Administrator's Guide

You cannot run privedit on a file that is restricted by a compartment definition.

To provide a different application with fine-grained privileges, the privrun
command must itself be running with the same privileges it provides to the
application. By default, privrun is configured to run with all privileges (see
getfilexsec(1M) for more information). However, this default privilege set can
sometimes be restricted. For example, if a compartment is configured to disallow
privileges, that configuration prevents privrun from providing those privileges
to an application in that compartment, because privrun does not hold the
privileges itself. Note that by default, sealed compartments are configured to
disallow the POLICY compound privilege.

For privrun to invoke another application in a compartment, privrun must
assert the CHANGECMPT privilege. If privrun cannot assert the CHANGECMPT
privilege (for example, because the compartment is configured to disallow
privileges), privrun fails. This behavior is intentional and designed to
reinforce the concept of a sealed compartment.

8.5 Configuring HP-UX RBAC

Configuring HP-UX RBAC is a three-step process:
1. Configure the roles.
2. Configure the authorizations.
3. Configure any additional commands.

IMPORTANT: Authorizations are built in (hard-coded) to the HP-UX RBAC administration
commands and cannot be configured. However, you can configure which roles and
users have the required HP-UX RBAC administration command authorizations.

HP-UX RBAC administration commands do not need to be wrapped with the privrun
command because they are setuid=0. The HP-UX RBAC administration commands run
with privileges equal to root regardless of who invokes them. Access control checks limit
who can use the HP-UX RBAC administrative commands.

See the Authorization section in the manpage of each HP-UX RBAC administrative
command for more information about its authorizations.

This section uses the example planning results and users in Table 8-6 to demonstrate
the HP-UX RBAC administrative commands and configuration process.