Administrator's Guide

NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT
privilege because the MOUNT simple privilege is part of the predefined BASICROOT
compound privilege. See the privileges(5) manpage for more information about simple
and compound privileges.
IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important
because privrun will execute according to the first explicit match it finds. In the
preceding example, while all three entries are considered matches to the privrun
command, privrun would execute the first entry. Keep the sequence of the entries in
mind when configuring commands and authorizations. The cmdprivadm tool adds
entries to the bottom of the /etc/rbac/cmd_priv file.
8.5.5 Configuring HP-UX RBAC with Compartments
HP-UX RBAC can also use compartments: an entry in /etc/rbac/cmd_priv can specify the
compartment that a wrapped command runs in. Compartments logically partition a system
so that a process cannot communicate with, or access resources outside of, its own
compartment unless a compartment rule explicitly allows it.
The following is an example cmdprivadm command that configures the
/sbin/init.d/hpws_apache command to run only in the apache compartment,
which is defined by the /etc/cmpt/apache.rules compartment rule:
# cmdprivadm add cmd='/sbin/init.d/hpws_apache -a start' \
op=hpux.network.service.start object=apache compartment=apache
The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv
file, as follows:
#--------------------------:--------:------------------------------------:-------:-------:-------:-------:------
# Command                  : Args   :Authorizations                       :U/GID  :Cmpt   :Privs  :Auth   :Flags
#--------------------------:--------:------------------------------------:-------:-------:-------:-------:------
/sbin/init.d/hpws_apache   :start   :(hpux.network.service.start,apache)  :///    :apache :dflt   :dflt   :
Once the entry exists and the command is invoked through privrun, an authorized user
can run /sbin/init.d/hpws_apache with the start argument registered in the entry, and
privrun starts it only in the apache compartment: the compartment tag of the process is
changed to apache, and from then on the process is subject to the rules defined in
/etc/cmpt/apache.rules.
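The following script is an added example, not HP-UX code: it parses entries in the /etc/rbac/cmd_priv layout shown above and emulates the first-match lookup described in the IMPORTANT note, so the effect of entry order (and of cmdprivadm appending at the bottom) on which compartment a command lands in can be checked before editing the live file. The sample file content is constructed, the second catch-all entry and the use of '*' as an args wildcard are assumptions for illustration, and the matching rule (exact command path, exact args or the wildcard, first entry wins) is a simplification of what privrun actually does.

```python
"""Emulate privrun's first-match lookup over /etc/rbac/cmd_priv entries.

Added example, not HP-UX code. Field order follows the entry shown in the
guide: Command : Args : Authorizations : U/GID : Cmpt : Privs : Auth : Flags.
Matching rules here (exact path, exact args or '*' wildcard, first entry
wins) are a simplified assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CmdPrivEntry:
    command: str                      # absolute path of the wrapped command
    args: str                         # argument string, or '*' (assumed wildcard)
    authorization: Tuple[str, str]    # (operation, object) pair
    ugid: str                         # U/GID field; '///' keeps the caller's IDs
    compartment: str                  # compartment the process is moved into
    privs: str                        # fine-grained privileges, 'dflt' = unchanged
    auth: str                         # re-authentication setting
    flags: str                        # flags field, usually empty
    line_no: int                      # file position: the order privrun searches in


def parse_authorization(field: str) -> Tuple[str, str]:
    """'(hpux.network.service.start,apache)' -> ('hpux.network.service.start', 'apache')."""
    op, _, obj = field.strip().strip("()").partition(",")
    return op.strip(), obj.strip()


def parse_cmd_priv(text: str) -> List[CmdPrivEntry]:
    """Parse cmd_priv text; '#' comment lines and blank lines are skipped."""
    entries: List[CmdPrivEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 7:
            raise ValueError(f"line {line_no}: expected at least 7 ':'-separated fields")
        fields += [""] * (8 - len(fields))      # tolerate a missing trailing Flags field
        entries.append(CmdPrivEntry(
            command=fields[0], args=fields[1],
            authorization=parse_authorization(fields[2]),
            ugid=fields[3], compartment=fields[4], privs=fields[5],
            auth=fields[6], flags=fields[7], line_no=line_no))
    return entries


def first_match(entries: List[CmdPrivEntry], command: str, args: str) -> Optional[CmdPrivEntry]:
    """Return the first entry whose command and args match; later entries are ignored."""
    for e in entries:
        if e.command == command and (e.args == "*" or e.args == args):
            return e
    return None


def shadowed(entries: List[CmdPrivEntry]) -> List[CmdPrivEntry]:
    """Entries that can never be selected because an earlier entry for the
    same command uses the '*' args wildcard and is matched first."""
    wildcard_seen = set()
    unreachable = []
    for e in entries:
        if e.command in wildcard_seen:
            unreachable.append(e)
        elif e.args == "*":
            wildcard_seen.add(e.command)
    return unreachable


# Constructed sample in the cmd_priv layout. Line 2 is the entry from the
# guide; line 3 is an assumed catch-all (no compartment change) added to show
# how ordering decides the outcome.
SAMPLE_CMD_PRIV = """\
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
/sbin/init.d/hpws_apache :start :(hpux.network.service.start,apache) :/// :apache :dflt :dflt :
/sbin/init.d/hpws_apache :* :(hpux.network.service.start,apache) :/// :dflt :dflt :dflt :
"""

if __name__ == "__main__":
    entries = parse_cmd_priv(SAMPLE_CMD_PRIV)
    hit = first_match(entries, "/sbin/init.d/hpws_apache", "start")
    print(f"start -> compartment {hit.compartment} (line {hit.line_no})")
    # cmdprivadm appends at the bottom: had the catch-all existed first, the
    # newly added apache entry would sit after it and never be selected.
    appended = [entries[1], entries[0]]
    hit = first_match(appended, "/sbin/init.d/hpws_apache", "start")
    print(f"after append -> compartment {hit.compartment}; "
          f"shadowed lines: {[e.line_no for e in shadowed(appended)]}")
```

Running the script shows the apache entry winning when it comes first and losing to the catch-all when it comes second; the shadowed() check is the one to run after every cmdprivadm add, since an entry that lands below a broader match for the same command silently changes nothing.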