SAC(1M) Maintenance Commands SAC(1M)


NAME


sac - service access controller

SYNOPSIS


sac -t sanity_interval


/usr/lib/saf/sac


DESCRIPTION


The Service Access Controller (SAC) is the overseer of the server
machine. It is started when the server machine enters multiuser mode. The
SAC performs several important functions as explained below.

Customizing the SAC Environment


When sac is invoked, it first looks for the per-system configuration
script /etc/saf/_sysconfig. sac interprets _sysconfig to customize its
own environment. The modifications made to the SAC environment by
_sysconfig are inherited by all the children of the SAC. This inherited
environment may be modified by the children.

Starting Port Monitors


After it has interpreted the _sysconfig file, the sac reads its
administrative file /etc/saf/_sactab. _sactab specifies which port
monitors are to be started. For each port monitor to be started, sac
forks a child (see fork(2)) and creates a utmpx entry with the type field
set to LOGIN_PROCESS. Each child then interprets its per-port monitor
configuration script /etc/saf/pmtag/_config , if the file exists. These
modifications to the environment affect the port monitor and will be
inherited by all its children. Finally, the child process execs the port
monitor, using the command found in the _sactab entry. (See sacadm; this
is the command given with the -c option when the port monitor is added to
the system.)

Polling Port Monitors to Detect Failure


The -t option sets the frequency with which sac polls the port monitors
on the system. This time may also be thought of as half of the maximum
latency required to detect that a port monitor has failed and that
recovery action is necessary.

Administrative functions


The Service Access Controller represents the administrative point of
control for port monitors. Its administrative tasks are explained below.


When queried (sacadm with either -l or -L), the Service Access Controller
returns the status of the port monitors specified, which sacadm prints
on the standard output. A port monitor may be in one of six states:

ENABLED
The port monitor is currently running and is accepting
connections. See sacadm(1M) with the -e option.


DISABLED
The port monitor is currently running and is not accepting
connections. See sacadm with the -d option, and see
NOTRUNNING, below.


STARTING
The port monitor is in the process of starting up. STARTING
is an intermediate state on the way to ENABLED or
DISABLED.


FAILED
The port monitor was unable to start and remain running.


STOPPING
The port monitor has been manually terminated but has not
completed its shutdown procedure. STOPPING is an
intermediate state on the way to NOTRUNNING.


NOTRUNNING
The port monitor is not currently running. (See sacadm with
-k.) This is the normal "not running" state. When a port
monitor is killed, all ports it was monitoring are
inaccessible. It is not possible for an external user to
tell whether a port is not being monitored or the system is
down. If the port monitor is not killed but is in the
DISABLED state, it may be possible (depending on the port
monitor being used) to write a message on the inaccessible
port telling the user who is trying to access the port that
it is disabled. This is the advantage of having a DISABLED
state as well as the NOTRUNNING state.


When a port monitor terminates, the SAC removes the utmpx entry for that
port monitor.


The SAC receives all requests to enable, disable, start, or stop port
monitors and takes the appropriate action.


The SAC is responsible for restarting port monitors that terminate.
Whether or not the SAC will restart a given port monitor depends on two
things:

o The restart count specified for the port monitor when the port
monitor was added by sacadm; this information is included in
/etc/saf/pmtag/_sactab.

o The number of times the port monitor has already been
restarted.

SECURITY


sac uses pam(3PAM) for session management. The PAM configuration policy,
listed through /etc/pam.conf, specifies the session management module to
be used for sac. Here is a partial pam.conf file with entries for sac
using the UNIX session management module.

sac session required pam_unix_session.so.1


If there are no entries for the sac service, then the entries for the
"other" service will be used.

OPTIONS


-t sanity_interval
Sets the frequency (sanity_interval) with which sac
polls the port monitors on the system.


FILES



o /etc/saf/_sactab

o /etc/saf/_sysconfig

o /var/adm/utmpx

o /var/saf/_log

SEE ALSO


pmadm(1M), sacadm(1M), fork(2) pam(3PAM), pam.conf(4), attributes(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)

NOTES


The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


The service access controller service is managed by the service
management facility, smf(5), under the service identifier:

svc:/system/sac:default


Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using svcadm(1M). The service's
status can be queried using the svcs(1) command.


April 21, 2009 SAC(1M)