HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

usr
var
For example, SRP creates a /var/hpsrp/compartment_name/sbin directory with init.d, rc0.d, rc1.d, rc2.d, rc3.d, and rc4.d subdirectories for use by initialization scripts, as described in 12.1 SRP Startup and Shutdown Processing.
6.1.2 The admin Service
The admin service uses the HP-UX Security Containment RBAC and compartment login features to
associate an HP-UX user with an RBAC role that has authorization to administer the compartment. By
default, this authorization enables the administrator to start and stop the compartment.
6.1.2.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value on the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
Prompt: Unix usernames for compartment administrator
    Description: HP-UX user names, separated by ",", for the SRP administrator. These user names must already exist in the HP-UX user database (/etc/passwd).
    Variable Name: admin_user
    Default: root
6.1.2.2 Configuration Data
The admin service uses RBAC to add information about the administrator in the RBAC configuration
directory, /etc/rbac.
The admin service performs the following tasks:
- Creates a role named SRPadmin-compartment_name for the compartment. SRP uses the roleadm add command to perform this task.
- Creates an authorization named hpux.SRPadmin-compartment_name with the object set to the compartment. SRP uses the authadm add command to perform this task.
- Assigns the authorization hpux.SRPadmin-compartment_name to the role SRPadmin-compartment_name. SRP uses the authadm assign command to perform this task.
- Associates each specified HP-UX user name with the role SRPadmin-compartment_name. The user name must already exist in the HP-UX user database. SRP uses the roleadm assign command to perform this task.
- Grants holders of the authorization hpux.SRPadmin-compartment_name the privilege to execute the SRP master startup script /opt/hpsrp/bin/srp_rc in the compartment. This is what lets the administrator start up and shut down the compartment. SRP uses the cmdprivadm add command to perform this task.
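The following script is an added example, not code from this guide or from the SRP product. It reproduces the five RBAC steps above by hand for one compartment, refusing to run any of them if a listed user is missing from the password database, and it defaults to printing the commands rather than executing them so the result can be reviewed first. Everything beyond the role, authorization and command names given above is an assumption of this example: the argument forms of roleadm(1M), authadm(1M) and cmdprivadm(1M) as used here, that srp_rc must run with real and effective uid 0, and the PASSWD_FILE and DRY_RUN variables, which belong to this script only.

```shell
#!/bin/sh
# Added example: hand-built equivalent of the SRP admin service's RBAC steps.
# Not from the HP-UX SRP guide or the SRP software.
# Assumptions (not stated on the page): command argument forms
#   roleadm add ROLE            roleadm assign USER ROLE
#   authadm add OP [OBJECT]     authadm assign ROLE OP [OBJECT]
#   cmdprivadm add cmd=... op=... object=... ruid=... euid=... compartment=...
# and that srp_rc must run with ruid/euid 0. PASSWD_FILE and DRY_RUN are
# knobs of this script only.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
DRY_RUN="${DRY_RUN:-1}"    # 1: print the commands; 0: execute them

# run_or_print CMD ARG... : print the command line, or execute it
run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# user_exists NAME : succeed only if NAME is a login name in PASSWD_FILE
user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# srp_admin_setup COMPARTMENT USER[,USER...]
# Validates every user before issuing the first RBAC command, so a typo in
# the admin_user list cannot leave a half-built role behind in /etc/rbac.
srp_admin_setup() {
    comp="$1"
    users=$(printf '%s' "$2" | tr ',' ' ')
    role="SRPadmin-$comp"
    auth="hpux.SRPadmin-$comp"

    for u in $users; do
        user_exists "$u" || { echo "srp_admin_setup: no such user: $u" >&2; return 1; }
    done

    # 1. role for the compartment
    run_or_print roleadm add "$role"                       || return 1
    # 2. authorization whose object is the compartment
    run_or_print authadm add "$auth" "$comp"               || return 1
    # 3. bind authorization to role
    run_or_print authadm assign "$role" "$auth" "$comp"    || return 1
    # 4. bind each administrator to the role
    for u in $users; do
        run_or_print roleadm assign "$u" "$role"           || return 1
    done
    # 5. let that authorization run srp_rc as root inside the compartment
    run_or_print cmdprivadm add cmd=/opt/hpsrp/bin/srp_rc op="$auth" \
        object="$comp" ruid=0 euid=0 compartment="$comp"
}

# Stand-alone use: sh srp_admin_setup.sh COMPARTMENT USER[,USER...]
if [ "$#" -eq 2 ]; then
    srp_admin_setup "$1" "$2"
fi
```

Running it with DRY_RUN=1 (the default) for compartment web01 and users root,opsadm prints the six commands in order; set DRY_RUN=0 to apply them. Note that, exactly as with the admin service itself, nothing here grants those users login access to the compartment: the role only confers the right to run srp_rc, and login must be configured separately.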
Login Access
Configuring an administrative user does not grant that user login access to the compartment. A user
does not have to be logged in to an SRP compartment to start or stop the compartment, or to modify
the configuration data.
To specify the users authorized to log in to the compartment, use the SRP login service or the
authadm command.
6.1.3 The prm Service
The prm service creates a new PRM group for an SRP compartment. SRP does not allow you to add
an SRP compartment to an existing PRM group. To add an SRP compartment to an existing PRM