Administrator's Guide

BASICROOT compound privilege and that requires the (hpux.adm.mount, *)
authorization:
# cmdprivadm add cmd=/etc/mount op=hpux.adm.mount object='*' privs=BASICROOT
The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv
file as follows:
#--------------------------------------------------------------------------------------------------------
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
#----------------:--------:---------------------:------:-------:----------:------:-------------------
/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :BASICROOT :dflt :
After you create the entry using cmdprivadm and use privrun to wrap the
command, /etc/mount runs with the elevated privileges of the BASICROOT compound
fine-grained privilege, and without UID=0, if the user has the (hpux.adm.mount, *)
authorization.
As described in Section 8.6.1, the privrun -p command option matches only the
entries in the /etc/rbac/cmd_priv database file that have the privileges specified
by the -p option. Be aware when you specify a privilege using the privrun -p option
that privrun will match all entries that contain the specified privilege—including groups
of privileges and compound privileges that include the -p specified privilege. The
privrun command will execute according to the first match in /etc/rbac/cmd_priv.
The following example shows a privrun -p command and the /etc/rbac/cmd_priv
entries that it matches:
The command:
# privrun -p MOUNT /etc/mount
matches the following /etc/rbac/cmd_priv entries:
#----------------------------------------------------------------------------------------------
# Command  : Args :Authorizations      :U/GID :Cmpt :Privs                          :Auth :Flags
#----------:------:--------------------:------:-----:-------------------------------:-----:-----
/etc/mount :dflt  :(hpux.adm.mount,*)  :///   :dflt :PRIV_CHOWN, MOUNT              :dflt :
/etc/mount :dflt  :(hpux.*,nfs)        :///   :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount :dflt  :(hpux.adm.*,*)      :///   :dflt :BASICROOT                      :dflt :
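The following audit sketch is an added example, not part of the guide or of HP-UX. It parses entries in the cmd_priv layout shown above and lists, in file order, every entry that a given privilege would match, along with the other privileges each entry carries. It models only the privilege-matching step (not argument or authorization checks); the COMPOUND_MEMBERS map, the function names, and the /opt/example/tool entry are assumptions made for illustration.

```python
# Constructed sample in the /etc/rbac/cmd_priv layout shown above.
SAMPLE_CMD_PRIV = """\
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :PRIV_CHOWN, MOUNT :dflt :
/etc/mount :dflt :(hpux.*,nfs) :/// :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount :dflt :(hpux.adm.*,*) :/// :dflt :BASICROOT :dflt :
/opt/example/tool :dflt :(example.auth,*) :/// :dflt :PRIV_CHOWN :dflt :
"""

# Assumption: only the membership the example above implies (BASICROOT
# includes MOUNT). Fill in the real member lists for your system.
COMPOUND_MEMBERS = {"BASICROOT": {"MOUNT"}}

FIELDS = ("command", "args", "auths", "ugid", "cmpt", "privs", "auth", "flags")

def parse_cmd_priv(text):
    """Parse colon-separated cmd_priv lines into dicts, keeping file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields")
        entry = dict(zip(FIELDS, parts), lineno=lineno)
        entry["privs"] = [p.strip() for p in entry["privs"].split(",") if p.strip()]
        entries.append(entry)
    return entries

def matches_for(entries, command, priv):
    """Entries for `command` that name `priv` directly or through a compound."""
    hits = []
    for e in entries:
        expanded = set(e["privs"])
        for p in e["privs"]:
            expanded |= COMPOUND_MEMBERS.get(p, set())
        if e["command"] == command and priv in expanded:
            # Everything other than the requested privilege comes along with it.
            hits.append({**e, "extra": sorted(set(e["privs"]) - {priv})})
    return hits

if __name__ == "__main__":
    hits = matches_for(parse_cmd_priv(SAMPLE_CMD_PRIV), "/etc/mount", "MOUNT")
    for n, h in enumerate(hits):
        tag = "FIRST MATCH (used)" if n == 0 else "also matches"
        print(f"line {h['lineno']}: {tag}: {h['auths']} extra privs: {h['extra']}")
```

Because privrun executes according to the first match, the ordering of entries decides which additional privileges accompany the one requested with -p; review any entry reported with a non-empty extra list.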