Re: Security Configuration Settings?
From: Marek Antozi (Marek.Antozi_at_Sun.COM)
Date: Thu, 23 Sep 2004 12:08:43 +0200 (CEST)
To: El C0chin0 <firstname.lastname@example.org>
On Tue, 21 Sep 2004, El C0chin0 wrote:
> I don't understand and haven't been able to find anything related to what
> describes 'compat'. Can anyone provide me with why it is a good measure to
> change this from 'files' to 'compat' and what other changes may be necessary
> or what exactly is the difference?
Hello El C0chin0.
First I will answer your question about the `compat' issue; below that answer
you can find other things related to Sun Solaris security.
You can find a description of `compat' in the man page for nsswitch.conf.
"compat Valid only for passwd and group; implements "+" and "-". See
Interaction with +/- syntax."
There is also a section which describes the "+/- syntax":
"Interaction with +/- syntax
Releases prior to SunOS 5.0 did not have the
name service switch but did allow the user some policy control. In
/etc/passwd one could have entries of the form +user (include the
specified user from NIS passwd.byname), -user (exclude the specified user)
and + (include everything, except excluded users, from NIS passwd.byname).
The desired behavior was often "everything in the file followed by
everything in NIS", expressed by a solitary + at the end of /etc/passwd. The
switch provides an alternative for this case ("passwd: files nis") that
does not require + entries in /etc/passwd and /etc/shadow (the latter is a new
addition to SunOS 5.0, see shadow(4)).
If this is not sufficient, the NIS/YP compatibility source provides full +/-
semantics. It reads /etc/passwd for getpwnam(3C) functions and /etc/shadow
for getspnam(3C) functions and, if it finds +/- entries, invokes an appropriate
source. By default, the source is "nis", but this may be overridden by
specifying "nisplus" or "ldap" as the source for the pseudo-database
Note that for every /etc/passwd entry, there should be a corresponding entry
in the /etc/shadow file. The NIS/YP compatibility source also provides full
+/- semantics for group; the relevant pseudo-database is group_compat."
Sun provides the "Solaris Security Toolkit (JASS)", which is available to users
for download at no cost. Be sure to check
"http://wwws.sun.com/software/security/jass/". This toolkit provides a
flexible and extensible mechanism to minimize, harden, and secure Solaris
Operating Environment systems.
If you are interested in securing your Solaris OS, be sure to check Sun
BluePrints archives at
I hope this is helpful.
- -Marek Antozi
Senior System Administrator
SUN Microsystems, Developer Platform Group
Tel.: +420 2 3300-9126
Fax.: +420 2 3300-9299
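Added example, not part of the original message: a small Python model of the three entry forms described in the quoted nsswitch.conf text (+user, -user and a solitary +), plus a check that the passwd source in nsswitch.conf matches what /etc/passwd contains. The function names, the sample NIS map and the sample passwd lines are constructed, and it is an assumption here that a -user entry only affects NIS includes that come after it.

```python
# Added example; NIS_MAP and PASSWD are constructed sample data.
NIS_MAP = {"alice": "alice:x:1001:10::/home/alice:/bin/sh",
           "bob": "bob:x:1002:10::/home/bob:/bin/sh",
           "carol": "carol:x:1003:10::/home/carol:/bin/sh"}
PASSWD = ["root:x:0:1:Super-User:/:/sbin/sh", "-bob", "+carol", "+"]


def passwd_sources(nsswitch_text):
    """Return the source list of the 'passwd:' line in nsswitch.conf text."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return []


def resolve_compat(passwd_lines, nis_map):
    """Map each visible user to 'files' or 'nis', scanning entries in order."""
    visible, excluded = {}, set()
    for line in passwd_lines:
        name = line.strip().split(":", 1)[0]
        if not name:
            continue
        if name == "+":                      # everything in NIS not excluded
            wanted = list(nis_map)
        elif name.startswith("+"):           # one named NIS user
            wanted = [name[1:]]
        elif name.startswith("-"):           # assumption: affects later includes
            excluded.add(name[1:])
            continue
        else:                                # ordinary local entry
            visible.setdefault(name, "files")
            continue
        for user in wanted:
            if user in nis_map and user not in excluded:
                visible.setdefault(user, "nis")
    return visible


def audit(nsswitch_text, passwd_lines):
    """Flag a mismatch between +/- entries and the configured passwd source."""
    has_pm = any(l.strip()[:1] in ("+", "-") for l in passwd_lines)
    is_compat = "compat" in passwd_sources(nsswitch_text)
    if has_pm and not is_compat:
        return "+/- entries present but passwd source is not compat"
    if is_compat and not has_pm:
        return "compat configured but no +/- entries to interpret"
    return "consistent"
```

With the sample data, bob stays hidden because his -bob line precedes the solitary +, while carol and alice are taken from the NIS map.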