This chapter describes how you install SunScreen 3.1 on a machine running Trusted Solaris 7. Installing SunScreen on a machine running Trusted Solaris is different from installing on a regular machine because of the security features built into this operating system.
Topics covered include:
Overview
Before you install SunScreen
Installing SunScreen software
On a Trusted Solaris system, every user is assigned a set of profiles, which list the operations the user can perform and the privileges of those operations. For example, for a user to run a command (with certain privileges), that command must be present in one of the user's profiles. Therefore, to install and run SunScreen on a Trusted Solaris system, a SunScreen profile and a SunScreen Admin profile should be created. The profiles, in ASCII format, can be found in:
/cdrom/cdrom0/TS/tsolprof.sunscreen for installing on a Screen.
/cdrom/cdrom0/TS/tsolprof.sunscreenadm for installing on an Administration Station.
These files should be appended to the Trusted Solaris system profile (/etc/security/tsol/tsolprof) by the System administrator before installing SunScreen. Please refer to "To Edit the System Profile."
In Trusted Solaris, every process has privileges associated with it (called effective privileges). These effective privileges fall into the following categories:
Some privileges
All privileges
No privileges
A Trusted Solaris file also has a set of privileges called the allowed privileges. When a Trusted Solaris user executes a file (to create a process), the resulting process's effective privileges are the intersection of the file's allowed privileges and the user's privileges defined in the user's profile.
Therefore, all SunScreen executable files should have their allowed privileges set to all. This action is performed by two shell scripts:
for installing on the Screen, the script is named /opt/SUNWicg/SunScreen/lib/ss_ts_pset
for installing on an Administration Station, the script is named /opt/SUNWicg/SunScreen/lib/ss_ts_psetadm
If you use the SunScreen Installation program, these scripts are automatically called (see the following installation instructions).
SunScreen 3.1 software should be installed by the root role. However, before you can install the software, you have to assign the corresponding SunScreen profiles to the root role.
The first task is to append the SunScreen or SunScreen Admin profile to the Trusted Solaris system profile.
Log in as sys or as a user who has at least the file_owner and file_dac_write privileges.
From the front panel, choose Allocate Device then select device cdrom0 and mount it.
Before you proceed, you should make a backup copy of the original system profile.
For installing the Screen software, run the following commands:
cat /cdrom/cdrom0/TS/tsolprof.sunscreen >>/etc/security/tsol/tsolprof
cat /cdrom/cdrom0/TS/vfstab_adjunct.sunscreen >>/etc/security/tsol/vfstab_adjunct
For installing Administration software, run the following commands:
cat /cdrom/cdrom0/TS/tsolprof.sunscreenadm >>/etc/security/tsol/tsolprof
cat /cdrom/cdrom0/TS/vfstab_adjunct.sunscreen >>/etc/security/tsol/vfstab_adjunct
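The backup and append steps above can be wrapped so that a second run cannot append the same profile twice and a failed append is rolled back. This is an added example, not part of the SunScreen distribution; the function name append_profile and the .pre-sunscreen backup suffix are assumptions chosen for illustration.

```shell
#!/bin/sh
# append_profile SRC DST
#   Back up DST, append SRC to it, then verify DST == backup + SRC.
#   Return codes: 0 ok, 1 append/verify failed (DST restored),
#                 2 bad arguments or permissions, 3 already appended.
append_profile() {
    src=$1
    dst=$2
    bak="$dst.pre-sunscreen"        # assumed backup name, not from the product

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ -w "$dst" ] || { echo "cannot write $dst" >&2; return 2; }

    # A leftover backup means the append was already done once; appending
    # again would duplicate every entry in the system file.
    if [ -e "$bak" ]; then
        echo "$bak exists; $dst was already modified" >&2
        return 3
    fi

    cp -p "$dst" "$bak" || return 1

    if ! cat "$src" >> "$dst"; then
        cp -p "$bak" "$dst"
        return 1
    fi

    # Verify byte for byte that nothing but SRC was added to DST.
    if cat "$bak" "$src" | cmp -s - "$dst"; then
        return 0
    fi
    echo "verification failed; restoring $dst" >&2
    cp -p "$bak" "$dst"
    return 1
}

# Usage, with the paths given in this chapter for a Screen:
#   append_profile /cdrom/cdrom0/TS/tsolprof.sunscreen /etc/security/tsol/tsolprof
#   append_profile /cdrom/cdrom0/TS/vfstab_adjunct.sunscreen /etc/security/tsol/vfstab_adjunct
if [ "$#" -eq 2 ]; then
    append_profile "$1" "$2"
fi
```

Keep the backup files until the installation has been verified; removing them re-enables the append.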
Before you install the software, you must make the secadmin role assumable by the user who will be performing the installation. You need the secadmin role to assign the profile to the root role. In Trusted Solaris, root is not supposed to assign a profile to itself. In the following procedure, the user named install will be used as an example.
Log in as install and assume the root role.
In the root workspace, open Applications -> Solstice_Apps -> User Manager.
Open User Manager, double-click on user install, then choose Roles. Next, make root and secadmin the assumable roles.
Log out.
The last task is to assign a SunScreen profile or a SunScreen Admin profile to the root role.
Log in as install or some other user.
Assume the secadmin role.
In the secadmin workspace, open Applications -> Solstice_Apps -> User Manager.
Open User Manager, double-click on user root, then choose Profiles.
Move the profile SunScreen from the available list to the selected list.
If you are installing an Administration Station, assign the profile SunScreen Admin.
Save the changes.
SunScreen and SunScreen administration software should be installed by the root role.
Assume the root role.
From the front panel, choose Allocate Device, select device cdrom0 and mount it.
The rest of the installation steps are the same as a regular installation. Refer to the appropriate chapter in this book for further instructions on your particular installation.
Assume the root role.
From the front panel, choose Allocate Device, select device cdrom0 and mount it.
The rest of the installation steps are the same as a regular installation. Refer to the appropriate chapter in this book for further instruction on your particular installation.
If you choose to install on an Administration Station manually, you should run the /opt/SUNWicg/SunScreen/lib/ss_ts_psetadm command immediately after adding the required packages.