Re: Security Configuration Settings?

From: Marek Antozi (Marek.Antozi_at_Sun.COM)
Date: 09/23/04

  • Next message: Lupe Christoph: "Re: Security Configuration Settings?"
    Date: Thu, 23 Sep 2004 12:08:43 +0200 (CEST)
    To: El C0chin0 <>

    On Tue, 21 Sep 2004, El C0chin0 wrote:
    > I don't understand and haven't been able to find anything related to what
    > describes 'compat'. Can anyone provide me with why it is a good measure to
    > change this from 'files' to 'compat' and what other changes may be necessary
    > or what exactly is the difference?

    Hello El C0chin0.

    First I will answer your question about the `compat' issue; below that answer
    you can find other things related to Sun Solaris security.

    You can find a description of `compat' in the man page for nsswitch.conf.


    "compat Valid only for passwd and group; implements "+" and "-". See
    Interaction with +/- syntax."

    There is also a section which describes the "+/- syntax":

    "Interaction with +/- syntax

    Releases prior to SunOS 5.0 did not have the
    name service switch but did allow the user some policy control. In
    /etc/passwd one could have entries of the form +user (include the
    specified user from NIS passwd.byname), -user (exclude the specified user)
    and + (include everything, except excluded users, from NIS passwd.byname).
    The desired behavior was often "everything in the file followed by
    everything in NIS", expressed by a solitary + at the end of /etc/passwd. The
    switch provides an alternative for this case ("passwd: files nis") that
    does not require + entries in /etc/passwd and /etc/shadow (the latter is a new
    addition to SunOS 5.0, see shadow(4)).

    If this is not sufficient, the NIS/YP compatibility source provides full +/-
    semantics. It reads /etc/passwd for getpwnam(3C) functions and /etc/shadow
    for getspnam(3C) functions and, if it finds +/- entries, invokes an
    appropriate source. By default, the source is "nis", but this may be overridden by
    specifying "nisplus" or "ldap" as the source for the pseudo-database

    Note that for every /etc/passwd entry, there should be a corresponding entry
    in the /etc/shadow file. The NIS/YP compatibility source also provides full
    +/- semantics for group; the relevant pseudo-database is group_compat."

    Sun provides "Solaris Security Toolkit (JASS)", which is available to users for
    download at no cost. Be sure to check
    "". This toolkit provides a
    flexible and extensible mechanism to minimize, harden, and secure Solaris
    Operating Environment systems.

    If you are interested in securing your Solaris OS, be sure to check Sun
    BluePrints archives at

    I hope this is helpful.


    -Marek Antozi
    --
    Senior System Administrator
    SUN Microsystems, Developer Platform Group
    Tel.: +420 2 3300-9126
    Fax.: +420 2 3300-9299
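A check an administrator could run against copies of the files discussed in the message above, as an added example that is not part of the original post or of any Sun tool: it compares the passwd source in nsswitch.conf with the +/- entries in the passwd file and lists passwd users with no shadow entry. The function names and all file contents are constructed for illustration, and it assumes that only the compat source gives +/- entries their NIS meaning.

```shell
#!/bin/sh
# Added example: compare the nsswitch.conf passwd source with +/- entries.
# All file contents below are constructed samples, not taken from a real host.

passwd_source() {   # print the sources listed on the "passwd:" line
    awk '$1 == "passwd:" { sub(/^[ \t]*passwd:[ \t]*/, ""); print; exit }' "$1"
}

plusminus_entries() {   # print +user, -user and bare + entries of a passwd file
    awk -F: '$1 ~ /^[+-]/ { printf "%s ", $1 }' "$1"
}

missing_shadow() {   # usage: missing_shadow PASSWD SHADOW
    # First file read is the shadow copy; remember its names, then scan passwd.
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             $1 != "" && $1 !~ /^[+-]/ && !($1 in seen) { printf "%s ", $1 }' "$2" "$1"
}

audit_passwd_switch() {   # usage: audit_passwd_switch NSSWITCH PASSWD SHADOW
    src=$(passwd_source "$1"); pm=$(plusminus_entries "$2"); ms=$(missing_shadow "$2" "$3")
    case "$src" in
        *compat*) if [ -n "$pm" ]; then echo "OK compat interprets: $pm"
                  else echo "NOTE compat set but no +/- entries present"; fi ;;
        *)        if [ -n "$pm" ]; then echo "WARN '$src' does not interpret: $pm"
                  else echo "OK '$src' and no +/- entries"; fi ;;
    esac
    if [ -n "$ms" ]; then echo "WARN no shadow entry for: $ms"; fi
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'passwd: files\ngroup: files\n' > "$d/nsswitch.files"
printf 'passwd: compat\npasswd_compat: nis\n' > "$d/nsswitch.compat"
cat > "$d/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
alice:x:100:10::/export/home/alice:/bin/ksh
-guest
+
EOF
cat > "$d/shadow" <<'EOF'
root:NP:6445::::::
EOF
audit_passwd_switch "$d/nsswitch.files" "$d/passwd" "$d/shadow"
audit_passwd_switch "$d/nsswitch.compat" "$d/passwd" "$d/shadow"
```

Run it on copies of /etc/nsswitch.conf, /etc/passwd and /etc/shadow rather than the live files; reading a shadow copy requires root.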
