expressed
as a string of hexadecimal digits, with an optional / at the end,
@@ -569,7 +570,7 @@
the add and update commands.
- encrkey <hexstring>
+ encrkey hexstring
Specifies the encryption key for this SA. The syntax of the key is
the same as authkey. A concrete example of a multi-key encryption
@@ -578,9 +579,9 @@
used by the add and update commands.
- reserved_bits <number>
+ reserved_bits number
- The last <number> bits of the encrkey string are marked as reserved
+ The last number bits of the encrkey string are marked as reserved
in the PF_KEY message. This option is only for testing certain
encryption algorithms.
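Review bot: with the angle brackets removed, `The last number bits of the encrkey string are marked as reserved` no longer signals that `number` stands for the argument of reserved_bits; in plain text it reads as a typo. Either keep the argument visibly marked as such or rephrase to avoid the bare word, for example `The last reserved_bits bits of the encrkey string are marked as reserved`.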
@@ -621,13 +622,13 @@
The value is an arbitrary text string that should identify the certifi-
cate.
- srcidtype <type, value>
+ srcidtype type, value
Specifies a source certificate identity for this SA. This extension
is used by the add and update commands.
- dstidtype <type, value>
+ dstidtype type, value
Specifies a destination certificate identity for this SA. This
extension is used by the add and update commands
@@ -1016,7 +1011,8 @@
example # ipseckey
- ipseckey> add esp spi 0x6789 src6 fec0:bbbb::4483 dst6 fec0:bbbb::7843\
+ ipseckey> add esp spi 0x6789 \
+ src6 fec0:bbbb::4483 dst6 fec0:bbbb::7843 \
authalg sha1 authkey d3b3be95dd3d688086d06c67c5e28482943142c9 \
encralg aes encrkey be11a84eb75255e0d3add0c0cd9c5315 \
hard_usetime 28800
@@ -1117,12 +1113,12 @@
A duplicate extension was entered.
- Don't use extension for <string> for <command>.
+ Don't use extension for string for command.
An extension not used by a command was used.
- One of the entered values is incorrect: Diagnostic code NN: <msg>
+ One of the entered values is incorrect: Diagnostic code NN: msg
This is a general invalid parameter error. The diagnostic code and
message provides more detail about what precise value was incorrect
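Review bot: the two diagnostics in this hunk lose their placeholders. `Don't use extension for string for command.` and `One of the entered values is incorrect: Diagnostic code NN: msg` now read as literal messages, and nothing tells the reader that `string`, `command` and `msg` are substituted at run time. Keep them marked as arguments, or mention in the explanatory line under each message which parts vary. In the unchanged context, `The diagnostic code and message provides more detail` should read `provide`.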
@@ -1152,4 +1148,4 @@
-Oracle Solaris 11.4 6 Dec 2019 ipseckey(8)
+Oracle Solaris 11.4 21 Jun 2021 ipseckey(8)
diff -NurbBw 11.4.36/man8/kclient-kt2prof.8 11.4.39/man8/kclient-kt2prof.8
--- 11.4.36/man8/kclient-kt2prof.8 2021-11-16 13:14:19.302232575 +0000
+++ 11.4.39/man8/kclient-kt2prof.8 2021-11-16 13:14:54.527873369 +0000
@@ -13,22 +13,22 @@
The kclient-kt2prof command is used to bundle a binary keytab file into
a System Configuration XML, so that it can be transferred by Automated
Installer onto the client. For that purpose, the binary file is base64
- encoded, partitioned into chunks if required, and stored in property
- element of the System Configuration XML profile. The resulting profile
- can be used by installadm create-profile to configure Kerberos on the
- client of Automated Installation.
+ encoded, partitioned into chunks if required, and stored in the System
+ Configuration XML profile. The resulting profile can be used by instal-
+ ladm create-profile to configure Kerberos on the client of Automated
+ Installation.
OPTIONS
The following options are supported:
- -k keytab Specifies the input filename to read from or standard
- input if this option is not specified. The maximum size
- of keytab for bundling into configuration profile is lim-
- ited to 750 KB.
+ -k keytab Specifies the input filename to read from. If this option
+ is not specified, standard input is read. The maximum
+ size of keytab for bundling into configuration profile is
+ limited to 750 KB.
- -p profile Specifies the output filename to write to or standard
- output by default.
+ -p profile Specifies the output filename to write to. If this option
+ is not specified, output is written to standard output.
EXAMPLES
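Review bot: the reflowed DESCRIPTION breaks a command name across lines (`used by instal-` / `ladm create-profile`); command and file names should not be hyphenated, so protect `installadm` from line breaking in the source (troff `\%installadm`). In the -k description, `The maximum size of keytab for bundling into configuration profile is limited to 750 KB` is redundant; `The keytab must not exceed 750 KB` says the same thing.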
@@ -55,6 +55,12 @@
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
+SEE ALSO
+ ai_manifest(5), installadm(8)
+HISTORY
+ The kclient-kt2prof command was added in Oracle Solaris 11.2.0.
-Oracle Solaris 11.4 10 July 2013 kclient-kt2prof(8)
+
+
+Oracle Solaris 11.4 21 Jun 2021 kclient-kt2prof(8)
diff -NurbBw 11.4.36/man8/kclient.8 11.4.39/man8/kclient.8
--- 11.4.36/man8/kclient.8 2021-11-16 13:14:19.335506231 +0000
+++ 11.4.39/man8/kclient.8 2021-11-16 13:14:54.562522822 +0000
@@ -9,14 +9,15 @@
/usr/sbin/kclient [-n] [-R realm] [-a adminuser] [-c filepath]
[-d dnsarg] [-f fqdn_list] [-h logical_host_name] [-k kdc_list]
[-m master_kdc_list] [-p profile]
- [-s service:{first|only|optional}[,..]] [-T kdc_vendor]
+ [-s pam_service:{first|only|optional}[,..]] [-T kdc_vendor]
DESCRIPTION
By specifying the various command options, you can use the kclient
utility to:
o Configure a machine as a Kerberos client for a specified
- realm and for KDC by setting up krb.conf.
+ realm and Key Distribution Center (KDC) by setting up a
+ krb5.conf(5) file.
o Add the Kerberos host principal to the local host's keytab
@@ -34,8 +35,8 @@
realm mapping lookups by means of DNS.
- o Configure a Kerberos client to use an MS Active Directory
- server. This generates a keytab file with the Kerberos
+ o Configure a Kerberos client to use a Microsoft Active Direc-
+ tory server. This generates a keytab file with the Kerberos
client's service keys populated.
@@ -52,8 +53,8 @@
o Set up a Kerberos client to join an environment that con-
- sists of Kerberos servers that are non-Solaris and non-MS
- Active Directory servers.
+ sists of Kerberos servers that are non-Solaris and non-Mi-
+ crosoft Active Directory servers.
o Configure pam.conf(5) to use Kerberos authentication for
@@ -108,7 +109,7 @@
if the -K option has not been specified.
- -R [ realm ]
+ -R realm
Specifies the Kerberos realm.
@@ -124,7 +125,7 @@
example 1 in the EXAMPLES section below.
- -a [ adminuser ]
+ -a adminuser
Specifies the Kerberos administrative user.
@@ -158,7 +159,7 @@
the client with the server if the ms_ad option is specified.
- -c [ filepath ]
+ -c filepath
Specifies the pathname to the krb5.conf master file, to be copied
over to the local host. The path specified normally points to a
@@ -166,11 +167,11 @@
means of NFS.
- -d [ dnsarg ]
+ -d dnsarg
Specifies the DNS lookup option to be used and specified in the
krb5.conf file. Valid dnsarg entries are: none, dns_lookup_kdc,
- dns_lookup_realm and dns_fallback. Any other entry is considered
+ dns_lookup_realm, and dns_fallback. Any other entry is considered
invalid. The latter three dnsarg values assume the same meaning as
those described in krb5.conf. dns_lookup_kdc implies DNS lookups
for the KDC and the other servers. dns_lookup_realm is for
@@ -211,7 +212,7 @@
- -f [ fqdn_list ]
+ -f fqdn_list
This option creates a service principal entry (host/nfs/root) asso-
ciated with each of the listed fqdn's, if required, and subse-
@@ -243,7 +244,7 @@
the -k option is the master KDC.
- -p [ profile ]
+ -p profile
Specifies the profile to be used to enable the reading in of the
values of all the parameters required for set up of the machine as
@@ -252,16 +253,16 @@
The profile should have entries in the format:
- PARAM <value>
+ PARAM value
Valid PARAM entries are: REALM, KDC, ADMIN, FILEPATH, NFS,
DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS, and PAM.
- These profile entries correspond to the -R [realm], -k [kdc], -a
- [adminuser], -c [filepath], -n, -d [dnsarg], -f [fqdn_list], -K, -h
- [logical_host_name], -T [kdc_vendor], -D [domain_list], -m [mas-
- ter_kdc], and -s [pam_service] command-line options, respectively.
- Any other PARAM entry is considered invalid and is ignored.
+ These profile entries correspond to the -R realm, -k kdc, -a
+ adminuser, -c filepath, -n, -d dnsarg, -f fqdn_list, -K, -h
+ logical_host_name, -T kdc_vendor, -D domain_list, -m master_kdc,
+ and -s pam_service command-line options, respectively. Any other
+ PARAM entry is considered invalid and is ignored.
The NFS profile entry can have a value of 0 (do nothing) or 1
(operation is requested). Any other value is considered invalid and
@@ -271,13 +272,13 @@
ues listed in the profile.
- -s [pam_service:]auth_type[,...]
+ -s pam_service:auth_type[,...]
Specifies that the PAM service names, specified in pam_service, are
authenticated through Kerberos. Using this option updates/creates
/etc/pam.d/<pam_service> to include a separate authentication stack
with pam_krb5(7). Examples of pam_service names are sshd-kbdint,
- xscreensaver, and so forth.
+ su, and so forth.
auth_type can be one of the following keywords:
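Review bot: the -s heading changed here, `-s pam_service:auth_type[,...]`, does not agree with the SYNOPSIS form changed in the first hunk of this file, `[-s pam_service:{first|only|optional}[,..]]`: one names the argument `auth_type`, the other enumerates the keywords, and the ellipsis differs (`,...` versus `,..`). Use one form in both places. The unchanged line `/etc/pam.d/<pam_service>` still carries angle brackets although the rest of this change removes them.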
@@ -317,35 +318,34 @@
To set up a Kerberos client using the clntconfig/admin administrative
- principal for realm 'ABC.COM', kdc 'example1.com' and that also does
- kerberized NFS, enter:
+ principal for realm 'EXAMPLE.COM', kdc 'example1.com', and that also
+ does kerberized NFS, enter:
- # /usr/sbin/kclient -n -R ABC.COM -k example1.com -a clntconfig
+ # /usr/sbin/kclient -n -R EXAMPLE.COM -k example1.com -a clntconfig
Alternatively, to set up a Kerberos client using the clntconfig/admin
- administrative principal for the realm 'EAST.ABC.COM', kdc 'exam-
- ple2.east.abc.com' and that also needs service principal(s) created
- and/or added to the local keytab for multiple DNS domains, enter:
+ administrative principal for the realm 'EAST.EXAMPLE.COM', kdc 'exam-
+ ple2.east.example.com', and that also needs service principal(s) cre-
+ ated and/or added to the local keytab for multiple DNS domains, enter:
- # /usr/sbin/kclient -n -R EAST.ABC.COM -k example2.east.abc.com \
- -f west.abc.com,central.abc.com -a clntconfig
+ # /usr/sbin/kclient -n -R EAST.EXAMPLE.COM -k example2.east.example.com \
+ -f west.example.com,central.example.com -a clntconfig
Note that the krb5 administrative principal used by the administrator
- needs to have only add, inquire, change-pwd and modify privileges (for
+ needs to have only add, inquire, change-pwd, and modify privileges (for
the principals in the KDC database) in order for the kclient utility to
run. A sample kadm5.acl entry is:
- clntconfig/[email protected] acmi
-
+ clntconfig/[email protected] acmi
Example 2 Setting Up a Kerberos Client Using the Profile Option
@@ -353,8 +353,8 @@
To set up a Kerberos client using the clntconfig/admin administrative
- principal for realm 'ABC.COM', kdc 'example1.com' and that also copies
- over the master krb5.conf from a specified location, enter:
+ principal for realm 'EXAMPLE.COM', kdc 'example1.com', and that also
+ copies over the master krb5.conf from a specified location, enter:
# /usr/sbin/kclient -p /net/example1.com/export/profile.krb5
@@ -365,7 +365,7 @@
The contents of profile.krb5:
- REALM ABC.COM
+ REALM EXAMPLE.COM
KDC example1
ADMIN clntconfig
FILEPATH /net/example1.com/export/krb5.conf
@@ -373,21 +373,19 @@
DNSLOOKUP none
-
Example 3 Setting Up a Kerberos Client That Has a Dynamic IP Address
In this example a Kerberos client is a DHCP client that has a dynamic
IP address. This client does not wish to host any Kerberized services
- and therefore does not require a keytab (/etc/krb5/krb5.keytab
- ) file.
+ and therefore does not require a keytab (/etc/krb5/krb5.keytab) file.
For this type of client the administrator would issue the following
- command to configure this machine to be a Kerberos client of the
- ABC.COM realm with the KDC server kdc1.example.com:
+ command to configure this machine to be a Kerberos client of the EXAM-
+ PLE.COM realm with the KDC server kdc1.example.com:
# /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com
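Review bot: the reflowed sentence hyphenates a literal realm name across lines (`Kerberos client of the EXAM-` / `PLE.COM realm`), which a reader may take as part of the value. Protect it from hyphenation in the source (troff `\%EXAMPLE.COM`) or reflow the sentence so the name stays on one line.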
@@ -433,16 +430,20 @@
+-----------------------------+-----------------------------+
SEE ALSO
- encrypt(1), nfssec.conf(5), pam.conf(5), resolv.conf(5), attributes(7),
- pam_krb5(7), dd(8), smbadm(8)
+ kadm5.acl(5), krb5.conf(5), nfssec.conf(5), pam.conf(5),
+ resolv.conf(5), attributes(7), kerberos(7), pam_krb5(7), kclient-
+ kt2prof(8), smbadm(8)
+
+
+ Managing Kerberos in Oracle Solaris 11.4
NOTES
fqdn stands for the Fully Qualified Domain Name of the local host. The
- kclient utility saves copies of both the krb5.conf and nfssec.conf(5)
- files to files with corresponding names and .sav extensions. The
- optional copy of the krb5.conf master file is neither encrypted nor
- integrity-protected and it takes place over regular NFS.
+ kclient utility saves copies of both the krb5.conf(5) and
+ nfssec.conf(5) files to files with corresponding names and .sav exten-
+ sions. The optional copy of the krb5.conf master file is neither
+ encrypted nor integrity-protected and it takes place over regular NFS.
-Oracle Solaris 11.4 11 May 2021 kclient(8)
+Oracle Solaris 11.4 21 Jun 2021 kclient(8)
diff -NurbBw 11.4.36/man8/kmipcfg.8 11.4.39/man8/kmipcfg.8
--- 11.4.36/man8/kmipcfg.8 2021-11-16 13:14:19.395271086 +0000
+++ 11.4.39/man8/kmipcfg.8 2021-11-16 13:14:54.610201114 +0000
@@ -35,7 +35,8 @@
kmipcfg info [-n] [-H [-v]] [-o property[,property,...]] [server_group]
- kmipcfg list [-c] [-s] [-H [-v]] [-o property[,property,...]] [server_group]
+ kmipcfg list [-c] [-s] [-H [-v]] [-o property[,property,...]]
+ [server_group]
kmipcfg set [-f] -o property=value ... server_group
@@ -46,7 +47,7 @@
Solaris Cryptographic Framework (SCF).
- The KMIP provider (pkcs11_kmip) provides the system with access to the
+ The KMIP provider, pkcs11_kmip(7), provides the system with access to
remote KMIP servers. The communication between the client and the
server is secured with TLS. Multiple remote KMIP systems can be grouped
into server groups. It is assumed that a KMIP client using the same
@@ -125,7 +124,7 @@
server_list=ip_address|host_name[:port_number][,...]
- The mandatory, coma-delimited list of IP addresses or host
+ The mandatory, comma-delimited list of IP addresses or host
names of the KMIP servers. If an IPv6 address and port are
specified, the IPv6 address must be enclosed in the square
brackets. If port_number is not specified, the default port
@@ -272,15 +261,12 @@
option has no effect if server_group is specified.
-
Note -
-
- This command is equivalent to kmipcfg set -o
- token_state=disabled.
-
+ This command is equivalent to kmipcfg set -o token_state=dis-
+ abled.
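Review bot: the property value is split across lines in the Note: `This command is equivalent to kmipcfg set -o token_state=dis-` / `abled.` Anyone copying the command from the page gets a hyphen inside the value. Protect the literal from hyphenation (troff `\%token_state=disabled`); the corresponding `token_state=enabled` Note further down fits on one line and has no such problem.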
@@ -295,15 +280,11 @@
option has no effect if server_group is specified.
-
Note -
-
- This command is equivalent to kmipcfg set -o
- token_state=enabled.
-
+ This command is equivalent to kmipcfg set -o token_state=enabled.
@@ -328,7 +308,7 @@
-s This option extracts sensitive informa-
tion. For example, encoded certificates,
- and PKCS#12 bundle pin.
+ and PKCS#12 bundle PIN.
-t all|pkcs11|libkmip Extracts profile for the svc:/sys-
@@ -472,15 +448,13 @@
-
kmipcfg list [-c] [-s] [-H [-v]] [-o property[,property,...]]
[server_group]
Lists parameters configured using kmipcfg create command. If
- server_group is specified, only configuration parameters of the-
+ server_group is specified, only configuration parameters of the
server_group are listed.
-
-c Lists configuration parameters in a format that can be used
by the non-interactive kmipcfg create command. Sensitive
information is not printed. The password locator string is
@@ -548,8 +516,7 @@
dle.
-
- $ % kmipcfg create -o server_list=kmip-server-1.example.com:5696 \
+ % kmipcfg create -o server_list=kmip-server-1.example.com:5696 \
-o p12_bundle=kmip-server-1_keys.p12 KMIP_server
@@ -575,7 +540,7 @@
Encode type [TTLV]: TTLV
Failover limit [3]: 1
Client keystore [/var/user/jf/kmip/KMIP_cluster]:
- PKCS#12 bundle: /tmp/kmip_cluser_credentials.p12
+ PKCS#12 bundle: /var/user/jf/kmip/kmip_cluster_credentials.p12
Verify CN in the subject of the server certificate [Y|n]:
Secondary authentication [none]: username-password
Username: jf_kmip
@@ -630,7 +592,7 @@
Encode type: TTLV
Failover limit: 1
Client keystore: /var/user/jf/kmip/KMIP_cluster
- Client PKCS#12 bundle: /tmp/kmip_cluser_credentials.p12
+ Client PKCS#12 bundle: /var/user/jf/kmip/kmip_cluser_credentials.p12
Server certificate subject CN verification: enabled
Secondary authentication type: username-password
Username: jf_kmip
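Review bot: the file name typo is only half fixed. The create prompt earlier in this file now reads `/var/user/jf/kmip/kmip_cluster_credentials.p12`, but the info output in this hunk still shows `Client PKCS#12 bundle: /var/user/jf/kmip/kmip_cluser_credentials.p12`. Example output should reflect the value entered at the prompt, so change `cluser` to `cluster` here as well.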
@@ -657,7 +617,7 @@
Encode type: TTLV
Failover limit: 1
Client keystore: /var/user/jf/kmip/KMIP_cluster
- Client PKCS#12 bundle: /tmp/kmip_cluser_credentials.p12
+ Client PKCS#12 bundle: /var/user/jf/kmip/kmip_cluser_credentials.p12
Server certificate subject CN verification: enabled
Secondary authentication type: username-password
Username: jf_kmip
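Review bot: same mismatch as in the previous listing: `Client PKCS#12 bundle: /var/user/jf/kmip/kmip_cluser_credentials.p12` still has `cluser` while the create prompt in this file was corrected to `kmip_cluster_credentials.p12`. Fix the spelling here too so the three listings show the same path.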
@@ -692,11 +649,10 @@
configuration of "Default KMIP token".
-
# kmipcfg list -o cred_source_type "Default KMIP token"
TLS credentials source type: raw
- # kmipcfg set -o cert=/tmp/cert.pem "Default KMIP token"
+ # kmipcfg set -o cert=/var/user/jf/kmip/cert.pem "Default KMIP token"
# kmipcfg list -o cert -s "Default KMIP token"
Client certificate: 1612 Bytes
@@ -748,8 +699,7 @@
The following example generates an SMF profile interactively.
-
- # kmipcfg extract -s -i -p /tmp/profile.xml
+ # kmipcfg extract -s -i -p ./profile.xml
Extract service instance [all]:
Libkmip configuration in service instance [svc:/system/kmip/client:default]:
Property group name [kmip_client_default]:
@@ -766,7 +716,7 @@
Private key:
Certificate:
CA certificate:
- PKCS#12 bundle: /tmp/kmip_cred_bundle.p12
+ PKCS#12 bundle: /var/user/jf/kmip/kmip_cred_bundle.p12
PKCS#12 bundle password locator [prompt]:
'p12_bundle_pass' password: ********
Verify CN in the subject of the server certificate [Y|n]:
@@ -788,8 +737,7 @@
- This shows server capablities, not client.
-
+ This shows server capabilities, not client.
@@ -836,4 +783,4 @@
-Oracle Solaris 11.4 26 Nov 2020 kmipcfg(8)
+Oracle Solaris 11.4 21 Jun 2021 kmipcfg(8)
diff -NurbBw 11.4.36/man8/ktkt_warnd.8 11.4.39/man8/ktkt_warnd.8
--- 11.4.36/man8/ktkt_warnd.8 2021-11-16 13:14:19.436901928 +0000
+++ 11.4.39/man8/ktkt_warnd.8 2021-11-16 13:14:54.637804945 +0000
@@ -15,8 +15,9 @@
is obtained for the first time, such as after using the kinit command.
ktkt_warnd can be configured through per user and system configuration
files on the client. In the configuration files, you can specify that
- you be supplied notice of ticket expiration--through terminal, mail, or
- syslog--or to renew the TGT.
+ the user be supplied notice of ticket expiration--through terminal,
+ mail, or syslog--or to renew the TGT. See the warn.conf(5) manual page
+ for further details.
FILES
/etc/krb5/warn.conf
@@ -40,6 +41,8 @@
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
+ |Availability |service/security/kerberos-5 |
+ +-----------------------------+-----------------------------+
|Interface Stability |Committed |
+-----------------------------+-----------------------------+
@@ -51,6 +54,10 @@
Managing Kerberos in Oracle Solaris 11.4
NOTES
+ The auto-renew of the TGT is attempted only if the user is logged-in,
+ as determined by examining utmpx(5).
+
+
The ktkt_warnd service is managed by the service management facility,
smf(7), under the service identifier:
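Review bot: in the added NOTES sentence, `only if the user is logged-in,` should be `logged in`; the hyphenated form is the adjective (`a logged-in user`), not the predicate. Consider also naming what is consulted: `as determined by examining the utmpx(5) database`.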
@@ -58,7 +65,7 @@
- ktkt_warnd is off by default, and can be turned on by administrator.
+ ktkt_warnd is off by default, and can be turned on by an administrator.
Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using svcadm(8). Responsibility
for initiating and restarting this service is delegated to inetd(8).
@@ -68,4 +75,4 @@
-Oracle Solaris 11.4 28 Oct 2014 ktkt_warnd(8)
+Oracle Solaris 11.4 21 Jun 2021 ktkt_warnd(8)
diff -NurbBw 11.4.36/man8/labeladm.8 11.4.39/man8/labeladm.8
--- 11.4.36/man8/labeladm.8 2021-11-16 13:14:19.470381872 +0000
+++ 11.4.39/man8/labeladm.8 2021-11-16 13:14:54.676768161 +0000
@@ -18,7 +18,7 @@
labeladm disable [-n | -fim | -fr] [-q]
- labeladm encodings [<label-encodings-file>]
+ labeladm encodings [label-encodings-file]
DESCRIPTION
labeladm controls the labeling services which are provided by the
@@ -80,8 +80,8 @@
Enabling or disabling Trusted Extensions, or changing its properties
(such as the effective encodings file), can only be done by a user or
role with the solaris.smf.manage.labels authorization. For example, a
- user or role that has either the Information Security or Object Label
- Management Rights Profile.
+ user or role that has either the "Information Security" or "Object
+ Label Management" Rights Profile.
OPTIONS
The following options are supported:
@@ -137,11 +137,13 @@
+-----------------------------+-----------------------------+
|Availability |system/trusted |
+-----------------------------+-----------------------------+
- |Interface Stability |The invocation and subcom- |
- | |mands are committed. Output |
- | |is Not-an-Interface. |
+ |Interface Stability |See below. |
+-----------------------------+-----------------------------+
+
+ The invocation and subcommands are committed. Output is Not-an-Inter-
+ face.
+
SEE ALSO
is_system_labeled(3C), labels(7), trusted_extensions(7), chk_encod-
ings(8), labeld(8), tncfg(8)
@@ -149,6 +151,9 @@
Trusted Extensions Configuration and Administration
+HISTORY
+ The labeladm command was added in Oracle Solaris 11.2.0.
+
-Oracle Solaris 11.4 16 Nov 2016 labeladm(8)
+Oracle Solaris 11.4 21 Jun 2021 labeladm(8)
diff -NurbBw 11.4.36/man8/labelcfg.8 11.4.39/man8/labelcfg.8
--- 11.4.36/man8/labelcfg.8 2021-11-16 13:14:19.521682215 +0000
+++ 11.4.39/man8/labelcfg.8 2021-11-16 13:14:54.718184839 +0000
@@ -57,18 +57,15 @@
The following properties apply to the entire encodings:
-
title An arbitrary title which is stored as a comment in
the labeling encodings file.
min_label The default minimum label for users. When Trusted
- Extensions is enabled, this property also specifies
- the initial label to use when logging in to the
- Trusted Desktop. For standard Oracle Solaris, it
- specifies the lowest label to which authorized users
- may downgrade their files. In this case, the value
- ADMIN_LOW is recommended.
+ Extensions is not enabled, this property specifies
+ the lowest label to which authorized users may down-
+ grade their files. In this case, the value ADMIN_LOW
+ is recommended.
clearance The default clearance for users. Unless Trusted
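Review bot: the rewritten min_label description removes the enabled case. The old text said the property `also specifies the initial label to use when logging in to the Trusted Desktop`, while the new text only covers `When Trusted Extensions is not enabled`. If the initial login label is no longer derived from min_label, say where it now comes from; otherwise keep a sentence for the enabled case, because as written the property is undocumented whenever Trusted Extensions is on.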
@@ -414,12 +400,10 @@
#
-
Example 3 Using the info Subcommand in the Encodings Context
-
- gfaden@islay% labelcfg -e /etc/security/tsol/lef
+ % labelcfg -e /etc/security/tsol/lef
labelcfg:lef> info
title=Sample Data Protection Policy
classification=Public
@@ -505,6 +482,9 @@
SEE ALSO
sandbox(1), clearance(7), labels(7), chk_encodings(8), labeld(8)
+HISTORY
+ The labelcfg command was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 27 Nov 2017 labelcfg(8)
+Oracle Solaris 11.4 21 Jun 2021 labelcfg(8)
diff -NurbBw 11.4.36/man8/labeld.8 11.4.39/man8/labeld.8
--- 11.4.36/man8/labeld.8 2021-11-16 13:14:19.578238668 +0000
+++ 11.4.39/man8/labeld.8 2021-11-16 13:14:54.746566612 +0000
@@ -39,11 +39,11 @@
+-----------------------------+-----------------------------+
SEE ALSO
- svcs(1), attributes(7), smf(7), svcadm(8), syslogd(8)
+ svcs(1), attributes(7), smf(7), trusted_extensions(7), labeladm(8)
Trusted Extensions Configuration and Administration
-Oracle Solaris 11.4 27 Nov 2017 labeld(8)
+Oracle Solaris 11.4 21 Jun 2021 labeld(8)
diff -NurbBw 11.4.36/man8/ldm.8 11.4.39/man8/ldm.8
--- 11.4.36/man8/ldm.8 2021-11-16 13:14:19.781544760 +0000
+++ 11.4.39/man8/ldm.8 2021-11-16 13:14:54.969618579 +0000
@@ -4344,7 +4344,7 @@
Syntax:
- ldm add-spconfig config-name
+ ldm add-spconfig [-m] config-name
ldm add-spconfig -r autosave-name [new-config-name]
@@ -4352,6 +4352,12 @@
where:
+ o -m specifies that the memory allocation of all domains is
+ re-built before the configuration is saved to the SP. This
+ option will eliminate memory fragmentation that might exist
+ in the current configuration.
+
+
o config-name is the name of the SP configuration to add.
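Review bot: in the added -m bullet, `re-built` should be `rebuilt`, and `This option will eliminate memory fragmentation that might exist in the current configuration` reads better in the present tense: `This eliminates any memory fragmentation present in the current configuration.`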
diff -NurbBw 11.4.36/man8/logadm.8 11.4.39/man8/logadm.8
--- 11.4.36/man8/logadm.8 2021-11-16 13:14:19.830109338 +0000
+++ 11.4.39/man8/logadm.8 2021-11-16 13:14:55.028510296 +0000
@@ -141,6 +141,10 @@
Rotate the log file by copying it and truncating the original log-
file to zero length, rather than renaming the file.
+ This option cannot be used along with -o, -g or -m as the file per-
+ missions need to match the owner of the original file being trun-
+ cated.
+
-C count
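Review bot: the rationale in the added sentence is muddled: `the file permissions need to match the owner of the original file being truncated` conflates mode with ownership, and the paragraph does not say what happens when the options are combined (an error, or silently ignored). Suggest: `-c cannot be combined with -o, -g, or -m: the truncated file keeps the ownership and mode of the original, so these cannot be changed.` followed by the resulting behaviour. Also add the serial comma (`-o, -g, or -m`) to match the style used elsewhere in this change.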
@@ -707,4 +711,4 @@
-Oracle Solaris 11.4 11 May 2021 logadm(8)
+Oracle Solaris 11.4 28 Jun 2021 logadm(8)
diff -NurbBw 11.4.36/man8/logins.8 11.4.39/man8/logins.8
--- 11.4.36/man8/logins.8 2021-11-16 13:14:19.860684344 +0000
+++ 11.4.39/man8/logins.8 2021-11-16 13:14:55.056913556 +0000
@@ -10,17 +10,17 @@
[-l login_name...]
DESCRIPTION
- This command displays information on user, role, and system logins
- known to the system. Contents of the output is controlled by the com-
- mand options and can include the following: user, role, or system
- login; user id number; passwd account field value (user name or other
- information); primary group name; primary group id; multiple group
- names; multiple group ids; home directory; login shell; and four pass-
- word-aging parameters. The default information is the following: login
- id, user id, primary group name, primary group id, and the account
- field value. Output is sorted by user id, unless the -t option is spec-
- ified. The -S option restricts the search for logins to the specified
- name service repository. See nsswitch.conf(5).
+ This command displays information on user, role, and system login
+ accounts known to the system. Contents of the output is controlled by
+ the command options and can include the following: user, role, or sys-
+ tem login; user id number; passwd account field value (user name or
+ other information); primary group name; primary group id; multiple
+ group names; multiple group ids; home directory; login shell; and four
+ password-aging parameters. The default information is the following:
+ login id, user id, primary group name, primary group id, and the
+ account field value. Output is sorted by user id, unless the -t option
+ is specified. The -S option restricts the search for logins to the
+ specified name service repository. See nsswitch.conf(5).
OPTIONS
Options may be used together. If so, any login that matches any crite-
@@ -49,18 +49,18 @@
user belongs to more than one of the selected groups.
- -l login_name...
+ -l login_name
Selects the requested login. Multiple logins can be specified as a
comma-separated list. Unless the -S option is specified, the lookup
- depends on the nameservice lookup types set in /etc/nsswitch.conf,
+ depends on the nameservice lookup types set in nsswitch.conf(5),
the information can come from the /etc/passwd and /etc/shadow files
and other nameservices. When the -l and -g options are combined, a
user is only listed once, even if the user belongs to more than one
of the selected groups.
- -S
+ -S repository
Select logins only from an available name service database reposi-
tory.
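Review bot: the -l heading is changed from `-l login_name...` to `-l login_name`, but the SYNOPSIS in the first hunk of this file still shows `[-l login_name...]`, and the description keeps `Multiple logins can be specified as a comma-separated list`. The ellipsis conventionally denotes repeated operands, which is not how this option takes several names, so update the SYNOPSIS to match. Also, `the lookup depends on the nameservice lookup types set in nsswitch.conf(5), the information can come from the /etc/passwd and /etc/shadow files` is a comma splice; split it into two sentences.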
@@ -166,8 +166,9 @@
+-----------------------------+-----------------------------+
SEE ALSO
- passwd(1), crypt(3C), nsswitch.conf(5), attributes(7)
+ groups(1), passwd(1), roles(1), crypt(3C), nsswitch.conf(5), passwd(5),
+ shadow(5), rbac(7), attributes(7)
-Oracle Solaris 11.4 9 Mar 2020 logins(8)
+Oracle Solaris 11.4 21 Jun 2021 logins(8)
diff -NurbBw 11.4.36/man8/mkntfs.8 11.4.39/man8/mkntfs.8
--- 11.4.36/man8/mkntfs.8 2021-11-16 13:14:19.899755261 +0000
+++ 11.4.39/man8/mkntfs.8 1969-12-31 16:00:00.000000000 +0000
@@ -1,206 +0,0 @@
-System Administration Commands mkntfs(8)
-
-
-
-NAME
- mkntfs - create an NTFS file system
-
-SYNOPSIS
- mkntfs [options] device [number_of_sectors]
-
-
- mkntfs [-C] [-c cluster-size] [-F] [-f] [-H heads] [-h] [-I]
- [-L volume-label] [-l] [-n] [-p part-start-sect] [-Q] [-q]
- [-S sectors-per-track] [-s sector-size] [-T] [-V] [-v]
- [-z mft-zone-multiplier] [--debug] device [number-of-sectors]
-
-DESCRIPTION
- The mkntfs utility is used to create an NTFS file system on a device,
- usually a disk partition, or file. The device operand is the special
- file corresponding to the device; for example, /dev/dsk/c0d0p0. The
- number-of-sectors operand is the number of blocks on the device. If
- omitted, mkntfs automatically figures the file system size.
-
-OPTIONS
- Supported options are listed below. Most options have both single-let-
- ter and full-name forms. Multiple single-letter options that do not
- take an argument can be combined. For example, -fv is the equivalent of
- -f -v. A full-name option can be abbreviated to a unique prefix of its
- name.
-
-
- Options are divided among basic, advanced, output, and help options, as
- listed below.
-
- Basic Options
- -C, --enable-compression
-
- Enable compression on the volume.
-
-
- -f, --fast or -q, --quick
-
- Perform quick (fast) format. This option skips both zeroing of the
- volume and bad sector checking.
-
-
- -L, --label string
-
- Set the volume label for the filesystem to string.
-
-
- -n, --no-action
-
- Causes mkntfs to not actually create a file system, but display
- what it would do if it were to create a file system. All formatting
- steps are carried out except the actual writing to the device.
-
-
- Advanced Options
- -c, --cluster-size bytes
-
- Specify the size of clusters in bytes. Valid cluster size values
- are powers of two, with at least 256, and at most 65536, bytes per
- cluster. If omitted, mkntfs uses 4096 bytes as the default cluster
- size.
-
- Note that the default cluster size is set to be at least equal to
- the sector size, as a cluster cannot be smaller than a sector.
- Also, note that values greater than 4096 have the side effect that
- compression is disabled on the volume. This is due to limitations
- in the NTFS compression algorithm used by Windows.
-
-
- -F, --force
-
- Force mkntfs to run, even if the specified device is not a block
- special device, or appears to be mounted.
-
-
- -H, --heads num
-
- Specify the number of heads. The maximum is 65535 (0xffff). If
- omitted, mkntfs attempts to determine the number of heads automati-
- cally. If that fails a default of 0 is used. Note that specifying
- num is required for Windows to be able to boot from the created
- volume.
-
-
- -I, --no-indexing
-
- Disable content indexing on the volume. This option is only mean-
- ingful on Windows 2000 and later. Windows NT 4.0 and earlier ignore
- this, as they do not implement content indexing.
-
-
- -p, --partition-start sector
-
- Specify the partition start sector. The maximum is 4294967295
- (2^32-1). If omitted, mkntfs attempts to determine sectorautomati-
- cally. If that fails, a default of 0 is used. Note that specifying
- sector is required for Windows to be able to boot from the created
- volume.
-
-
- -S, --sectors-per-track num
-
- Specify the number of sectors per track. The maximum is 65535
- (0xffff). If omitted, mkntfs attempts to determine the number of
- sectors-per-track automatically and if that fails a default of 0 is
- used. Note that sectors-per-track is required for Windows to be
- able to boot from the created volume.
-
-
- -s, --sector-size bytes
-
- Specify the size of sectors in bytes. Valid sector size values are
- 256, 512, 1024, 2048, and 4096. If omitted, mkntfs attempts to
- determine the sector-size automatically. If that fails, a default
- of 512 bytes per sector is used.
-
-
- -T, --zero-time
-
- Fake the time to be 00:00:00 UTC, Jan 1, 1970, instead of the cur-
- rent system time. This can be useful for debugging purposes.
-
-
- -z, --mft-zone-multiplier num
-
- Set the master file table (MFT) zone multiplier, which determines
- the size of the MFT zone to use on the volume. The MFT zone is the
- area at the beginning of the volume reserved for the MFT, which
- stores the on-disk inodes (MFT records). It is noteworthy that
- small files are stored entirely within the inode; thus, if you
- expect to use the volume for storing large numbers of very small
- files, it is useful to set the zone multiplier to a higher value.
- Although the MFT zone is resized on the fly as required during
- operation of the NTFS driver, choosing an optimal value reduces
- fragmentation. Valid values are 1, 2, 3, and 4. The values have the
- following meaning:
-
- MFT zone MFT zone size
- multiplier (% of volume size)
- 1 12.5% (default)
- 2 25.0%
- 3 37.5%
- 4 50.0%
-
-
-
- Output Options
- --debug
-
- Includes the verbose output from the -v option, as well as addi-
- tional output useful for debugging mkntfs.
-
-
- -q, --quiet
-
- Verbose execution. Errors are written to stderr, no output to std-
- out occurs at all. Useful if mkntfs is run in a script.
-
-
- -v, --verbose
-
- Verbose execution.
-
-
- Help Options
- -h, --help
-
- Show a list of options with a brief description of each one.
-
-
- -l, --license
-
- Display the mkntfs licensing information and exit.
-
-
- -V, --version
-
- Display the mkntfs version number and exit.
-
-
-ATTRIBUTES
- See attributes(7) for descriptions of the following attributes:
-
-
- +-----------------------------+-----------------------------+
- | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
- +-----------------------------+-----------------------------+
- |Availability |system/file-system/ntfsprogs |
- +-----------------------------+-----------------------------+
- |Interface Stability |Uncommitted |
- +-----------------------------+-----------------------------+
-
-SEE ALSO
- attributes(7), ntfsprogs(8), ntfsresize(8), ntfsundelete(8)
-
-AUTHORS
- mkntfs was written by Anton Altaparmakov, Richard Russon, Erik Sornes
- and Szabolcs Szakacsits.
-
-
-
-Oracle Solaris 11.4 23 Aug 2017 mkntfs(8)
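Review bot: deleting mkntfs(8) outright leaves its SEE ALSO targets, ntfsprogs(8), ntfsresize(8) and ntfsundelete(8), and any page that refers back to mkntfs(8) as dangling cross-references unless they are removed or updated in the same change; confirm the companion pages are handled here rather than left pointing at a page that no longer exists.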
diff -NurbBw 11.4.36/man8/mkpwdict.8 11.4.39/man8/mkpwdict.8
--- 11.4.36/man8/mkpwdict.8 2021-11-16 13:14:19.930235721 +0000
+++ 11.4.39/man8/mkpwdict.8 2021-11-16 13:14:55.098261963 +0000
@@ -6,7 +6,7 @@
mkpwdict - maintain password-strength checking database
SYNOPSIS
- /usr/bin/mkpwdict [-s dict1,... ,dictN]
+ /usr/bin/mkpwdict [-s dict1,... ,dictN] [-l minwordlength]
[-d destination-path]
DESCRIPTION
@@ -23,8 +23,8 @@
characters are discarded. Words shorter than the specified minimum (see
below) are skipped. The file /usr/share/lib/dict/words or another
spell-checking dictionary can be used as a source file but needs to be
- processed first so that it contains only words with minimum length, by
- specifying DICTIONMINWORDLENGTH or "-l" option.
+ processed so that it contains only words with minimum length, by speci-
+ fying DICTIONMINWORDLENGTH in /etc/default/passwd or the -l option.
If -s is omitted, mkpwdict will use the value of DICTIONLIST specified
@@ -47,10 +47,10 @@
added to the dictionary-lookup database.
- -l Specifies the minimum dictionary word length. Words shorter than
- the specified number will be omitted from the corresponding
- source file. This option takes a number greater or equal to 2
- [letters].
+ -l Specifies the minimum dictionary word length, in letters. Words
+ shorter than the specified number will be omitted from the corre-
+ sponding source file. This option takes a number greater or equal
+ to 2.
-d Specifies the target location of the dictionary-database.
@@ -94,6 +94,13 @@
SEE ALSO
passwd(1), attributes(7), pam_authtok_check(7)
+HISTORY
+ The -l option and DICTIONMINWORDLENGTH property were added in Oracle
+ Solaris 11.1.17 and a Solaris 10 patch.
-Oracle Solaris 11.4 21 Jan 2014 mkpwdict(8)
+ The mkpwdict command was added to Oracle Solaris in Solaris 10 3/05.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 mkpwdict(8)
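Review bot: the new HISTORY sentence "were added in Oracle Solaris 11.1.17 and a Solaris 10 patch" names the 11.1 SRU but not the Solaris 10 patch; either give the patch id or drop the clause, since an unnamed patch is not something a reader can look up.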
diff -NurbBw 11.4.36/man8/mount_nfs.8 11.4.39/man8/mount_nfs.8
--- 11.4.36/man8/mount_nfs.8 2021-11-16 13:14:19.968514625 +0000
+++ 11.4.39/man8/mount_nfs.8 2021-11-16 13:14:55.151159696 +0000
@@ -127,6 +127,17 @@
update. The default value is 30.
+ acl | noacl
+
+ If noacl is specified, then NFS client will not issue ACL-
+ related RPCs using the NFS_ACL protocol. The default value is
+ determined by the client_nfs23_acl property, which can be
+ changed using sharectl(8). This option is relevant only for
+ NFSv3 or NFSv2 mounts; it is silently ignored for NFSv4. The
+ noacl option should only be used when no files in the specified
+ resource have an ACL.
+
+
acregmax=n
Hold cached attributes for no more than n seconds after file
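Review bot: the entry is headed "acl | noacl" but only describes noacl; add one sentence saying what acl does (enable the NFS_ACL RPCs even when client_nfs23_acl would disable them, if that is the intended meaning). The last sentence says noacl "should only be used when no files in the specified resource have an ACL" without saying what happens to a file that does carry an ACL when noacl is set; state the consequence so the reader can judge the risk. Minor: "then NFS client will not issue" needs "the".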
@@ -732,4 +743,4 @@
-Oracle Solaris 11.4 30 Apr 2020 mount_nfs(8)
+Oracle Solaris 11.4 26 Jul 2021 mount_nfs(8)
diff -NurbBw 11.4.36/man8/nfsd.8 11.4.39/man8/nfsd.8
--- 11.4.36/man8/nfsd.8 2021-11-16 13:14:19.998406907 +0000
+++ 11.4.39/man8/nfsd.8 2021-11-16 13:14:55.186407763 +0000
@@ -234,6 +234,12 @@
.nfsXXX Client machine pointer to an open-but-unlinked
file.
+ .ORCLdeleted_files Directory used by the server to keep track of
+ the files which were removed by an NFS client
+ while still open (.nfsXXX files). This direc-
+ tory resides in root of shared filesystem.
+ This directory should not be removed.
+
/etc/system System configuration information file.
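Review bot: the new .ORCLdeleted_files entry says the directory "should not be removed" but not what cleans it up or when; since this same change adds network-nfs-cleanup(8S) to SEE ALSO, point to it from this FILES entry. Minor: "resides in root of shared filesystem" should read "resides in the root of the shared filesystem".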
@@ -258,7 +264,7 @@
SEE ALSO
ps(1), svcs(1), sharetab(5), system(5), attributes(7), smf(7),
- mountd(8), share(8), sharectl(8), svcadm(8)
+ mountd(8), share(8), sharectl(8), svcadm(8), network-nfs-cleanup(8S)
Managing Network File Systems in Oracle Solaris 11.4
@@ -273,4 +279,4 @@
-Oracle Solaris 11.4 12 May 2016 nfsd(8)
+Oracle Solaris 11.4 24 Feb 2021 nfsd(8)
diff -NurbBw 11.4.36/man8/nfsstat.8 11.4.39/man8/nfsstat.8
--- 11.4.36/man8/nfsstat.8 2021-11-16 13:14:20.048410803 +0000
+++ 11.4.39/man8/nfsstat.8 2021-11-16 13:14:55.229338500 +0000
@@ -378,7 +378,8 @@
acl
- Server supports NFS_ACL.
+ Server supports NFS_ACL and noacl mount flag was not set by mount
+ options.
down
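Review bot: "Server supports NFS_ACL and noacl mount flag was not set by mount options" reads awkwardly, and "flag" conflicts with the term "option" used in mount_nfs(8) for the same thing; suggest "Server supports NFS_ACL and the noacl mount option was not specified."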
@@ -421,6 +422,11 @@
Server supports symbolic links.
+ xattr
+
+ Server supports extended attributes over NFS_ACL.
+
+
The following flags relate to additional mount information:
diff -NurbBw 11.4.36/man8/otpadm.8 11.4.39/man8/otpadm.8
--- 11.4.36/man8/otpadm.8 2021-11-16 13:14:20.516739522 +0000
+++ 11.4.39/man8/otpadm.8 2021-11-16 13:14:55.312522437 +0000
@@ -9,13 +9,13 @@
otpadm [-u user] subcommand [subcommand-options]
- otpadm [-u user] set <attribute[=value]> [<attribute>[=value]] ...
+ otpadm [-u user] set attribute[=value] [attribute[=value]] ...
otpadm [-u user] get [attribute1] [attribute2] ...
- otpadm [-u user] generate <attribute[=value]> [<attribute>[value]] ...
+ otpadm [-u user] generate attribute[=value] [attribute[=value]] ...
otpadm [-u user] expunge
@@ -203,12 +203,27 @@
ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
+
+
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Availability |system/security/otp |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |See below. |
+ +-----------------------------+-----------------------------+
+
+
The generate subcommand is Volatile, intended for testing only. All
other subcommands are Committed.
SEE ALSO
auth_attr(5), prof_attr(5), pam_otp_auth(7)
+HISTORY
+ The otpadm command was added in Oracle Solaris 11.3.14.
+
-Oracle Solaris 11.4 11 May 2021 otpadm(8)
+Oracle Solaris 11.4 21 Jun 2021 otpadm(8)
diff -NurbBw 11.4.36/man8/pfctl.8 11.4.39/man8/pfctl.8
--- 11.4.36/man8/pfctl.8 2021-11-16 13:14:20.587944223 +0000
+++ 11.4.39/man8/pfctl.8 2021-11-16 13:14:55.352207491 +0000
@@ -151,9 +148,9 @@
-K host | network
Kill all of the source tracking entries originating from the speci-
- fied host or network. A second -K host or -K network option may be
- specified, which will kill all the source tracking entries from the
- first host/network to the second.
+ fied host or network. A second -K host or -K network option may
+ be specified, which will kill all the source tracking entries from
+ the first host/network to the second.
-k host | network | label | id
@@ -401,8 +391,8 @@
-T expire number Delete addresses which had their statistics
cleared more than number seconds ago. For
entries which have never had their statistics
- cleared, number refers to the time they were
- added to the table.
+ cleared, number refers to the time since they
+ were added to the table.
-T replace Replace the addresses of the table. Automati-
@@ -579,8 +563,8 @@
- The 'PF' firewall service can be enabled and disabled by using the
- svcadm command:
+ The PF firewall service can be enabled and disabled by using the svcadm
+ command:
# svcadm enable svc:/network/firewall:default
@@ -589,7 +573,7 @@
To update the PF kernel module with new policy configuration, refresh
- the 'PF' firewall service:
+ the PF firewall service:
# svcadm refresh svc:/network/firewall:default
@@ -600,8 +584,7 @@
uration files. For more information, see the pfedit(8) man page.
- The smf(7) manifest for 'PF' firewall service defines two properties:
-
+ The smf(7) manifest for PF firewall service defines two properties:
firewall/rules defines a location of pf.conf(7)
@@ -622,7 +604,7 @@
After this, the svcadm restart command loads the configuration file.
SECURITY
- The process, which alters 'PF' kernel module configuration, must have
+ The process, which alters PF kernel module configuration, must have
sys_ip_config privilege. Solaris comes with a profile named Network
Firewall Management, which grants privilege to user/role.
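Review bot: in the SECURITY paragraph the commas around "which alters PF kernel module configuration" make the clause non-restrictive, which changes the meaning; it should read "A process that alters the PF kernel module configuration must have the sys_ip_config privilege." The following sentence also needs its articles: "which grants the privilege to a user or role".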
@@ -633,16 +615,15 @@
/etc/pf.os Passive operating system fingerprint database.
-
SEE ALSO
pf.conf(7), pf.os(7), smf(7), svcadm(8)
HISTORY
- The pfctl program and the 'PF' filter mechanism first appeared in Open-
- BSD 3.0.
+ The pfctl program and the PF filter mechanism first appeared in OpenBSD
+ 3.0. It was added to Oracle Solaris in Solaris 11.3.0.
SOLARIS
- File has been introduced to Solaris as a part of firewall modernization
+ PF has been introduced to Solaris as a part of firewall modernization
project. The project brings slightly modified version of PF to Solaris.
The manual page has been tailored to match a PF feature set found on
Solaris Operating System. The PF version is derived from OpenBSD 5.5
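Review bot: while the SOLARIS section is being edited, "The project brings slightly modified version of PF to Solaris" is missing an article ("a slightly modified version"); the HISTORY wording "It was added to Oracle Solaris in Solaris 11.3.0" is fine.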
@@ -650,4 +631,4 @@
-Oracle Solaris 11.4 08 Feb 2017 pfctl(8)
+Oracle Solaris 11.4 21 Jun 2021 pfctl(8)
diff -NurbBw 11.4.36/man8/pfedit.8 11.4.39/man8/pfedit.8
--- 11.4.36/man8/pfedit.8 2021-11-16 13:14:20.621532033 +0000
+++ 11.4.39/man8/pfedit.8 2021-11-16 13:14:55.382268893 +0000
@@ -75,7 +75,8 @@
-s
Mark a file "sensitive" (only valid when creating a file with
- pfedit).
+ pfedit). The file will be created with 0600 permissions and will
+ have the "sensitive" System Attribute.
EXAMPLES
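Review bot: the new sentence "The file will be created with 0600 permissions" should say whether that mode is applied regardless of the caller's umask and who owns the resulting file; for a file that is being marked sensitive precisely because of its contents, those two facts are what an administrator needs to verify.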
@@ -152,10 +153,17 @@
leged access.
- Files with the "sensitive" System Attribute or created with the -s
- option do not have the contents or content changes included in the
- audit record.
+ Files with the "sensitive" System Attribute, including those created
+ with the -s option, do not have the contents or content changes
+ included in the audit record.
+HISTORY
+ The -s option and special handling of files with the "sensitive" System
+ Attribute was added in Oracle Solaris 11.2.0.
-Oracle Solaris 11.4 25 Jun 2012 pfedit(8)
+ The pfedit command was added in Oracle Solaris 11.1.0.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 pfedit(8)
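Review bot: "The -s option and special handling of files with the 'sensitive' System Attribute was added" has a compound subject; use "were added".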
diff -NurbBw 11.4.36/man8/praudit.8 11.4.39/man8/praudit.8
--- 11.4.36/man8/praudit.8 2021-11-16 13:14:20.650646148 +0000
+++ 11.4.39/man8/praudit.8 2021-11-16 13:14:55.409822540 +0000
@@ -11,10 +11,10 @@
DESCRIPTION
praudit reads the listed filenames (or standard input, if no filename
is specified) and interprets the data as audit trail records as defined
- in audit.log(5) man page. By default, times, user and group IDs (UIDs
- and GIDs respectively) are converted to their ASCII representation.
- Record type and event fields are converted to their ASCII representa-
- tion. Only users with the PRIV_FILE_DAC_READ privilege can use the
+ in the audit.log(5) man page. By default, times, user and group IDs
+ (UIDs and GIDs respectively) are converted to their ASCII representa-
+ tion. Record type and event fields are converted to their ASCII repre-
+ sentation. Only users with the PRIV_FILE_DAC_READ privilege can use the
praudit utility. If the Trusted Extensions have been enabled, users
must have the PRIV_SYS_TRANS_LABEL privilege. Both these privileges are
included in the Audit Review rights profile.
@@ -71,6 +71,7 @@
/etc/security/audit_class
+ /etc/security/audit_class.system
Audit class definitions.
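Review bot: /etc/security/audit_class and the newly added /etc/security/audit_class.system now share the single description "Audit class definitions."; say how the two files differ (which one is meant to be edited locally and which is not) so an administrator knows where a class change belongs.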
@@ -87,6 +89,11 @@
put, for example, adt_record.xsl.1.
+USAGE
+ To print a subset of audit records, use the auditreduce(8) utility to
+ filter the contents of the audit log to select records for printing
+ before passing them to praudit.
+
EXAMPLES
Example 1 Generating an HTML Report of All Login/Logout Events
@@ -108,16 +114,16 @@
+-----------------------------+-----------------------------+
- The command stability is evolving. The output format is unstable.
+ The command stability is Committed. The output format is Uncommitted.
SEE ALSO
- xsltproc(1), ethers(3C), gethostbyaddr(3C), getipnodebyaddr(3C), getp-
- wuid(3C), audit.log(5), audit_class(5), audit_event(5), group(5), nss-
- witch.conf(5), passwd(5), attributes(7), privileges(7), getent(8)
+ xsltproc(1), getpwuid(3C), audit.log(5), audit_class(5),
+ audit_event(5), group(5), nsswitch.conf(5), passwd(5), attributes(7),
+ privileges(7), auditrecord(8), auditreduce(8), getent(8)
Managing Auditing in Oracle Solaris 11.4.
-Oracle Solaris 11.4 27 Nov 2017 praudit(8)
+Oracle Solaris 11.4 28 Jun 2021 praudit(8)
diff -NurbBw 11.4.36/man8/pwconv.8 11.4.39/man8/pwconv.8
--- 11.4.36/man8/pwconv.8 2021-11-16 13:14:20.691506870 +0000
+++ 11.4.39/man8/pwconv.8 2021-11-16 13:14:55.438529316 +0000
@@ -30,17 +30,17 @@
If the /etc/shadow file does exist, the following tasks will be per-
formed:
- Entries that are in the /etc/passwd file and not in the /etc/shadow
- file will be added to the /etc/shadow file.
+ o Entries that are in the /etc/passwd file and not in the
+ /etc/shadow file will be added to the /etc/shadow file.
- Entries that are in the /etc/shadow file and not in the /etc/passwd
- file will be removed from /etc/shadow.
+ o Entries that are in the /etc/shadow file and not in the
+ /etc/passwd file will be removed from /etc/shadow.
- Password attributes (for example, password and aging information)
- that exist in an /etc/passwd entry will be moved to the correspond-
- ing entry in /etc/shadow.
+ o Password attributes (for example, password and aging infor-
+ mation) that exist in an /etc/passwd entry will be moved to
+ the corresponding entry in /etc/shadow.
@@ -75,7 +75,7 @@
DIAGNOSTICS
pwconv exits with one of the following values:
- 0 SUCCESS.
+ 0 Success.
1 Permission denied.
@@ -98,4 +98,4 @@
-Oracle Solaris 11.4 9 Mar 1993 pwconv(8)
+Oracle Solaris 11.4 21 Jun 2021 pwconv(8)
diff -NurbBw 11.4.36/man8/sandboxadm.8 11.4.39/man8/sandboxadm.8
--- 11.4.36/man8/sandboxadm.8 2021-11-16 13:14:20.880181194 +0000
+++ 11.4.39/man8/sandboxadm.8 2021-11-16 13:14:55.597424469 +0000
@@ -9,31 +9,31 @@
/usr/bin/sandboxadm
- sandboxadm create -s <sandbox> -u <username>
- [[-c <classification] | [-p <parent_sandbox>]]
- [-g <group,[group]...]
- [-h <homedir>]
+ sandboxadm create -s sandbox -u username
+ [[-c classification] | [-p parent_sandbox]]
+ [-g group,[group]...]
+ [-h homedir]
- sandboxadm destroy -s <sandbox> [-u]
+ sandboxadm destroy -s sandbox [-u]
- sandboxadm list [-l] [[-p <parent_sandbox> | -c]
+ sandboxadm list [-l] [[-p parent_sandbox | -c]
- sandboxadm info [-s <sandbox>] [-e]
+ sandboxadm info [-s sandbox] [-e]
- sandboxadm verify -s <svcname> [-t | -u] [-k <keep_compartments>]
+ sandboxadm verify -s svcname [-t | -u] [-k keep_compartments]
sandboxadm init
- [-f <encodings_file>]
- [-c <classification_prefix>]
- [-i <classification_instances>]
- [-s <compartment_prefix>]
- [-n <number_of_compartments>]
- [-x <extra_compartments>]
+ [-f encodings_file]
+ [-c classification_prefix]
+ [-i classification_instances]
+ [-s compartment_prefix]
+ [-n number_of_compartments]
+ [-x extra_compartments]
DESCRIPTION
The sandboxadm command manages sandboxes which provide security isola-
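Review bot: the rewritten list synopsis, "sandboxadm list [-l] [[-p parent_sandbox | -c]", still has two opening brackets and one closing bracket; since the line is being rewritten anyway, balance it (presumably "[-p parent_sandbox | -c]"). The create synopsis "[[-c classification] | [-p parent_sandbox]]" is balanced but the inner brackets are redundant; "[-c classification | -p parent_sandbox]" says the same thing.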
@@ -205,7 +195,7 @@
# cd /etc/security/tsol
- # labelcfg -e <encodings_file> commit
+ # labelcfg -e encodings_file commit
The file must be either created in /etc/security/tsol directory
or copied there prior to committing it.
@@ -369,6 +349,9 @@
sandbox(1), sandbox_create(3SANDBOX), label_encodings(5), clearance(7),
labels(7), setlabel(1)
+HISTORY
+ The sandboxadm command was added in Solaris 11.4.0.
+
-Oracle Solaris 11.4 27 Nov 2015 sandboxadm(8)
+Oracle Solaris 11.4 21 Jun 2021 sandboxadm(8)
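Review bot: "was added in Solaris 11.4.0" should read "Oracle Solaris 11.4.0" to match the HISTORY wording used by the other pages in this change (otpadm, pfedit, sxadm).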
diff -NurbBw 11.4.36/man8/share_nfs.8 11.4.39/man8/share_nfs.8
--- 11.4.36/man8/share_nfs.8 2021-11-16 13:14:20.913048039 +0000
+++ 11.4.39/man8/share_nfs.8 2021-11-16 13:14:55.633466972 +0000
@@ -273,6 +273,11 @@
in a netgroup must be represented as a fully qualified DNS or LDAP
name.
+ If the explicit_netgroups setting is enabled, netgroup entries in
+ share access lists must be prefixed with the '%' character to dis-
+ tinguish them from hostnames. See nfs(5) for a description of the
+ explicit_netgroups setting.
+
domain name suffix
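Review bot: the '%' prefix rule would be easier to apply with one example of a resulting access-list entry (for instance an entry of the form ro=%netgroupname) and with a statement of how an unprefixed name that is a netgroup but not a hostname is treated when explicit_netgroups is enabled (silently matched as a hostname, or rejected), since that is the failure mode the setting exists to prevent.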
diff -NurbBw 11.4.36/man8/share_smb.8 11.4.39/man8/share_smb.8
--- 11.4.36/man8/share_smb.8 2021-11-16 13:14:20.950618645 +0000
+++ 11.4.39/man8/share_smb.8 2021-11-16 13:14:55.682053733 +0000
@@ -226,6 +226,18 @@
root share.
+ encrypt=boolean
+
+ Configures SMB encryption at the share level. This is an SMB per-
+ share property. It is a boolean type property, with false being the
+ default value. When set to true, the SMB server requires the client
+ to encrypt all the requests for accessing the specific share.
+ Again, the enforcement can be bypassed if the server allows unen-
+ crypted access. For more information, see the description about the
+ server_reject_unencypt property. Note that when server_encrypt_data
+ is true, encrypt will not have any effect.
+
+
guestok=boolean
Sets the guest access policy for the share. When set to true guest
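Review bot: "server_reject_unencypt" looks like a typo (missing "r"); verify the spelling against the actual property name, since a misspelled cross-reference cannot be searched for. "Again, the enforcement can be bypassed" also refers back to nothing in this entry; drop "Again," or name the property whose behaviour is being repeated.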
@@ -254,6 +266,16 @@
(*), in which case ro or rw can override none.
+ oplocks=<empty> | disabled | enabled
+
+ Enables or disables oplocks for its corresponding share. The valid
+ values are <empty>, disabled,or enabled. Oplocks are enabled when
+ this share property is set to "enabled", and disabled when set to
+ "disabled". When this share property is not explicitly set or
+ deliberately cleared to <empty>, the global property is referred to
+ determine whether oplocks should be enabled for the share.
+
+
ro=access-list
Specifies that sharing is read-only to the clients listed in
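Review bot: "disabled,or enabled" is missing the space after the comma; since the block is being moved into alphabetical order, fix it in the new copy. It would also help to say how a user clears the property back to <empty> on the command line, since <empty> is presented as one of the three valid values.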
@@ -268,26 +290,12 @@
See access-list.
- oplocks=<empty> | disabled | enabled
-
- Enables or disables oplocks for its corresponding share. The valid
- values are <empty>, disabled,or enabled. Oplocks are enabled when
- this share property is set to "enabled", and disabled when set to
- "disabled". When this share property is not explicitly set or
- deliberately cleared to <empty>, the global property is referred to
- determine whether oplocks should be enabled for the share.
-
-
- encrypt
+ shortnames=boolean
- Configures SMB encryption at the share level. This is an SMB per-
- share property. It is a boolean type property, with false being the
- default value. When set to true, the SMB server requires the client
- to encrypt all the requests for accessing the specific share.
- Again, the enforcement can be bypassed if the server allows unen-
- crypted access. For more information, see the description about the
- server_reject_unencypt property. Note that when server_encrypt_data
- is true, encrypt will not have any effect.
+ Specifies whether shortnames, also known as 8.3 names, are gener-
+ ated. Generating shortnames enables MS-DOS-based and Windows 3.x
+ based applications to recognize and load files that have long file
+ names. By default shortnames are not generated.
Access List Argument
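Review bot: "Windows 3.x based applications" needs a hyphen to match "MS-DOS-based". The new shortnames entry also does not say whether turning the property on for an existing share generates 8.3 names for files already present or only for files created afterwards; that distinction matters for anyone relying on the default of not generating them.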
@@ -309,6 +317,11 @@
specifies these naming schemes in the hosts portion of the nss-
witch.conf file.
+ If the explicit_netgroups setting is enabled, netgroup entries in
+ share access lists must be prefixed with the '%' character to dis-
+ tinguish them from hostnames. See smb(5) for a description of the
+ explicit_netgroups setting.
+
domainname.suffix
diff -NurbBw 11.4.36/man8/ssh-pubkey-ldap.8 11.4.39/man8/ssh-pubkey-ldap.8
--- 11.4.36/man8/ssh-pubkey-ldap.8 2021-11-16 13:14:20.993002202 +0000
+++ 11.4.39/man8/ssh-pubkey-ldap.8 2021-11-16 13:14:55.728048183 +0000
@@ -88,8 +91,8 @@
+-----------------------------+-----------------------------+
SEE ALSO
- ssh(1), sshd(8), sshd_config(5)
+ ssh(1), sshd_config(5), sshd(8)
-Oracle Solaris 11.4 27 Aug 2018 ssh-pubkey-ldap(8)
+Oracle Solaris 11.4 12 Jul 2021 ssh-pubkey-ldap(8)
diff -NurbBw 11.4.36/man8/sulogin.8 11.4.39/man8/sulogin.8
--- 11.4.36/man8/sulogin.8 2021-11-16 13:14:21.029556465 +0000
+++ 11.4.39/man8/sulogin.8 2021-11-16 13:14:55.767444154 +0000
@@ -9,12 +9,13 @@
sulogin
DESCRIPTION
- The sulogin utility is automatically invoked by init when the system is
- first started. It prompts the user to type a user name and password to
- enter system maintenance mode (single-user mode) or to type EOF (typi-
- cally CTRL-D) for normal startup (multi-user mode). The user should
- never directly invoke sulogin. The user must have the solaris.sys-
- tem.maintenance authorization.
+ The sulogin utility is automatically invoked on console if the system
+ is booted into single-user mode or if svc.startd(8) cannot start nor-
+ mally. It prompts the user to type a user name and password to enter
+ system maintenance mode (single-user mode) or to type EOF (typically
+ CTRL-D) for normal startup (multi-user mode). The user should never
+ directly invoke sulogin. The user must have the solaris.system.mainte-
+ nance authorization.
The sulogin utility can prompt the user to enter the root password on a
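Review bot: "invoked on console" should read "invoked on the console". The rewrite also drops the old statement that init invokes sulogin without naming the new invoker; if svc.startd(8) is now what runs it, say so explicitly rather than leaving it implied by "if svc.startd(8) cannot start normally".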
@@ -30,8 +31,7 @@
PASSREQ
- Determines if login requires a password. Default is PASS-
- REQ=YES.
+ Determines if login requires a password. The default is YES.
@@ -46,7 +46,8 @@
allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is
5 seconds.
- Both su(8) and login(1) are affected by the value of SLEEPTIME.
+ Both su(8) and login(1) are also affected by the value of
+ SLEEPTIME.
@@ -76,4 +77,4 @@
-Oracle Solaris 11.4 21 Aug 2008 sulogin(8)
+Oracle Solaris 11.4 21 Jun 2021 sulogin(8)
diff -NurbBw 11.4.36/man8/svc.periodicd.8 11.4.39/man8/svc.periodicd.8
--- 11.4.36/man8/svc.periodicd.8 2021-11-16 13:14:21.066746609 +0000
+++ 11.4.39/man8/svc.periodicd.8 2021-11-16 13:14:55.804427880 +0000
@@ -246,7 +246,7 @@
of that day, but not necessarily in the same minute of that hour.
- If the value of 'frequency' is greater than one, you must also specify
+ If the value of 'frequency' is greater than one, you may also specify
all constraints at or above the value of 'interval'. When defined in
this context, the constraints are used to determine a reference point
from which the rest of the schedule is computed. A service with an
@@ -256,7 +256,11 @@
these constraints are reference points and do not represent a start or
end date. It is possible to use any time on any date in any year, pro-
vided that the choice of values accurately reflects when the start
- method for the service should be run.
+ method for the service should be run. If the schedule does not define
+ the constraints 'year', 'month' or 'week_of_year', then they will be
+ assigned default values of '2000', 'January' and '1' respectively. If
+ the other constraints of 'day', 'hour', 'minute' and 'second' are not
+ specified they will be assigned random values by svc.periodicd.
Service States
Services managed by svc.periodicd can appear in any of the states
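Review bot: the new text says unspecified 'day', 'hour', 'minute' and 'second' constraints "will be assigned random values by svc.periodicd" but not when; state whether the random value is chosen once when the schedule is first loaded or again on every restart of svc.periodicd, since that decides whether a service's run time is stable across reboots.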
@@ -474,4 +478,4 @@
-Oracle Solaris 11.4 11 May 2021 svc.periodicd(8)
+Oracle Solaris 11.4 15 Jul 2021 svc.periodicd(8)
diff -NurbBw 11.4.36/man8/sxadm.8 11.4.39/man8/sxadm.8
--- 11.4.36/man8/sxadm.8 2021-11-16 13:14:21.115659450 +0000
+++ 11.4.39/man8/sxadm.8 2021-11-16 13:14:55.858257240 +0000
@@ -19,7 +19,7 @@
sxadm disable extension[,extension,...]
- sxadm get [-p -o field[,...]] property[,...] [extension]
+ sxadm get [-p] [-o field[,...]] property[,...] [extension]
sxadm help [subcommand]
@@ -28,7 +28,7 @@
sxadm set property=value[,property=value,...] extension
- sxadm status [-p -o field[,...]] [extension]
+ sxadm status [-p] [-o field[,...]] [extension]
DESCRIPTION
The sxadm command configures and provides information regarding Solaris
@@ -785,7 +765,7 @@
+-----------------------------+-----------------------------+
SEE ALSO
- ld(1), exec(2), adi(7), attributes(7)
+ ld(1), exec(2), sx_enabled(3c), adi(7), attributes(7)
Oracle ILOM Administrator's Guide for Configuration and Maintenance
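Review bot: "sx_enabled(3c)" uses a lowercase section suffix; the rest of this page and the other pages in this change write it as 3C (for example crypt(3C), getpwuid(3C)).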
@@ -794,6 +774,46 @@
Fujitsu XSCF Reference Manual
+HISTORY
+ The sxadm command was added in Oracle Solaris 11.1.0.
+
+
+ Support for the following security extensions was first added in the
+ listed Oracle Solaris release:
+
+
+ +-------------------------------------------------+---------+
+ | EXTENSION |RELEASE |
+ +-------------------------------------------------+---------+
+ |UMIP |11.4.30 |
+ +-------------------------------------------------+---------+
+ |TAA_NO, TSX_DISABLE |11.4.25 |
+ +-------------------------------------------------+---------+
+ |IF_PSCHANGE_MC_NO |11.4.21 |
+ +-------------------------------------------------+---------+
+ |RSBS |11.4.18 |
+ +-------------------------------------------------+---------+
+ |MD_CLEAR, MDS_NO |11.4.15 |
+ +-------------------------------------------------+---------+
+ |RDCL_NO |11.4.9 |
+ +-------------------------------------------------+---------+
+ |SSBD (SPARC - see below) |11.4.5 |
+ +-------------------------------------------------+---------+
+ |L1DF, SSBD (x86) |11.4.3 |
+ +-------------------------------------------------+---------+
+ |ADIHEAP, ADISTACK, HW_BTI, IBPB, IBRS, KADI, |11.4.0 |
+ |KPTI, SMAP | |
+ +-------------------------------------------------+---------+
+ |NXHEAP, NXSTACK |11.3.0 |
+ +-------------------------------------------------+---------+
+ |ASLR |11.1.0 |
+ +-------------------------------------------------+---------+
+
+
+ The SSBD extension for SPARC systems was originally delivered in Oracle
+ Solaris 11.4.5 under the name HW_SSB, and was then renamed to SSBD in
+ 11.4.18.
+
-Oracle Solaris 11.4 21 Oct 2020 sxadm(8)
+Oracle Solaris 11.4 21 Jun 2021 sxadm(8)
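Review bot: the HISTORY table and the note below it read as inconsistent: the note says SSBD on SPARC was renamed from HW_SSB in 11.4.18, but the 11.4.18 row lists only RSBS. Either add "SSBD (renamed from HW_SSB)" to the 11.4.18 row or reword the note so the reader does not go looking for a missing row.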
diff -NurbBw 11.4.36/man8/tncfg.8 11.4.39/man8/tncfg.8
--- 11.4.36/man8/tncfg.8 2021-11-16 13:14:21.165542783 +0000
+++ 11.4.39/man8/tncfg.8 2021-11-16 13:14:55.895411444 +0000
@@ -52,8 +52,8 @@
Hosts can be specified using hostnames, IP addresses, or masks. When
masks are used, a prefix length that specifies how many bits are
- required for a match must be appended . Hosts cannot be assigned to
- more than one template. When masks are used, the entry with the longest
+ required for a match must be appended. Hosts cannot be assigned to more
+ than one template. When masks are used, the entry with the longest
matching prefix is used to associate a host with a template. Packets
from hosts without a matching template are dropped.
@@ -88,11 +88,10 @@
Searches for template and host entries are resolved in the order speci-
- fied by means of the name service configuration file, /etc/nss-
- witch.conf. The keywords, tnrhdb and tnrhtp, are used to specify the
- search order for hosts and templates, respectively. Both the files and
- ldap repositories are supported, but it is recommended to specify files
- first.
+ fied by means of the name service configuration, nsswitch.conf(5). The
+ keywords tnrhdb and tnrhtp are used to specify the search order for
+ hosts and templates, respectively. Both the files and ldap repositories
+ are supported, but it is recommended to specify files first.
Creating or modifying a template requires the authorization
@@ -223,14 +222,12 @@
most one zone for each label can have its primary property set to
yes. This indicates that the zone should be selected as the target
of any operation that specifies only a label instead of a zone
- name, such as choosing the label of a desktop workspace, sharing an
- IP address, or relabeling a file.
+ name, such as sharing an IP address or relabeling a file.
By default all zones are created with their primary property set to
yes, unless an existing primary zone with a matching label already
exists. Primary zones are not required for any label except
- admin_low, which is reserved for the global zone. When primary is
- set to no, the desktop packages are not installed by default.
+ admin_low, which is reserved for the global zone.
label=sensitivity_label
@@ -297,8 +294,8 @@
-S repository
- The valid repositories are files and ldap. The repository specifies
- which name service will be updated. The default repository is
+ The repository specifies which name service will be updated. The
+ valid repositories are files and ldap. The default repository is
files.
@@ -471,7 +468,7 @@
set min_label="PUBLIC"
set max_label="CONFIDENTIAL : NEED TO KNOW"
add aux_label="SANDBOX PLAYGROUND"
- add host=myserver.oracle.com
+ add host=myserver.example.com
add host=10.5.0.0/16
tncfg:public> exit
@@ -530,12 +527,16 @@
+-----------------------------+-----------------------------+
- The invocation and subcommands are committed. Output, except for the
+ The invocation and subcommands are Committed. Output, except for the
export and info subcommands, is Not-an-Interface.
SEE ALSO
- nsswitch.conf(5), attributes(7), labels(7), zones(7), labeladm(8),
- tnctl(8), tnd(8), tninfo(8), txzonemgr(8), zonecfg(8)
+ nsswitch.conf(5), attributes(7), labels(7), trusted_extensions(7),
+ zones(7), labeladm(8), tnctl(8), tnd(8), tninfo(8), txzonemgr(8),
+ zonecfg(8)
+
+
+ Trusted Extensions Configuration and Administration
NOTES
The Labeled Zone Manager, txzonemgr(8), is an alternative application
@@ -544,4 +545,4 @@
-Oracle Solaris 11.4 27 Nov 2017 tncfg(8)
+Oracle Solaris 11.4 21 Jun 2021 tncfg(8)
diff -NurbBw 11.4.36/man8/tnchkdb.8 11.4.39/man8/tnchkdb.8
--- 11.4.36/man8/tnchkdb.8 2021-11-16 13:14:21.205740940 +0000
+++ 11.4.39/man8/tnchkdb.8 2021-11-16 13:14:55.924813591 +0000
@@ -24,7 +24,7 @@
You can specify an alternate path for any or all of the files by speci-
fying that path on the command line by using the -h (tnrhdb), -t
- (tnrhtp) and -z (tnzonecfg) options. The options are useful when test-
+ (tnrhtp), and -z (tnzonecfg) options. The options are useful when test-
ing a set of modified files before installing the files as new system
databases.
@@ -45,16 +45,16 @@
files are visible only in the global zone.
OPTIONS
- -h [ path ] Check path for proper tnrhdb syntax. If path is not
- specified, then check /etc/security/tsol/tnrhdb.
+ -h path Check path for proper tnrhdb syntax. If -h is not specified,
+ then check /etc/security/tsol/tnrhdb.
- -t [ path ] Check path for proper tnrhtp syntax. If path is not
- specified, then check /etc/security/tsol/tnrhtp.
+ -t path Check path for proper tnrhtp syntax. If -t is not specified,
+ then check /etc/security/tsol/tnrhtp.
- -z [ path ] Check path for proper tnzonecfg syntax. If path is not
- specified, then check /etc/security/tsol/tnzonecfg.
+ -z path Check path for proper tnzonecfg syntax. If -z is not speci-
+ fied, then check /etc/security/tsol/tnzonecfg.
EXAMPLES
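Review bot: changing `-h [ path ]` to `-h path` together with "If -h is not specified, then check /etc/security/tsol/tnrhdb" changes the documented semantics, not just the wording: the path argument becomes mandatory whenever -h is given, and the default file now applies only when the option is absent. Confirm that the SYNOPSIS of this page was updated to match and that `tnchkdb -h` with no argument is really rejected; if the optional-argument form is still accepted, the old `-h [ path ]` wording should be kept. The same applies to the -t and -z entries in this hunk.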
@@ -122,6 +122,11 @@
It is possible to have inconsistent but valid configurations of tnrhtp
and tnrhdb when LDAP is used to supply missing templates.
+HISTORY
+ The tnchkdb command was added to Solaris in Solaris 10 4/08 (Update 5).
+ Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
-Oracle Solaris 11.4 20 Jul 2007 tnchkdb(8)
+
+Oracle Solaris 11.4 21 Jun 2021 tnchkdb(8)
diff -NurbBw 11.4.36/man8/tnctl.8 11.4.39/man8/tnctl.8
--- 11.4.36/man8/tnctl.8 2021-11-16 13:14:21.251569674 +0000
+++ 11.4.39/man8/tnctl.8 2021-11-16 13:14:55.962849265 +0000
@@ -8,7 +8,7 @@
SYNOPSIS
/usr/sbin/tnctl [-dfv] [-h host [/prefix] [:template]]
[-m zone:mlp:shared-mlp][-t template [:key=val [;key=val]]]
- [-HTz] file]
+ [-HTz file]
DESCRIPTION
tnctl provides an interface to manipulate trusted network parameters in
@@ -110,18 +110,6 @@
-ATTRIBUTES
- See attributes(7) for descriptions of the following attributes:
-
-
- +-----------------------------+-----------------------------+
- | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
- +-----------------------------+-----------------------------+
- |Availability |system/trusted |
- +-----------------------------+-----------------------------+
- |Interface Stability |Uncommitted |
- +-----------------------------+-----------------------------+
-
FILES
/etc/security/tsol/tnrhdb
@@ -143,6 +131,18 @@
Configuration file for the name service switch
+ATTRIBUTES
+ See attributes(7) for descriptions of the following attributes:
+
+
+ +-----------------------------+-----------------------------+
+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+ +-----------------------------+-----------------------------+
+ |Availability |system/trusted |
+ +-----------------------------+-----------------------------+
+ |Interface Stability |Uncommitted |
+ +-----------------------------+-----------------------------+
+
SEE ALSO
svcs(1), nsswitch.conf(5), protocols(5), services(5), attributes(7),
smf(7), svcadm(8), tnchkdb(8), tnd(8), tninfo(8), zoneadm(8)
@@ -173,6 +173,11 @@
svcadm restart svc:/network/tnctl
+HISTORY
+ The tnctl command was added to Solaris in Solaris 10 4/08 (Update 5).
+ Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
+
-Oracle Solaris 11.4 3 Jul 2012 tnctl(8)
+Oracle Solaris 11.4 21 Jun 2021 tnctl(8)
diff -NurbBw 11.4.36/man8/tnd.8 11.4.39/man8/tnd.8
--- 11.4.36/man8/tnd.8 2021-11-16 13:14:21.299663760 +0000
+++ 11.4.39/man8/tnd.8 2021-11-16 13:14:55.991380149 +0000
@@ -12,7 +12,7 @@
The tnd (trusted network daemon) initializes the kernel with trusted
network databases and also reloads the databases on demand from an LDAP
server and local files. tnd follows the order specified in the nss-
- witch.conf(5) file when loading configuration databases.
+ witch.conf(5) configuration when loading configuration databases.
tnd is intended to be started from the svc:/network/tnd smf(7) service
@@ -29,8 +29,8 @@
If a local trusted networking database file is modified, the adminis-
trator should run tnchkdb(8) to check the syntax, and should also run
- svcadm refresh
- svc:/network/tnd to initiate an immediate database scan by tnd.
+ svcadm refresh svc:/network/tnd to initiate an immediate database scan
+ by tnd.
tnd is intended to be started from an smf(7) script and to run in the
@@ -151,6 +151,11 @@
svcadm restart svc:/network/tnd
+HISTORY
+ The tnd daemon was added to Solaris in Solaris 10 4/08 (Update 5).
+ Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
-Oracle Solaris 11.4 9 Apr 2010 tnd(8)
+
+Oracle Solaris 11.4 21 Jun 2021 tnd(8)
diff -NurbBw 11.4.36/man8/tninfo.8 11.4.39/man8/tninfo.8
--- 11.4.36/man8/tninfo.8 2021-11-16 13:14:21.341380579 +0000
+++ 11.4.39/man8/tninfo.8 2021-11-16 13:14:56.030089376 +0000
@@ -158,6 +158,14 @@
The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.
+HISTORY
+ The -i option was added in Oracle Solaris 11.1.0.
-Oracle Solaris 11.4 12 Apr 2012 tninfo(8)
+ The tninfo command was added to Solaris in Solaris 10 4/08 (Update 5).
+ Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
+
+
+
+Oracle Solaris 11.4 21 Jun 2021 tninfo(8)
diff -NurbBw 11.4.36/man8/tpdlogin.8 11.4.39/man8/tpdlogin.8
--- 11.4.36/man8/tpdlogin.8 2021-11-16 13:14:21.368328986 +0000
+++ 11.4.39/man8/tpdlogin.8 2021-11-16 13:14:56.085520939 +0000
@@ -45,6 +45,9 @@
SEE ALSO
login(1), attributes(7), tpd(7), ttymon(8)
+HISTORY
+ The tpdlogin utility was added in Oracle Solaris 11.2.0.
-Oracle Solaris 11.4 27 Nov 2017 tpdlogin(8)
+
+Oracle Solaris 11.4 21 Jun 2021 tpdlogin(8)
diff -NurbBw 11.4.36/man8/tpmadm.8 11.4.39/man8/tpmadm.8
--- 11.4.36/man8/tpmadm.8 2021-11-16 13:14:21.407566913 +0000
+++ 11.4.39/man8/tpmadm.8 2021-11-16 13:14:56.126253641 +0000
@@ -75,7 +75,7 @@
SUB-COMMANDS
The following subcommands are used in the form:
- # tpamadm <subcommand> [operand]
+ # tpmadm <subcommand> [operand]
status
@@ -206,15 +205,8 @@
loaded in order to load the key being exported. The user will be
prompted for all authorization passwords as needed.
-
- tpmadm migrate import This subcommand prompts for the migration
- PIN that was created with the tpmadm
- migrate export subcommand.
-
- Here is an example. The PIN is not dis-
- played on the screen, but is shown in this
- example:
-
+ Here is an example. The PIN is not displayed on the screen, but is
+ shown in this example:
# tpmadm migrate import
Enter TPM Owner PIN: BAKUP555
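Review bot: the deleted lines were the only description of the `tpmadm migrate import` subcommand (that it prompts for the migration PIN created with `tpmadm migrate export`); what survives is the "Here is an example" sentence and the transcript, which now read as a continuation of the migrate export text directly above them. Unless the subcommand description was relocated outside this hunk, restore a short entry before the example, e.g. `migrate import` followed by `Prompts for the migration PIN that was created with the tpmadm migrate export subcommand.`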
@@ -250,19 +240,14 @@
After completing the requested operation, tpmadm exits with one of the
following status values.
- 0
-
- Successful termination.
-
+ 0 Successful termination.
- 1
- Failure. The requested operation could not be completed.
+ 1 Failure. The requested operation could not be completed.
- 2
-
- Usage error. The tpmadm command was invoked with invalid arguments.
+ 2 Usage error. The tpmadm command was invoked with invalid
+ arguments.
ATTRIBUTES
@@ -284,9 +269,10 @@
See also the tcsd(8) man page, available in the pkg:/library/secu-
rity/trousers package.
+ TCG Software Stack (TSS) Specifications:
+
+ https://www.trustedcomputinggroup.org/specs/TSS
- TCG Software Stack (TSS) Specifications: https://www.trustedcomputing-
- group.org/specs/TSS (as of the date of publication)
NOTES
tpmadm communicates with the TPM device through the tcsd service. tcsd
@@ -301,4 +287,4 @@
-Oracle Solaris 11.4 24 Mar 2020 tpmadm(8)
+Oracle Solaris 11.4 21 Jun 2021 tpmadm(8)
diff -NurbBw 11.4.36/man8/txzonemgr.8 11.4.39/man8/txzonemgr.8
--- 11.4.36/man8/txzonemgr.8 2021-11-16 13:14:21.439854177 +0000
+++ 11.4.39/man8/txzonemgr.8 2021-11-16 13:14:56.161296660 +0000
@@ -70,19 +70,13 @@
No values are returned for GUI mode. For command-line operation, the
following exit values are returned:
- 0
+ 0 Successful completion.
- Successful completion.
+ 1 An error occurred.
- 1
- An error occurred.
-
-
- 2
-
- Invalid usage.
+ 2 Invalid usage.
ATTRIBUTES
@@ -104,6 +98,11 @@
Trusted Extensions Configuration and Administration
+HISTORY
+ The txzonemgr command was added to Solaris in Solaris 10 4/08 (Update
+ 5). Prior to that it was included in the Trusted Extensions add-on for
+ Solaris.
+
-Oracle Solaris 11.4 27 Nov 2017 txzonemgr(8)
+Oracle Solaris 11.4 21 Jun 2021 txzonemgr(8)
diff -NurbBw 11.4.36/man8/useradd.8 11.4.39/man8/useradd.8
--- 11.4.36/man8/useradd.8 2021-11-16 13:14:21.477088292 +0000
+++ 11.4.39/man8/useradd.8 2021-11-16 13:14:56.200956209 +0000
@@ -17,6 +17,12 @@
[-s shell] [-S repository] [-u uid [-o]] username
+ useradd -D [-A authorization[,authorization...]]
+ [-b base_dir] [-s shell [-k skel_dir]] [-e expire]
+ [-f inactive] [-g group] [-K key=value] [-p projname]
+ [-P profile[,profile...]]
+
+
roleadd [-A authorization [,authorization...]]
[-b base_dir | -d dir] [-c comment] [-e expire]
[-f inactive] [-g group] [-G group [,group]...]
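Review bot: the new `useradd -D` synopsis lists -A, -b, -s, -k, -e, -f, -g, -K, -p and -P but omits -R, while the DESCRIPTION later in this patch says -D accepts -R to set defaults and the defaults table has a `roles` row. Either add `[-R role[,role...]]` to this synopsis or drop -R from the -D description so the two agree.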
@@ -26,7 +32,7 @@
[-s shell] [-S repository] [-u uid [-o]] rolename
- useradd -D [-A authorization [,authorization...]]
+ roleadd -D [-A authorization[,authorization...]]
[-b base_dir] [-s shell [-k skel_dir]] [-e expire]
[-f inactive] [-g group] [-K key=value] [-p projname]
[-P profile [,profile...]]
@@ -40,7 +46,7 @@
[-P profile [,profile...]]
[-R role [, role...]]
[-l new_username]
- [-q qualifier
+ [-q qualifier]
[-s shell] [-S repository] [-u uid [-o]] username
@@ -51,28 +57,40 @@
[-z yes | no | nodelegation]
[-P profile [,profile...]]
[-l new_rolename]
- [-q qualifier
+ [-q qualifier]
[-s shell] [-S repository] [-u uid [-o]] rolename
DESCRIPTION
- useradd adds a new user to the passwd, shadow, and user_attr databases
- in the files and ldap repositories. The -A and -P options respectively
- assign authorizations and profiles to the user. The -R option assigns
- roles to a user. The -p option associates a project with a user. The -K
- option adds a key=value pair to user_attr entry for the user. Multiple
- key=value pairs may be added with multiple -K options.
+ The useradd and roleadd utilities add a new user or role entry to the
+ passwd(5), shadow(5), and user_attr(5) databases in the files or ldap
+ repository.
+
+
+ The usermod and rolemod utilities modify a user's or role's login defi-
+ nition on the system. They change the definition of the specified login
+ and make the appropriate login-related changes to the appropriate
+ repository and corresponding file system changes.
- useradd also creates supplementary group memberships for the user (-G
- option) and creates the home directory (-m option) for the user if
+ The -A and -P options respectively assign authorizations and profiles
+ to the user or role. The -R option assigns roles to a user. (Roles can-
+ not be assigned to other roles.) The -p option associates a project
+ with a user or role. The -K option adds a key=value pair to the
+ user_attr entry for the user or role. Multiple key=value pairs may be
+ added with multiple -K options.
+
+
+ The -G option creates supplementary group memberships for the user or
+ role. The -m option creates the home directory for the user or role if
requested. The new login remains locked until the passwd(1) command is
executed.
- Specifying useradd -D with the -s, -k,-g, -b, -f, -e, -A, -P, -p, -R,
- or -K option (or any combination of these options) sets the default
- values for the respective fields. See the -D option, below. Subsequent
- useradd commands without the -D option use these arguments.
+ Specifying the -D to useradd or roleadd with the -s, -k, -g, -b, -f,
+ -e, -A, -P, -p, -R, or -K option (or any combination of these options)
+ sets the default values for the respective fields. See the -D option,
+ below. Subsequent useradd or roleadd commands without the -D option use
+ these arguments.
Alternatively, default settings may be specified that are applied
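Review bot: "Specifying the -D to useradd or roleadd" is missing a word; "Specifying the -D option to useradd or roleadd" reads correctly. The same paragraph lists -R among the options that set defaults for roleadd, but the paragraph just above states "Roles cannot be assigned to other roles", so either exclude -R from the roleadd -D list or note that the -R default applies to useradd only.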
@@ -84,9 +102,20 @@
icy.conf(5).
- useradd requires that usernames be in the format described in
- passwd(5). A warning message is displayed if these restrictions are not
- met. See passwd(5) for the requirements for usernames.
+ useradd and usermod require that usernames be in the format described
+ in passwd(5). A warning message is displayed if these restrictions are
+ not met.
+
+
+ roleadd and rolemod require that role names be a string of no more than
+ eight bytes consisting of characters from the set of alphabetic charac-
+ ters, numeric characters, period (.), underscore (_), and hyphen (-).
+ The first character should be alphabetic and the name should contain at
+ least one lower case alphabetic character. A warning message is written
+ if these restrictions are not met. A future Solaris release might
+ refuse to accept role names that do not meet these requirements. Role
+ names must contain at least one character and must not contain a colon
+ (:) or a newline (\n).
When used with usermod or rolemod the -A, -G, -K, -P, and -R options
@@ -98,10 +127,13 @@
An administrator must be granted the User Management Profile to be able
- to create a new user. The authorizations required to set the various
- fields in passwd, shadow and user_attr can be found in passwd(5),
- shadow(5), and user_attr(5). The authorizations required to assign
- groups and projects can be found in group(5) and project(5).
+ to create a new user or role. An administrator must be granted the User
+ Security Profile to modify the security attributes for an existing
+ user. To be able to modify the non-security attributes of an existing
+ user requires the User Management Profile. The authorizations required
+ to set the various fields in passwd, shadow, and user_attr can be found
+ in passwd(5), shadow(5), and user_attr(5). The authorizations required
+ to assign groups and projects can be found in group(5) and project(5).
OPTIONS
The following options are supported:
@@ -150,75 +182,39 @@
the -D option sets the default values for the specified fields. The
default values are:
- group
-
- other (GID of 1)
-
-
- base_dir
-
- /export/home
-
-
- skel_dir
-
- /etc/skel
-
-
- shell
-
- /usr/bin/bash
-
-
- inactive
-
- 0
-
-
- expire
-
- null
-
-
- auths
-
- null
-
-
- profiles
-
- null
-
-
- auth_profiles
-
- null
-
-
- proj
-
- 3
-
-
- projname
-
- default
-
-
- zfshome
-
- yes
-
-
- key=value (pairs defined in user_attr(5)
-
- not present
-
-
- roles
-
- null
+ +-----------------------------+-----------------------------+
+ | FIELD | DEFAULT VALUE |
+ +-----------------------------+-----------------------------+
+ |group |other (GID of 1) |
+ +-----------------------------+-----------------------------+
+ |base_dir |/export/home |
+ +-----------------------------+-----------------------------+
+ |skel_dir |/etc/skel |
+ +-----------------------------+-----------------------------+
+ |shell |/usr/bin/bash |
+ +-----------------------------+-----------------------------+
+ |inactive |0 |
+ +-----------------------------+-----------------------------+
+ |expire |null |
+ +-----------------------------+-----------------------------+
+ |auths |null |
+ +-----------------------------+-----------------------------+
+ |profiles |null |
+ +-----------------------------+-----------------------------+
+ |auth_profiles |null |
+ +-----------------------------+-----------------------------+
+ |proj |3 |
+ +-----------------------------+-----------------------------+
+ |projname |default |
+ +-----------------------------+-----------------------------+
+ |zfshome |yes |
+ +-----------------------------+-----------------------------+
+ |key=value (pairs defined in |not present |
+ |user_attr(5)) | |
+ +-----------------------------+-----------------------------+
+ |roles |null |
+ +-----------------------------+-----------------------------+
-e expire
@@ -320,6 +316,15 @@
the projname field as defined in project(5).
+ -q qualifier
+
+ The name of a host or netgroup which qualifies where the extended
+ attributes (specified through the -K, -P, -A, and -R options) are
+ applicable. The prefix @ is required to indicate that the qualifier
+ is a netgroup name. The -q option is only valid if the login
+ account is maintained in the LDAP name service.
+
+
-R [+|-]role
One or more comma-separated execution profiles defined in
@@ -341,12 +346,10 @@
home directory. The option can be set as the system wide default or
set per user/role.
-
-
yes
- User has their own ZFS filesystem with the mount,create,snap-
- shot zfs allow delegations
+ User has their own ZFS filesystem with the mount, create, and
+ snapshot zfs allow delegations
nodelegation
@@ -504,13 +499,12 @@
jdoe::::type=normal;defaultpriv=basic,!proc_session;limitpriv=all
-
Example 8 Assigning a Role to a User
The following command assigns a role to a user. The role must have been
- created prior to this command through use of roleadd(8).
+ created prior to running this command.
# usermod -R mailadm jdoe
@@ -535,8 +528,8 @@
assigns the mailadm role to the user.
- # usermod -A 'solaris.zone.manage' -P 'Project Management' -K limitpriv=basic
- -R mailadm -S files jdoe_ldap
+ # usermod -A 'solaris.zone.manage' -P 'Project Management' \
+ -K limitpriv=basic -R mailadm -S files jdoe_ldap
@@ -544,9 +537,8 @@
This command results in the following entry in user_attr:
- jdoe_ldap::::auths=solaris.zone.manage;profiles=ProjectManagement;limitpriv=basic;
- roles=mailadm
-
+ jdoe_ldap::::auths=solaris.zone.manage;profiles=ProjectManagement;
+ limitpriv=basic;roles=mailadm
Example 10 Granting an Authenticated Rights Profile to a User
@@ -593,8 +583,7 @@
This will change the root account to be a role and add the root role to
any existing role assignments for the user jdoe.
-
- Example 13 Set the root account back to a login account
+ Example 13 Set the root account to be a direct login account
@@ -626,10 +614,9 @@
user_attr databases, and will delete the users home directory and all
of its content.
-
EXIT STATUS
- In case of an error, useradd prints an error message and exits with one
- of the following values:
+ In case of an error, these commands print an error message and exit
+ with one of the following values:
1 No permission for attempted operation.
@@ -742,9 +729,9 @@
SEE ALSO
auths(1), passwd(1), profiles(1), roles(1), getdate(3C), auth_attr(5),
- group(5), passwd(5), prof_attr(5), project(5), user_attr(5),
- attributes(7), labels(7), groupadd(8), groupdel(8), groupmod(8),
- grpck(8), logins(8), pwck(8), userdel(8), usermod(8)
+ group(5), passwd(5), prof_attr(5), project(5), shadow(5), user_attr(5),
+ attributes(7), labels(7), rbac(7), groupadd(8), groupdel(8), group-
+ mod(8), grpck(8), logins(8), pwck(8), pwconv(8), roledel(8), userdel(8)
Managing User Accounts and User Environments in Oracle Solaris 11.4
@@ -817,12 +804,12 @@
NOTES
- The useradd utility adds definitions to the passwd, shadow, group,
+ These utilities add or modify definitions in the passwd, shadow, group,
project, and user_attr databases in the scope (default or specified).
- It will verify the uniqueness of the user name (or role) and user id
+ They will verify the uniqueness of the user name (or role) and user id
and the existence of any group names specified against the external
name service.
-Oracle Solaris 11.4 31 Mar 2020 useradd(8)
+Oracle Solaris 11.4 21 Jun 2021 useradd(8)
diff -NurbBw 11.4.36/man8/userdel.8 11.4.39/man8/userdel.8
--- 11.4.36/man8/userdel.8 2021-11-16 13:14:21.506112745 +0000
+++ 11.4.39/man8/userdel.8 2021-11-16 13:14:56.230326807 +0000
@@ -16,8 +16,8 @@
DESCRIPTION
The userdel or roledel utility deletes a user (or role) account from
- the local files or specified name-service repository and optiontional
- and removes the account home directory from the file system.
+ the local files or specified name-service repository and optionally
+ removes the account home directory from the file system.
For accounts that are created using -S ldap, the default values for
@@ -115,8 +114,9 @@
SEE ALSO
auths(1), passwd(1), profiles(1), roles(1), passwd(5), prof_attr(5),
- user_attr(5), attributes(7), groupadd(8), groupdel(8), groupmod(8),
- logins(8), roleadd(8), rolemod(8), useradd(8), usermod(8)
+ shadow(5), user_attr(5), attributes(7), rbac(7), groupadd(8),
+ groupdel(8), groupmod(8), logins(8), roleadd(8), rolemod(8), user-
+ add(8), usermod(8)
Managing User Accounts and User Environments in Oracle Solaris 11.4
@@ -125,10 +125,10 @@
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
NOTES
- The userdel utility deletes an account definition that is in the group,
+ These utilities delete an account definition that is in the group,
passwd, shadow, and user_attr databases in the files or ldap reposi-
tory.
-Oracle Solaris 11.4 31 Mar 2020 userdel(8)
+Oracle Solaris 11.4 21 Jun 2021 userdel(8)
diff -NurbBw 11.4.36/man8/utmpd.8 11.4.39/man8/utmpd.8
--- 11.4.36/man8/utmpd.8 2021-11-16 13:14:21.571604046 +0000
+++ 11.4.39/man8/utmpd.8 2021-11-16 13:14:56.297935385 +0000
@@ -9,8 +9,8 @@
utmpd [-debug]
DESCRIPTION
- The utmpd daemon monitors the /var/adm/utmpx file. See utmpx(5) (and
- utmp(5) for historical information).
+ The utmpd daemon monitors and updates the /var/adm/utmpx file. See
+ utmpx(5).
utmpd receives requests from pututxline(3C) by way of a named pipe. It
@@ -21,6 +21,11 @@
removes the entry. By periodically scanning the /var/adm/utmpx file,
utmpd also monitors processes that are not in its table.
+
+ utmpd also periodically opens the /var/adm/wtmpx file. The wtmpx file's
+ last access time is used by init(8) on reboot to determine when the
+ operating system became unavailable if it did not shut down cleanly.
+
OPTIONS
-debug
@@ -63,9 +68,7 @@
WTMPX_UPDATE_FREQ
The number of seconds that utmpd sleeps between read accesses
- of the wtmpx file. The wtmpx file's last access time is used by
- init(8) on reboot to determine when the operating system became
- unavailable. The default is 60.
+ of the wtmpx file. The default is 60.
@@ -116,6 +119,9 @@
requesting restart, can be performed using svcadm(8). The service's
status can be queried using the svcs(1) command.
+HISTORY
+ The utmpd daemon was added in Solaris 2.4.
+
-Oracle Solaris 11.4 27 Nov 2017 utmpd(8)
+Oracle Solaris 11.4 21 Jun 2021 utmpd(8)
diff -NurbBw 11.4.36/man8/whodo.8 11.4.39/man8/whodo.8
--- 11.4.36/man8/whodo.8 2021-11-16 13:14:21.600608493 +0000
+++ 11.4.39/man8/whodo.8 2021-11-16 13:14:56.325921032 +0000
@@ -9,8 +9,8 @@
/usr/sbin/whodo [-h] [-l] [user]
DESCRIPTION
- The whodo command produces formatted and dated output from information
- in the /var/adm/utmpx and /proc/pid files.
+ The whodo command produces formatted and timestamped output from infor-
+ mation in the /var/adm/utmpx and /proc/pid/psinfo files.
The display is headed by the date, time, and machine name. For each
@@ -116,13 +116,10 @@
FILES
- /etc/passwd System password file
-
-
/var/adm/utmpx User access and administration information
- /proc/pid Contains PID
+ /proc/pid/psinfo Process information for pid
ATTRIBUTES
@@ -136,8 +133,8 @@
+-----------------------------+-----------------------------+
SEE ALSO
- ps(1), who(1), attributes(7), environ(7)
+ ps(1), who(1), utmpx(5), attributes(7), environ(7)
-Oracle Solaris 11.4 11 May 2021 whodo(8)
+Oracle Solaris 11.4 21 Jun 2021 whodo(8)
diff -NurbBw 11.4.36/man8/zfs_share.8 11.4.39/man8/zfs_share.8
--- 11.4.36/man8/zfs_share.8 2021-11-16 13:14:21.646285026 +0000
+++ 11.4.39/man8/zfs_share.8 2021-11-16 13:14:56.376201961 +0000
@@ -743,6 +743,9 @@
share.smb.catia Enables CATIA translation on or off
support. The default
value is off.
+ share.smb.cont_avail Enables continuous avail- on or off
+ ability for the share.
+ The default value is off.
share.smb.csc Enables client-side disabled, manual, auto, or vdo
caching support. The
default value is dis-
@@ -769,6 +772,9 @@
read-write access for the
specified hosts in
access-list.
+ share.smb.shortnames Enables shortnames gener- on or off
+ ation. The default value
+ is off.
SUBCOMMANDS
diff -NurbBw 11.4.36/man8/zoneadm.8 11.4.39/man8/zoneadm.8
--- 11.4.36/man8/zoneadm.8 2021-11-16 13:14:21.712348810 +0000
+++ 11.4.39/man8/zoneadm.8 2021-11-16 13:14:56.478618233 +0000
@@ -414,7 +414,7 @@
zoneadm list [list-options]
- zoneadm list [-c] [-i] [[-p] | [-s] | [-v]] [-b brandlist]
+ zoneadm list [-c] [-i] [[-p] | [-s] | [-v]] [-d] [-b brandlist]
Display the name of the current zones, or the specified zone if
indicated.
@@ -448,16 +448,17 @@
zoneid:zonename:state:zonepath:uuid:brand:ip-type:\
- r/w:file-mac-profile:auxstate
+ r/w:file-mac-profile:auxstate:description
- If the zonepath contains embedded colons, those are escaped by
- a backslash ("\:"), which is parsable by using the shell
- read(1) function with the environmental variable IFS. The uuid
- value is assigned by libuuid(3LIB) when the zone is installed,
- and is useful for identifying the same zone when present (or
- renamed) on alternate boot environments. Any software that
- parses the output of the zoneadm list -p command must be able
- to handle any fields that may be added in the future.
+ If the zonepath and/or description contains embedded colons,
+ those are escaped by a backslash ("\:"), which is parsable by
+ using the shell read(1) function with the environmental vari-
+ able IFS. The uuid value is assigned by libuuid(3LIB) when the
+ zone is installed, and is useful for identifying the same zone
+ when present (or renamed) on alternate boot environments. Any
+ software that parses the output of the zoneadm list -p command
+ must be able to handle any fields that may be added in the
+ future.
If zoneid or r/w is not set, their values are printed as a sin-
gle dash ('-'). Values that are not set are left empty. For
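Review bot: the escaping rule covers only embedded colons in zonepath and description; it does not say whether a literal backslash in either value is itself escaped. Without that, a zonepath ending in `\` (zonepath is not the last field) is printed as `...\:uuid...` and a parser following the read(1)/IFS advice will treat that as one field containing a colon. Either document that backslashes are escaped as well, or state which characters are disallowed in zonepath and description.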
@@ -465,13 +466,13 @@
# zoneadm -z myzone list -p
- -:myzone:incomplete:::::-::no-config
+ -:myzone:incomplete:::::-::no-config:
Any new fields that may be added in the future will be printed
as empty if not set.
The -s, -v, and -p options are mutually exclusive. If neither
- -v nor -p is used, just the zone name is listed.
+ -v, -p nor -d is used, just the zone name is listed.
-s
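Review bot: "If neither -v, -p nor -d is used" uses neither/nor with three alternatives; "If none of -v, -p, or -d is used, just the zone name is listed" is the correct form. The trailing colon added to the example output is consistent with "Values that are not set are left empty" above, so that part is fine.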
@@ -482,6 +483,10 @@
The -s, -p, and -v options are mutually exclusive.
+ There is no support for displaying the auxiliary states
+ together with the zone description, so -s and -d can't be used
+ together either.
+
-v
@@ -491,6 +496,15 @@
The -s, -v, and -p options are mutually exclusive.
+ -d
+
+ Display zone description. This option works separately, and in
+ combination with -v, -c and -i by adding a rightmost column to
+ display the zone description.
+
+ The -s and -d options are mutually exclusive.
+
+
-b brand[,brand]
Display only the brand(s) specified by this option.
diff -NurbBw 11.4.36/man8/zpool.8 11.4.39/man8/zpool.8
--- 11.4.36/man8/zpool.8 2021-11-16 13:14:21.807276530 +0000
+++ 11.4.39/man8/zpool.8 2021-11-16 13:14:56.546904771 +0000
@@ -45,7 +45,8 @@
zpool history [-il] [pool] ...
- zpool import [-d path ... | -c cachefile] [-D] [-l] [-s all | field[,...]]
+ zpool import [-d path ... | -c cachefile] [-D] [-l]
+ [-S section[,...]] [-s all | field[,...]]
zpool import [-d path ... |-c cachefile] [-D] [-F [-n]] <pool | id>
@@ -105,7 +106,8 @@
newpool [device ...]
- zpool status [-s all | field[,...]] [-l] [-v] [-x] [-T d|u ] [pool] ... [interval[count]]
+ zpool status [-S section[,...]] [-s all | field[,...]]
+ [-l] [-v] [-x] [-T d|u ] [pool] ... [interval[count]]
zpool upgrade
@@ -1234,8 +1236,8 @@
- zpool import [-d path ... | -c cachefile] [-D] [-l] [-s all |
- field[,...]]
+ zpool import [-d path ... | -c cachefile] [-D] [-l] [-S section[,...]]
+ [-s all | field[,...]]
Lists pools available to import. If the -d option is not specified,
this command searches for devices in /dev/dsk. The -d option can be
@@ -1284,7 +1286,17 @@
psize, lsize. See 'Device status properties' section for more
details.
- Without -s option no device status will be displayed.
+ When used in combination with -S, 'config' section is implic-
+ itly included in the sections displayed.
+
+
+ -S section[,...]]
+
+ A comma-separated list of sections to display. The list of sta-
+ tus sections available are: pool, id, state, scan, config,
+ dedup, errors.
+
+ Without -S option all available sections will be displayed.
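Review bot: the option heading `-S section[,...]]` has an unbalanced closing bracket; it should be `-S section[,...]` as in the SYNOPSIS. Separately, the removed line "Without -s option no device status will be displayed." was the only statement of zpool import's behaviour when -s is absent, and the replacement text covers only the -S interaction; restore that sentence next to the new one, and give the new paragraph its article ("Without the -S option, all available sections are displayed").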
@@ -1833,8 +1845,8 @@
- zpool status [-s all | field[,...]] [-l] [- v] [-x] [-T d|u] [pool]
- ... [interval[count]]
+ zpool status [-s all | field[,...]] [-S section[,...]] [-l] [- v] [-x]
+ [-T d|u] [pool] ... [interval[count]]
Displays the detailed health status for the given pools. If no pool
is specified, then the status of each pool in the system is dis-
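Review bot: this subcommand heading orders the options as `[-s all | field[,...]] [-S section[,...]]`, whereas the SYNOPSIS hunk earlier in this patch puts `[-S section[,...]]` before `[-s all | field[,...]]`; pick one order for both so a reader scanning for the new option finds it in the same place. While this line is being touched, `[- v]` should be `[-v]`.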
@@ -1858,10 +1870,22 @@
psize, lsize. See 'Device status properties' section for more
details.
+ When used in combination with -S, 'config' section is implic-
+ itly included in the sections displayed.
+
Without -s option, the default fields (name, state, read,
write, checksum) will be displayed.
+ -S section[,...]]
+
+ A comma-separated list of sections to display. The list of sta-
+ tus sections available are: pool, id, state, scan, config,
+ dedup, errors.
+
+ Without -S option all available sections will be displayed.
+
+
-l
If possible, display vdev status in current /dev/chassis loca-
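Review bot: same unbalanced bracket as in the import section, `-S section[,...]]` should be `-S section[,...]`, and "Without -S option" needs its article ("Without the -S option"). Note also that the -s paragraph here keeps its "Without -s option, the default fields ... will be displayed" sentence, which is the behaviour the import hunk lost.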
diff -NurbBw 11.4.36/man8s/account-policy.8s 11.4.39/man8s/account-policy.8s
--- 11.4.36/man8s/account-policy.8s 2021-11-16 13:14:21.857618412 +0000
+++ 11.4.39/man8s/account-policy.8s 2021-11-16 13:14:56.594292184 +0000
@@ -10,7 +10,7 @@
DESCRIPTION
The svc:/system/account-policy:default service provides the security
- policy configuration for user account attributes. Authentication Pol-
+ policy configuration for user account attributes, authentication pol-
icy, password complexity, and default RBAC settings.
@@ -430,13 +430,11 @@
user.
-
EXAMPLES
Example 1 Enabling a password policy
-
- svccfg -s account-policy
+ % svccfg -s account-policy
svc:/.../account-policy> setprop password/history = 5
svc:/.../account-policy> setprop password/complexity/min_special = 1
svc:/.../account-policy> refresh
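Review bot: the example now shows a `%` (unprivileged user) prompt for `svccfg -s account-policy` followed by setprop and refresh, while the FILES example later in this same patch uses `#` for an equivalent svccfg setprop on the same service. Changing account-policy properties requires the appropriate SMF authorizations, so the `#` prompt (or a sentence stating the authorization the invoking user needs) is the consistent choice; as written, a reader may infer that any user can change the password policy.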
@@ -464,13 +460,11 @@
specifications are unaffected by any future addition of privileges that
might occur.
-
FILES
To turn a given file to the master copy of the configuration when sten-
ciling has been enabled run:
-
- svccfg -s svc:/system/account-policy:default \
+ # svccfg -s svc:/system/account-policy:default \
setprop config/etc_default_login/disabled = boolean: true
@@ -503,12 +495,15 @@
SEE ALSO
login(1), pfexec(1), chkauthattr(3C), getexecuser(3C), auth_attr(5),
- crypt.conf(5), prof_attr(5), user_attr(5), attributes(7), privi-
- leges(7), clearance(7)
+ crypt.conf(5), prof_attr(5), user_attr(5), attributes(7), clearance(7),
+ privileges(7), rbac(7)
NOTES
The console user is defined as the owner of /dev/console.
+HISTORY
+ The account-policy service was added in Oracle Solaris 11.4.0.
+
-Oracle Solaris 11.4 11 May 2021 account-policy(8S)
+Oracle Solaris 11.4 21 Jun 2021 account-policy(8S)