compartment_login.5 (2010 09)

compartment_login(5) compartment_login(5)
NAME
compartment_login - description of compartment login feature
DESCRIPTION
In the HP-UX Security Containment product,
compartments provide a mechanism to host multiple
applications on a single operating system instance. This mechanism works well when all applications are
under the same administrative domain.
When different applications or their instances are under different administrative domains, you can use
the compartment login feature to define a relationship between users and compartments when the user
initially starts up a login session. The compartment login feature is part of the HP-UX Compartment
Login product. Refer to the HP-UX Compartment Login Release Notes for product information, and refer
to the HP-UX Compartment Login Using Secure Shell (SSH) white paper on how to configure and start
multiple instances of Secure Shell Daemon (SSHD) in different compartments.
In compartment login, the user-to-compartment association is valid only at the time a new login session
is created. When users log in to the system, if they are authorized, they are automatically placed in the
compartment of the login service to which they are connected. Otherwise, the login fails. Refer to the
How to Test a User Login to a Compartment section for more details.
How to Enable Compartment Login
By default, the compartment login feature is disabled. To enable compartment login, set CMPT_LOGIN to
1 in the /etc/cmpt/cmpt.conf compartment configuration file. To disable this feature, set CMPT_LOGIN
to 0.
Also refer to pam_hpsec(5) for information about the bypass_cmpt_restrict option. You can use the
bypass_cmpt_restrict option to bypass the compartment access check during login for a specific
service even when the compartment login feature is enabled.
How to Configure Login Compartments for Users
Upon installing the Compartment Login product, the following new authorization is created in the system:
(hpux.security.compartment.login, *). Administrators use this authorization to define login
compartments for users in the system. Authorizations cannot be assigned directly to users. Instead,
authorizations are assigned to roles and roles are defined for users. Refer to rbac(5) for more information
about roles.
Administrators must use the object part of the new authorization to specify the login compartment for a
user. Only compartment names can be used in the object part of this authorization. Only one compartment
can be specified in the object part. Multiple login compartments for a user have to be specified with
more than one authorization assignment. That is, the same authorization has to be assigned more than
once, with the operation part being the same and only the object part varying between compartment
names.
The following steps explain how to define C1 and C2 as login compartments for user "joe":
1. Create a new App1Role role.
   # roleadm add App1Role
2. Assign user joe to App1Role.
   # roleadm assign joe App1Role
3. Assign (allow) compartment login authorizations with compartments C1 and C2 to the App1Role
   role.
   # authadm assign App1Role hpux.security.compartment.login "C1"
   # authadm assign App1Role hpux.security.compartment.login "C2"
The above assignment means that any user who belongs to the App1Role role (in our example only
user joe belongs to this role) can log in to compartments C1 and C2.
If an asterisk (*) is in the object part, it represents every compartment in the system. For
example, the following assignment means that users belonging to the App1Role role can log in to
all compartments in the system.
   # authadm assign App1Role hpux.security.compartment.login *
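As an added example (not part of this man page), the following POSIX shell script models the authorization rule described above so an administrator can check the intended policy offline: a user's roles are looked up, then each role's authorizations are scanned for hpux.security.compartment.login with a matching compartment name or * in the object part. The two data files are constructed here, and their "user:role" and "role:(operation, object)" layout is an assumption modelled on HP-UX RBAC's user_role and role_auth files.

```shell
#!/bin/sh
# Added example: offline model of the compartment login authorization check.
# ASSUMPTION: the two files below imitate the layout of HP-UX RBAC's
# /etc/rbac/user_role ("user:role") and /etc/rbac/role_auth
# ("role:(operation, object)"); all entries are constructed sample data.
USER_ROLE=$(mktemp) || exit 1
ROLE_AUTH=$(mktemp) || exit 1
trap 'rm -f "$USER_ROLE" "$ROLE_AUTH"' EXIT

cat >"$USER_ROLE" <<'EOF'
joe:App1Role
ann:App2Role
EOF

# App1Role: one assignment per compartment (same operation, object varies).
# App2Role: "*" in the object part matches every compartment.
cat >"$ROLE_AUTH" <<'EOF'
App1Role:(hpux.security.compartment.login, C1)
App1Role:(hpux.security.compartment.login, C2)
App2Role:(hpux.security.compartment.login, *)
EOF

# can_login USER COMPARTMENT: exit 0 if some role of USER carries the
# hpux.security.compartment.login authorization for COMPARTMENT or "*".
can_login() {
    awk -F: -v u="$1" -v c="$2" '
        FNR == NR { if ($1 == u) roles[$2] = 1; next }   # pass 1: user -> roles
        ($1 in roles) {                                   # pass 2: role -> authorizations
            gsub(/[() ]/, "", $2); split($2, p, ",")      # p[1] = operation, p[2] = object
            if (p[1] == "hpux.security.compartment.login" && (p[2] == c || p[2] == "*")) {
                found = 1; exit
            }
        }
        END { if (found) exit 0; exit 1 }' "$USER_ROLE" "$ROLE_AUTH"
}

# Report the resulting policy for a few user/compartment pairs.
for pair in joe:C1 joe:C2 joe:C3 ann:C3 bob:C1; do
    u=${pair%%:*}; c=${pair#*:}
    if can_login "$u" "$c"; then echo "$u -> $c: allowed"; else echo "$u -> $c: denied"; fi
done
```

A user with no role (bob) or a role without a matching object (joe to C3) is denied, which is the login failure the DESCRIPTION section describes.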
HP-UX 11i Version 3: September 2010 - 1 - Hewlett-Packard Company
