Administrator's Guide

In some cases, this may not be ideal. For example, all users may be allowed to run the
passwd command to change their own password, but when a user administrator runs it, they
need the privileges to change other users' passwords. If the entry for all the normal users
is listed before the entry for the user administrators, the first matching entry is the one
used, and this might prevent the user administrators from running the more privileged version.
For cases like this, privrun has options that allow users to specify the desired privileges.
Only entries matching the specified privileges (for example, UID) are used. If no entries
match the desired privileges, privrun returns an error message.
The following is an example invocation of privrun that matches only entries where the
effective UID is set to 0:
# privrun -u 0 ipfstat
NOTE: See the privrun(1M) and rbac(5) manpages for more about using the privrun
command.
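The following Python model is an added example, not HP-UX code and not the real /etc/rbac/cmd_priv file format: it illustrates the first-match selection and the -u style filter described above. The entry layout, the authorization names, the user-to-authorization map and the two passwd entries are all constructed for the example.

```python
"""Toy model of how privrun picks an entry from /etc/rbac/cmd_priv.

Constructed example (not HP-UX code). The entry layout below is a
simplified stand-in; the real cmd_priv file format differs.
"""
from dataclasses import dataclass
from typing import Optional, List, Dict, Set


@dataclass(frozen=True)
class CmdPrivEntry:
    command: str           # full path of the command the entry applies to
    authorization: str     # authorization the invoking user must hold
    euid: Optional[int]    # effective UID granted; None = run unchanged


# Constructed database, ordered the way the text warns about:
# the entry for ordinary users precedes the user-administrator entry.
CMD_PRIV: List[CmdPrivEntry] = [
    CmdPrivEntry("/usr/bin/passwd", "example.passwd.self", None),
    CmdPrivEntry("/usr/bin/passwd", "example.passwd.others", 0),
    CmdPrivEntry("/usr/sbin/ipfstat", "example.ipf.readstats", 0),
]

# Constructed user -> authorizations map (HP-UX derives this from its
# role and authorization databases; the names here are hypothetical).
USER_AUTHS: Dict[str, Set[str]] = {
    "alice": {"example.passwd.self"},
    "useradm": {"example.passwd.self", "example.passwd.others"},
    "netops": {"example.ipf.readstats"},
}


def select_entry(user: str, command: str,
                 want_euid: Optional[int] = None) -> Optional[CmdPrivEntry]:
    """Return the first cmd_priv entry the user is authorized to use.

    want_euid models the -u option: when given, entries that do not grant
    exactly that effective UID are skipped. Returns None when no entry
    matches, which is where privrun would print its error message.
    """
    for entry in CMD_PRIV:
        if entry.command != command:
            continue
        if want_euid is not None and entry.euid != want_euid:
            continue                       # -u given: wrong EUID, keep looking
        if entry.authorization in USER_AUTHS.get(user, set()):
            return entry                   # first authorized match wins
    return None


def privrun(user: str, command: str,
            want_euid: Optional[int] = None) -> str:
    """Describe the outcome of a modelled privrun invocation."""
    entry = select_entry(user, command, want_euid)
    if entry is None:
        return f"privrun: no matching entry for {user} running {command}"
    euid = "unchanged" if entry.euid is None else str(entry.euid)
    return f"run {command} with euid={euid} (auth {entry.authorization})"


if __name__ == "__main__":
    # Without -u the user administrator gets the less privileged first entry;
    # with -u 0 only the entry granting EUID 0 is considered.
    print(privrun("useradm", "/usr/bin/passwd"))
    print(privrun("useradm", "/usr/bin/passwd", want_euid=0))
    print(privrun("alice", "/usr/bin/passwd", want_euid=0))
    print(privrun("netops", "/usr/sbin/ipfstat", want_euid=0))
```

The useradm case shows the ordering problem from the text: without a -u filter the ordinary-user entry is matched first, and only the explicit -u 0 request reaches the entry that grants EUID 0. A user who holds no authorization for an EUID 0 entry gets the error path rather than a silent fallback.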
8.6.1.1 HP-UX RBAC in Serviceguard Clusters
Serviceguard does not support the use of HP-UX RBAC and privrun to grant access to
Serviceguard commands. Serviceguard version A.11.16 implemented its own Role-Based
Access Control by specifying Access Control Policies through package and cluster
configuration files, providing cluster-aware policies for Serviceguard operations. The
Serviceguard mechanism must be used for Role-Based Access Control of Serviceguard
operations. See the latest Managing Serviceguard document for additional details on
Serviceguard Access Control Policies.
HP-UX RBAC can be used with non-Serviceguard commands in a Serviceguard cluster.
The same HP-UX RBAC rules should be applied to all nodes in the cluster.
8.6.2 Using the privedit Command to Edit Files Under Access Control
The privedit command allows authorized users to edit files they usually would not be
able to edit because of file permissions or ACLs. After you invoke the command and
identify the file you want to edit as an argument, privedit checks the
/etc/rbac/cmd_priv database, just as privrun does, to determine the authorization
required to edit the specified file. If the invoking user is authorized to edit the file,
privedit invokes an editor on a copy of the file.
NOTE: The editor that privedit invokes does not run with any elevated privileges, so
any action attempted from within the editor, such as a shell escape, runs with the user's
typical (non-elevated) privilege set.
You can specify which editor privedit uses to edit the file by setting the EDITOR
environment variable. If you do not set the EDITOR variable, privedit uses the default
editor, vi. You cannot pass arguments to the editor via the privedit command line.
8.6 Using HP-UX RBAC 165