Solaris Projects

Solaris 9 introduced the concept of a project, which associates a running process with a Project ID. Administrators can configure resource accounting and resource limitations for the projects.

Solaris administrators can now configure Endpoint Privilege Management for Unix and Linux secured tasks to be associated with the Solaris project mechanism, and thus take advantage of the project accounting and project resource limits.

Endpoint Privilege Management for Unix and Linux secured tasks will honor those limitations by not executing when a limit has been reached, and are subject to signals configured for project resource limits.

Endpoint Privilege Management for Unix and Linux secured tasks can be associated with a Solaris project in one of two ways: with the PAM pam_setcred() function or with the projects.so library. Endpoint Privilege Management for Unix and Linux secured tasks are associated with a project that the runuser belongs to.

A Solaris project can be specified on the pbrun command line or in the policy (a project set in the policy overrides the command line). When neither specifies a project, Endpoint Privilege Management for Unix and Linux 6.1 and 7.0 secured tasks and shells inherit the project of the initiating process, provided that process has a Solaris project and the runuser is a member of it. If the project is not specified and cannot be inherited, the runuser's Solaris default project is assigned. Starting with pbrun 6.2.6 and 7.0.1, an unspecified project is normally resolved to the runuser's default project instead of being inherited. The keyword usesubmituserproject (default no), when set to yes, restores the 6.1 behavior of inheriting the submituser's project when possible.

Because usesubmituserproject defaults to no, the default behavior differs between Endpoint Privilege Management for Unix and Linux releases. This is a deliberate choice to make the better behavior (assigning the runuser's default project) the default.

Endpoint Privilege Management for Unix and Linux shells inherit the project from the previous shell (or assume the default project when used as a login shell).

This behavior can be changed by setting runsolarisproject in the policy when pbclientmode == "shell start". When iologging is enabled for pbclientmode == "shell start", the iologging parent Endpoint Privilege Management for Unix and Linux shell runs under the user's default project regardless of the runsolarisproject setting.

The project (and the runuser) can be changed for subtasks by setting runsolarisproject in the policy when pbclientmode == "shell command". Endpoint Privilege Management for Unix and Linux shells require the keyword enablesolarisprojects to be set to yes, regardless of the pamsetcred setting.

To disable Endpoint Privilege Management for Unix and Linux use of Solaris projects on a run host, set both the pamsetcred keyword and the enablesolarisprojects keyword to no on that host.

Endpoint Privilege Management for Unix and Linux shells have a safety feature that lets them keep operating when Solaris projects are incorrectly configured. If the library named by the sharedlibsolarisprojects keyword cannot be loaded (or the keyword is set to none), or if enablesolarisprojects is not set to yes, shell commands still run, but they may be associated with an incorrect project (the behavior reverts to that of Endpoint Privilege Management for Unix and Linux v6.0). Errors are logged but are not displayed to the user, so check the run host's logs after changing these settings rather than relying on what the shell shows.

PAM errors (including Solaris project pam_setcred() failures) cause the Endpoint Privilege Management for Unix and Linux shell to fail.
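The two paragraphs above describe a configuration that can fail silently: the shell keeps running under the wrong project and only the log records why. The following script is an added example, not BeyondTrust tooling, that reads a pb.settings-style file and reports whether the Solaris project keywords form a usable configuration for a run host. It assumes the settings file uses "keyword value" lines with '#' comments, that the keyword enabling pam_setcred() support is spelled pamsetcred as in the text above, and that pamsetcred and enablesolarisprojects count as "no" when absent.

```shell
#!/bin/sh
# audit_solaris_projects.sh
# Added example, not part of the Endpoint Privilege Management product or its documentation.
# Checks a pb.settings-style file for a coherent Solaris project configuration.
# Assumption: "pamsetcred" is the settings keyword for pam_setcred() project support,
# and an absent pamsetcred or enablesolarisprojects is treated as "no".

# setting FILE KEYWORD -> prints the keyword's value (last occurrence wins),
# or nothing if the keyword is absent. Lines beginning with '#' are comments.
setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { if (val != "") print val }
    ' "$1"
}

# audit_settings FILE
# Exit status: 0 = project support enabled and the library is loadable
#              1 = project support disabled (both switches off, as described above)
#              2 = enabled, but sharedlibsolarisprojects is unusable; the shells
#                  tolerate this silently and may run under the wrong project
audit_settings() {
    f="$1"
    lib=$(setting "$f" sharedlibsolarisprojects)
    enable=$(setting "$f" enablesolarisprojects)
    pamcred=$(setting "$f" pamsetcred)
    submit=$(setting "$f" usesubmituserproject)

    if [ "$enable" != "yes" ] && [ "$pamcred" != "yes" ]; then
        echo "DISABLED: enablesolarisprojects=${enable:-no} pamsetcred=${pamcred:-no}"
        return 1
    fi

    if [ -z "$lib" ] || [ "$lib" = "none" ]; then
        echo "MISCONFIGURED: sharedlibsolarisprojects is unset or 'none'; shells fall back silently"
        return 2
    fi
    if [ ! -r "$lib" ]; then
        echo "MISCONFIGURED: $lib is not readable; a load failure is only logged, never shown to the user"
        return 2
    fi

    if [ "$enable" != "yes" ]; then
        echo "WARNING: enablesolarisprojects is not yes; the shells require it even when pamsetcred is yes"
    fi
    if [ "$submit" = "yes" ]; then
        echo "OK: unspecified projects inherit the submituser's project when possible (usesubmituserproject yes)"
    else
        echo "OK: unspecified projects get the runuser's default project (usesubmituserproject ${submit:-no})"
    fi
    return 0
}

# Stand-alone demo on a constructed settings file; the library path is a placeholder
# file created in a temporary directory, not a real libproject.so.1.
demo() {
    d=$(mktemp -d)
    : > "$d/libproject.so.1"
    cat > "$d/pb.settings" <<EOF
# constructed sample, not a real host's file
sharedlibsolarisprojects $d/libproject.so.1
enablesolarisprojects yes
pamsetcred no
usesubmituserproject no
EOF
    audit_settings "$d/pb.settings"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the constructed case, or point audit_settings at a real run host's settings file; a status of 2 is the condition the safety feature above hides from interactive users.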

sharedlibsolarisprojects

  • Version 6.0 and earlier: sharedlibsolarisprojects setting not available.
  • Version 6.1 and later: sharedlibsolarisprojects setting available.

The sharedlibsolarisprojects keyword specifies the location of the Solaris projects.so library file on run hosts. It must be set for Solaris project support to function properly, whether the pamsetcred keyword, the enablesolarisprojects keyword, or both are in use.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

sharedlibsolarisprojects /usr/lib/libproject.so.1

Default

No default value

Used on

Run hosts

enablesolarisprojects

  • Version 6.0 and earlier: enablesolarisprojects setting not available.
  • Version 6.1 and later: enablesolarisprojects setting available.

On Solaris 9 and 10 run hosts, when Solaris projects are used without PAM support (the pam, pamsessionservice, and pamsetcred keywords), enable non-PAM support by setting the enablesolarisprojects keyword to yes. On Solaris 9, PAM cannot set a project other than the default project; to allow a project specified on the pbrun command line or in the Endpoint Privilege Management for Unix and Linux policy on Solaris 9 run hosts, set enablesolarisprojects to yes regardless of the PAM settings.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

enablesolarisprojects yes

Default

enablesolarisprojects no

Used on

Run hosts

usesubmituserproject

  • Version 6.2.5 and earlier, 7.0 and earlier: usesubmituserproject setting not available.
  • Version 6.2.6 and later, 7.0.1 and later: usesubmituserproject setting available.

The usesubmituserproject keyword, when set to yes, indicates that when a Solaris project is not specified, the secured task is associated with the submituser's current project if possible. When set to no and a Solaris project is not specified, or if inheriting the submituser's project is not possible, the secured task is associated with the runuser's default project. This keyword is only effective on Solaris run hosts.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

usesubmituserproject yes

Default

usesubmituserproject no

Used on

Run hosts
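The project-selection rules above (policy overrides the command line; otherwise inherit the submituser's project only when usesubmituserproject is yes and the runuser is a member; otherwise the runuser's default project) are easy to misremember when troubleshooting. The following added example, not BeyondTrust code, encodes those rules so an administrator can predict which project a secured task will land in. One point is an assumption: when a project is named explicitly and the runuser is not a member of it, the function reports an error, because the text above says only that secured tasks are associated with a project the runuser belongs to and does not describe the failure mode.

```shell
#!/bin/sh
# resolve_project.sh
# Added example, not part of the Endpoint Privilege Management product or its documentation.
# Encodes the Solaris project selection precedence described above.
# Assumption: an explicitly named project the runuser does not belong to is an error (exit 1).

# member_of PROJECT "PROJ1 PROJ2 ..." -> 0 if PROJECT is in the space-separated list
member_of() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# resolve_project POLICY CMDLINE SUBMITUSER_PROJECT RUNUSER_DEFAULT "RUNUSER_PROJECTS" USESUBMITUSERPROJECT
# Pass "" for anything that is not specified. Prints the project the task gets.
# Precedence: runsolarisproject in the policy > pbrun command line >
#             inherited submituser project (usesubmituserproject yes and runuser membership) >
#             runuser's default project.
resolve_project() {
    policy="$1"; cmdline="$2"; submitproj="$3"; rundefault="$4"; runprojects="$5"; usesubmit="$6"

    explicit="$policy"
    [ -n "$explicit" ] || explicit="$cmdline"
    if [ -n "$explicit" ]; then
        if member_of "$explicit" "$runprojects"; then
            echo "$explicit"
            return 0
        fi
        echo "error: runuser is not a member of project $explicit" >&2
        return 1
    fi

    if [ "$usesubmit" = "yes" ] && [ -n "$submitproj" ] && member_of "$submitproj" "$runprojects"; then
        echo "$submitproj"
        return 0
    fi

    echo "$rundefault"
    return 0
}

# Stand-alone demo with constructed values: the runuser's default project is
# "default", and the submitting user's shell is running in project "batch".
if [ "${1:-}" = "--demo" ]; then
    resolve_project "" "" "batch" "default" "default db batch" "yes"    # batch: inherited
    resolve_project "" "" "batch" "default" "default db" "yes"          # default: runuser not in batch
    resolve_project "" "" "batch" "default" "default db batch" "no"     # default: inheritance off
    resolve_project "" "db" "batch" "default" "default db" "no"         # db: from the command line
    resolve_project "db" "default" "batch" "default" "default db" "no"  # db: policy overrides command line
fi
```

The second demo line is the case that changes between 6.1 and 6.2.6/7.0.1: with usesubmituserproject set to no (the default), the submituser's project is never consulted, so the task always gets the runuser's default project.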