Administrator's Guide
To meet file permission bits requirements (DAC restrictions), the user must have root authority
to modify tar with wlisign. The command is signed with the administrator key:
% su root
# wlisign -a -k adm1.pvt /usr/bin/tar
The wmd capability is not granted to /usr/bin/tar. Only the key authorizing execution of
wliwrap must be granted wmd capability. File permission bits restrictions (DAC permissions)
on /usr/bin/tar must be met for wlisign, therefore the signing was executed by root user.
Signing tar with an administrator key is required because it executes as a child process of
wliwrap. If tar is signed by a WLI key without administrator privilege, wmd capability is not
granted through wliwrap.
The key authorizing wliwrap execution must have wmd capability. The key can be granted wmd
before or after the signing, but must be granted wmd before tar executes as a child process of
wliwrap. To grant wmd to key adm1.pvt:
% wlicert -s -c wli.admin1 -o wmd -k adm1.pvt
In Example B-1 (page 49), all capabilities are granted to adm1.pvt, but only the capabilities
granted in the previous command are necessary. The backup can now be generated because wmd
is granted through key adm1.pvt.
% wliwrap -k adm1.pvt -o wmd "/tar -cvf tartest.tar /tmp/tartest"
wliwrap: process capability wmd set
wliwrap: executing command: tar -cvf tartest.tar /tmp/tartest
a ./tartest/tfile1 1 blocks
a ./tartest/tfile2 1 blocks
a ./tartest/tfile3 1 blocks
a ./tartest/.$WLI_POLICY$/tfile1 4 blocks
a ./tartest/.$WLI_POLICY$/tfile2 4 blocks
a ./tartest/.$WLI_POLICY$/tfile3 4 blocks
The wmd capability granted to the executing process overrides any IBAC, allowing tar to read
all files. Granting an IBAC policy to any file to allow the backup to proceed is not necessary.
Protected files and associated metadata files are now stored on the archive tartest.tar. The
metadata storage is either pseudo or the file system is not VxFS 5.0.1 or later. If VxFS named data
streams are used for metadata storage, the .$WLI_POLICY$ directory and its files do not appear.
For details on setting metadata storage type, see wlisys(1M).
The administrator key is used to authorize wliwrap execution and grant wmd capability to the
tar child process in this example. This is done only for convenience because it is likely the same
user would sign the backup command and generate backups. A WLI user key without
administrator authority is sufficient to authorize wliwrap execution.
The tar command is executed with the effective user ID of the login user in this example. The
owner and group IDs of the generated archive matches the login values of owner and group, as
if tar is executed directly.
This preparation for backing up policy protected files can be applied to backing up non ELF
binary executables with associated metadata in .$WLI_SIGNATURE$ directories. A
.$WLI_FSPARMS$ file can also be backed up. This procedure can be applied to backing up an
entire file system containing policy protected files and signed executables.
Example B-3 Restoring policy protected files
HP recommends using wliwrap to backup and restore policy protected files and associated
metadata. Granting permanent wmd capability to a command with wliwrap is not necessary, as
demonstrated in Example B-2 (page 49).
This example demonstrates how to restore the backup archive generated in Example B-2 (page 49).
As with the generation of the archive, the WLI security mode is restricted so all WLI file access
policies are enforced. Guidelines for the server do not allow security to be downgraded at any
time.
50 Administration examples