While Role-Based Access Control (RBAC) has been a part of Solaris for a long time now, Solaris 11 provides a few new knobs to play with. It is now possible to fine tune a user or process's ability to read or write a file, independently of each other. It is also possible to grant or take away the ability to have network access.
The specific new privileges are named, not surprisingly, file_read, file_write, and net_access.
It should be noted that net_access also affects the ability to use InterProcess Communication (IPC) mechanisms.
To take away a particular user's ability in one of these areas, use the usermod command as follows:
usermod -K defaultpriv=basic,!file_write targetuser
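To see what that usermod line actually leaves the user with, here is an added shell example (not from the original post) that expands a defaultpriv key the way the basic/!priv notation reads, and then, only when run on a Solaris 11 host, checks the stored key with userattr and ppriv. The membership of the basic set hard-coded below is an assumption; confirm it with ppriv -l basic.

```shell
# Added example (not from the original post): model how a Solaris 11
# defaultpriv key such as "basic,!file_write" expands, then check a live host.
# The membership of the "basic" set below is an assumption for illustration;
# confirm it on your system with: ppriv -l basic
BASIC_SET="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session"

# expand_privspec SPEC
# Prints the resulting privilege set, space separated, in BASIC_SET order.
# "basic" adds the whole basic set, "!priv" removes priv, any other token adds it.
expand_privspec() {
  privs=""
  for tok in $(printf '%s' "$1" | tr ',' ' '); do
    case $tok in
      basic) privs="$privs $BASIC_SET" ;;
      !*)    drop=${tok#!}; kept=""
             for p in $privs; do [ "$p" = "$drop" ] || kept="$kept $p"; done
             privs=$kept ;;
      *)     privs="$privs $tok" ;;
    esac
  done
  # unquoted echo collapses the leading and doubled spaces
  echo $privs
}

# has_priv SPEC PRIV -> exit status 0 if PRIV survives the expansion
has_priv() {
  for p in $(expand_privspec "$1"); do
    [ "$p" = "$2" ] && return 0
  done
  return 1
}

# verify_on_solaris USER
# Uses the real Solaris 11 tools when present; skips elsewhere so the
# script still runs on other systems.
verify_on_solaris() {
  if ! command -v ppriv >/dev/null 2>&1; then
    echo "ppriv not found; not a Solaris host, skipping live check"
    return 0
  fi
  userattr defaultpriv "$1"   # the stored key, e.g. basic,!file_write
  ppriv -l basic              # what "basic" actually contains on this host
}

# Worked case from the post: usermod -K defaultpriv=basic,!file_write targetuser
echo "targetuser keeps: $(expand_privspec 'basic,!file_write')"
has_priv 'basic,!file_write' file_write || echo "file_write is gone, file_read remains"
verify_on_solaris targetuser
```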