/etc/nscontrol.conf File

Purpose

Contains configuration information of some name services.

Description

The /etc/nscontrol.conf file is a stanza file, with each stanza name representing a database name. You can use the lssec and chsec commands to manage the /etc/nscontrol.conf file. The file controls the following stanza names and library subroutines:

Stanza Name      RBAC and Domain RBAC library subroutines
authorizations   getauthattr, getauthattrs, putauthattr, putauthattrs
roles            getroleattr, getroleattrs, putroleattr, putroleattrs
privcmds         getcmdattr, getcmdattrs, putcmdattr, putcmdattrs
privdevs         getdevattr, getdevattrs, putdevattr, putdevattrs
privfiles        getpfileattr, getpfileattrs, putpfileattr, putpfileattrs
The following stanzas are for the EFS library subroutines and for Remote EFS Keystore support:
  1. efsusrkeystore
  2. efsgrpkeystore
  3. efsadmkeystore
The following stanzas are for the Trusted Execution library subroutines and for Trusted Execution Remote Signature and Policy database support:
  1. tsddat
  2. tepolicies
You can specify the following attributes:
Item        Description
secorder    A comma-separated list of module names that library subroutines use when searching and updating a database. The following module names are valid:
            files   Specifies the local module, namely the database files in the /etc/security directory. This is the default value. For EFS keystores, the local module is the /var/efs/<users/groups>/<username/groupname>/keystore directory.
            LDAP    Specifies the LDAP module. You must configure the system as an LDAP client.

A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only.

You can override the value of the secorder attribute by calling the setsecorder subroutine in an application program, or by using the -R module option on commands that support the option.

databasename

Specifies the database names to consider for database operations. The databasename attribute is used for Trusted Execution databases, such as the Trusted Signature Database and the TE policy database. During an LDAP search operation, these names are used as part of the Distinguished Name (DN).

You can specify the following attribute for EFS stanzas:
Item         Description
Searchorder  A comma-separated list of module names that library subroutines use when searching and updating a database. The following module names are valid:
             files   Specifies the local module, namely the database files in the /var/efs/<users/groups>/<username/groupname>/keystore directory.
             LDAP    Specifies the LDAP module. You must configure the system as an LDAP client.

A search operation is performed on each module in the order that is specified until a matching entry is found. A failure is returned if no match is found from all of the modules. A modification operation is performed on the first entry match. A creation operation is performed on the first module in the list only.

You can override the value of the searchorder attribute by using the -R module option on commands that support the option.
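The search, modification and creation rules above, together with the stanza layout used in the Examples section, as an added example that is not part of the AIX documentation. The stanza text, the module contents and the entry names are constructed sample data; the "modules" dictionaries only stand in for the local files and the LDAP server, and the override argument plays the role of the -R module option or the setsecorder subroutine.

```python
# Added example, not from the AIX documentation: parse nscontrol.conf stanzas and simulate secorder.
import re
# Constructed sample stanza text in the format shown in the Examples section.
SAMPLE_CONF = """authorizations:
        secorder = files,LDAP
tsddat:
        secorder = LDAP,files
        databasename = TSD_v1
"""

def parse_nscontrol(text):
    """Return {stanza: {attr: value}} from "name:" headers and "attr = value" lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):            # skip blank and comment lines
            continue
        m = re.match(r"^(\w+):$", line)
        if m:                                           # new stanza header
            current = stanzas.setdefault(m.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError("attribute outside a stanza: %r" % raw)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return stanzas

def secorder(stanzas, db, override=None):
    """Module search order for db; 'override' stands in for the -R module option / setsecorder."""
    spec = override or stanzas.get(db, {}).get("secorder", "files")   # "files" is the default
    order = [m.strip() for m in spec.split(",")]
    if db in ("tsddat", "tepolicies") and order == ["files", "LDAP"]:
        raise ValueError("secorder files,LDAP is not valid for %s" % db)
    return order

def lookup(modules, order, name):
    """Search each module in order; first match wins, None if every module misses."""
    return next(((mod, modules[mod][name]) for mod in order if name in modules[mod]), None)

def modify(modules, order, name, entry):
    """A modification is applied to the first module holding a matching entry."""
    hit = lookup(modules, order, name)
    if hit:
        modules[hit[0]][name] = entry
    return hit and hit[0]

def create(modules, order, name, entry):
    """A creation goes to the first module in the list only."""
    modules[order[0]][name] = entry
    return order[0]
```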

Files

Item                              Description
/etc/security/domains             Contains domain definitions.
/etc/security/domobjs             Contains domain objects and their associated security settings.
/etc/security/authorizations      Contains the user-defined authorizations.
/etc/security/roles               Contains role definitions.
/etc/security/privcmds            Contains privileged command names and their associated security settings.
/etc/security/privdevs            Contains privileged device names and their associated security settings.
/etc/security/privfiles           Contains authorization lists for privileged configuration files that the trvi editor can access.
/etc/security/tsd/tsd.dat         Contains the trusted signature database.
/etc/security/tsd/tepolicies.dat  Contains the trusted execution policies for the system.
/var/efs                          Contains all the EFS keystores.

Security

This file grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.

Examples

  1. An example of the authorizations stanza follows:
    authorizations:
            secorder = files,LDAP

    This entry states that the search for an authorization is done in the local /etc/security/authorizations database first. If no matching entry is found, the LDAP database is searched next.

  2. An example of the domains stanza follows:
    domains:
            secorder = files,LDAP

    This entry states that the domain is searched for in the local /etc/security/domains database first. If no matching entry is found, the LDAP database is searched next.

  3. An example of the TE Signature Database stanza follows:
    tsddat:
            secorder = LDAP,files
            databasename = TSD_v1

    Note: For the tsddat and tepolicies stanzas, the secorder value files,LDAP is not a valid use case.

  4. An example of the efsusrkeystore stanza follows:
    efsusrkeystore:
            secorder = LDAP,files