rbac.5 (2010 09)

rbac(5) rbac(5)
     role       A valid role, as defined in /etc/rbac/roles.

     operation  A specific operation that can be performed on an object.  For
                example, hpux.printer.add is the operation of adding a
                printer.  The wildcard form hpux.printer.* matches every
                operation under hpux.printer, such as adding or deleting a
                printer.

     object     The object the user can access.  If * is specified, the
                operation applies to all objects.
     The following lines specify auditing of the SecurityOfficer role when it
     exercises the authorization (hpux.passwd, /etc/passwd), and of the
     PrinterAdm role when it performs hpux.printer.add on any object:

          SecurityOfficer, hpux.passwd, /etc/passwd
          PrinterAdm, hpux.printer.add, *
EXAMPLES
     The following example shows how a root user uses the RBAC administrative
     commands to allow the non-root user John to execute the
     /usr/sbin/useradd command.
     1.  Add a role named UserAdmin to the roles database:

              # /usr/sbin/roleadm add UserAdmin

         The above command adds the UserAdmin role to the /etc/rbac/roles
         database.
     2.  List the authorizations defined on the system to determine which
         are available:

              # /usr/sbin/authadm list sys
     3.  Add an authorization named (hpux.admin.useradd,*) to the auths
         database.  The operation is hpux.admin.useradd and the object is *.

              # /usr/sbin/authadm add hpux.admin.useradd

         In the above example the object is not specified and therefore
         defaults to *, which means that the operation applies to ALL
         objects.  The authorization (hpux.admin.useradd,*) is added to the
         /etc/rbac/auths database.
     4.  Assign the authorization (hpux.admin.useradd,*) to the UserAdmin
         role:

              # /usr/sbin/authadm assign UserAdmin hpux.admin.useradd

         The above command adds the following entry to the
         /etc/rbac/role_auth database:

              UserAdmin:(hpux.admin.useradd,*)
     5.  Assign the role UserAdmin to user John:

              # /usr/sbin/roleadm assign John UserAdmin

         The above command adds the following entry to the
         /etc/rbac/user_role database:

              John:UserAdmin
     6.  Add the command /usr/sbin/useradd to the cmd_priv database:

              # /usr/sbin/cmdprivadm add cmd=/usr/sbin/useradd \
                    op=hpux.admin.useradd ruid=0 euid=0

         The above command adds the following entry to the
         /etc/rbac/cmd_priv database:

              /usr/sbin/useradd:dflt:(hpux.admin.useradd,*):0/0//:dflt:dflt:dflt:
     7.  Check that the syntax and entries in the RBAC databases are valid:

              # /usr/sbin/rbacdbchk
     8.  Non-root user John is now associated with the UserAdmin role, and
         the UserAdmin role holds the authorization (hpux.admin.useradd,*),
         which is the authorization the cmd_priv entry requires for
         executing /usr/sbin/useradd.  John can now run /usr/sbin/useradd
         through privrun to add regular users to the system:

              $ /usr/bin/privrun /usr/sbin/useradd new_user

         privrun looks up the command path in cmd_priv, verifies that one of
         John's roles carries the required authorization, and runs the
         command with the ruid/euid recorded in the entry (0/0).  The path
         given to privrun is the one looked up, so it must be the same path
         that was registered in step 6 (/usr/sbin/useradd).
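     The following is an added example, not part of the rbac(5) manual or of
     HP-UX itself.  It parses database contents in the formats the example
     above shows (user_role, role_auth, cmd_priv, and the aud_filter lines
     described earlier), resolves whether privrun would grant a user a given
     command, and reports every user/command/euid grant, which is the view an
     auditor wants after a change.  The sample database contents are
     constructed inline; /usr/sbin/lpadmin, the user alice and the role
     PrinterAdm's (hpux.printer.*,*) authorization are assumed for
     illustration.  The cmd_priv field layout beyond the fields the manual
     explains, and the exact wildcard rule ('*' matches anything, a trailing
     '.*' matches any operation under that prefix), are assumptions.

```python
import re

# Constructed sample contents modelled on the rbac(5) entry formats.
# On HP-UX the real files live under /etc/rbac/.
USER_ROLE = """\
John:UserAdmin
alice:PrinterAdm
"""
ROLE_AUTH = """\
UserAdmin:(hpux.admin.useradd,*)
PrinterAdm:(hpux.printer.*,*)
"""
CMD_PRIV = """\
/usr/sbin/useradd:dflt:(hpux.admin.useradd,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.admin.userdel,*):0/0//:dflt:dflt:dflt:
/usr/sbin/lpadmin:dflt:(hpux.printer.add,*):0/0//:dflt:dflt:dflt:
"""
AUD_FILTER = """\
SecurityOfficer, hpux.passwd, /etc/passwd
PrinterAdm, hpux.printer.add, *
"""

# "(operation,object)" as it appears in role_auth and cmd_priv
AUTH_RE = re.compile(r"\(([^,()]+),([^()]*)\)")


def lines(text):
    """Yield non-empty, non-comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_user_role(text):
    """user -> set of roles (a user may appear on several lines)."""
    roles = {}
    for line in lines(text):
        user, role = (f.strip() for f in line.split(":", 1))
        roles.setdefault(user, set()).add(role)
    return roles


def parse_role_auth(text):
    """role -> list of (operation, object) authorizations."""
    auths = {}
    for line in lines(text):
        role, rest = line.split(":", 1)
        auths.setdefault(role.strip(), []).extend(AUTH_RE.findall(rest))
    return auths


def parse_cmd_priv(text):
    """Command path, the (op, obj) it requires, and the ruid/euid privrun
    switches to.  Fields after the uid field are assumed and ignored."""
    entries = []
    for line in lines(text):
        fields = line.split(":")
        op, obj = AUTH_RE.match(fields[2]).groups()
        ruid, euid = fields[3].split("/")[:2]
        entries.append({"cmd": fields[0], "op": op, "obj": obj.strip(),
                        "ruid": ruid, "euid": euid})
    return entries


def op_matches(granted, required):
    """Assumed wildcard rule: '*' matches any operation; 'hpux.printer.*'
    matches any operation under hpux.printer; otherwise names must be equal."""
    if granted == "*":
        return True
    if granted.endswith(".*"):
        return required.startswith(granted[:-1])   # keep the trailing dot
    return granted == required


def obj_matches(granted, required):
    return granted == "*" or granted == required


def can_privrun(user, cmd, user_role=USER_ROLE, role_auth=ROLE_AUTH,
                cmd_priv=CMD_PRIV):
    """Return (role, ruid, euid) for the first role of `user` whose
    authorization satisfies the cmd_priv entry for `cmd`, else None."""
    roles = parse_user_role(user_role).get(user, set())
    auths = parse_role_auth(role_auth)
    for entry in parse_cmd_priv(cmd_priv):
        if entry["cmd"] != cmd:          # exact path match, as privrun does
            continue
        for role in sorted(roles):
            for op, obj in auths.get(role, []):
                if op_matches(op, entry["op"]) and obj_matches(obj, entry["obj"]):
                    return role, entry["ruid"], entry["euid"]
    return None


def is_audited(role, op, obj, aud_filter=AUD_FILTER):
    """True if an aud_filter line 'role, operation, object' covers the use."""
    for line in lines(aud_filter):
        f_role, f_op, f_obj = (f.strip() for f in line.split(","))
        if f_role == role and op_matches(f_op, op) and obj_matches(f_obj, obj):
            return True
    return False


def privileged_report(user_role=USER_ROLE, role_auth=ROLE_AUTH,
                      cmd_priv=CMD_PRIV):
    """Audit view: every (user, command, role, euid) privrun would grant."""
    rows = []
    for user in sorted(parse_user_role(user_role)):
        for entry in parse_cmd_priv(cmd_priv):
            hit = can_privrun(user, entry["cmd"], user_role, role_auth, cmd_priv)
            if hit:
                rows.append((user, entry["cmd"], hit[0], hit[2]))
    return rows


if __name__ == "__main__":
    for user, cmd, role, euid in privileged_report():
        print("%s may run %s via role %s as euid %s" % (user, cmd, role, euid))
```

     Run against the real files (read /etc/rbac/user_role, role_auth and
     cmd_priv instead of the inline strings) after step 7 to confirm that
     the only new grant is John on /usr/sbin/useradd; any unexpected row in
     the report is a wildcard or object mismatch worth fixing before step 8.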
HP-UX 11i Version 3: September 2010 5 Hewlett-Packard Company 5