User's Manual
 Solaris 9 Security CX-310-301    60   
Deleting an ACL 
To remove an ACL, use the setfacl -d command to remove the specific permissions. When the last 
permission is removed, there is no longer an ACL on the file: 
# setfacl -d u:temptest testfile 
Recalculating the Mask of an ACL 
The mask of an ACL governs the permissions that are effective on the ACL. When the ACL 
permissions are modified, the permissions need to be recalculated based on the mask. 
To reapply the previous modification with the mask recalculation: 
# setfacl -r -m mask:--- testfile 
PAM and Kerberos 
This section describes two methods of improving the authentication mechanism on a Solaris 9 system. 
Pluggable Authentication Module (PAM) 
PAM is a framework that provides the facility to add new authentication techniques without having to 
make changes to system services. New modules can simply be “plugged in” to integrate with the existing 
system. 
PAM is used primarily for authentication with programs like login, telnet, ftp, rlogin and so on. It is 
configured using the file /etc/pam.conf. The relevant lines for the login program in the default pam.conf are 
shown here: 
login auth requisite pam_authtok_get.so.1 
login auth required pam_dhkeys.so.1 
login auth required pam_unix_auth.so.1 
login auth required pam_dial_auth.so.1 
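The entries above, read into their fields, as an added example that is not part of the original guide: it parses pam.conf-style lines and lists the modules a service runs, in file order. It assumes the field order service, module type, control flag, module path, and that a service with no entries of its own falls back to the other service; the other entry in the sample is constructed.

```python
from collections import namedtuple

# Field order assumed from pam.conf(4): service, module type, control flag,
# module path, then optional module options.
Entry = namedtuple("Entry", "service module_type control module options")

# Constructed sample: the four login entries quoted on this page plus a
# hypothetical catch-all "other" entry added for illustration.
SAMPLE = """\
# Authentication management
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth required pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return one Entry per configuration line; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: fewer than 4 fields: {raw!r}")
        entries.append(Entry(*fields[:4], options=fields[4:]))
    return entries

def stack_for(entries, service, module_type="auth"):
    """Modules run for a service, in file order, and whether 'other' was used."""
    own = [e for e in entries
           if e.service == service and e.module_type == module_type]
    if own:
        return own, False
    # Assumption: no service-specific entries means the "other" entries apply.
    fallback = [e for e in entries
                if e.service == "other" and e.module_type == module_type]
    return fallback, True

if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE)
    for svc in ("login", "telnet"):
        stack, via_other = stack_for(conf, svc)
        print(svc, "(via other)" if via_other else "")
        for e in stack:
            print("   ", e.control, e.module)
```

Services reported as resolved through other are the ones to review first, since a change to that single stack alters authentication for all of them.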
The format of the file is: 
•  Service – The program being authenticated, such as login. A service called other can also be used 
to make management of a number of services easier. 
•  Module Type – The type of service being provided – can be auth, account, session or password 










