Administrator's Guide
7 Fine-Grained Privileges
This chapter describes the fine-grained privileges feature of HP-UX 11i . This chapter
addresses the following topics:
• Overview (Section 7.1)
• Fine-grained privileges components (Section 7.2)
• Available privileges (Section 7.3)
• Configuring applications with fine-grained privileges (Section 7.4)
• Security implications of fine-grained privileges (Section 7.5)
• Fine-grained privileges in HP Serviceguard Clusters (Section 7.6)
• Troubleshooting fine-grained privileges (Section 7.7)
7.1 Overview
The UNIX operating system traditionally uses an "all or nothing" privilege model, in
which superusers (those with effective UID=0, such as the root user) have virtually unlimited
power, and other users have few or no special privileges.
HP-UX provides several legacy methods of delegating limited powers, including restricted
smh(1M), the privilege groups described in privgrp(4), the shutdown.allow file
described in shutdown(1M), and the cron.allow file described in crontab(1).
These legacy methods can be replaced by the use of fine-grained privileges and the
HP-UX RBAC access control framework.
The HP-UX fine-grained privilege model splits the powers of superusers into a set of
privileges. Fine-grained privileges are granted to processes. Each privilege grants a
process that possesses that privilege the right to a certain set of restricted services provided
by the kernel.
See privileges(5) for more information.
7.2 Fine-Grained Privileges Components
The fine-grained privileges feature of HP-UX 11i include configuration files, commands,
and manpages. You can use these components to configure and administer fine-grained
privileges.
7.2.1 Commands
Table 7-1 briefly describes the fine-grained privileges commands.
7.1 Overview 131