Administrator's Guide

NOTE: Use only the cmdprivadm command to configure compartments for commands.
Do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.
To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the
entry and then add the updated version back in. When you use cmdprivadm to delete
entries, the arguments act as filters, not as an exact key. For example, the command
cmdprivadm delete op=foo removes every entry whose operation is foo, whichever
command each entry grants. Therefore, when you use cmdprivadm to delete entries,
specify enough arguments (for example, the command path as well as the operation)
to uniquely identify the entries to be removed.
8.6 Using HP-UX RBAC
This section explains how to run the privrun and privedit commands to operate
HP-UX RBAC.
8.6.1 Using the privrun Command to Run Applications with Privileges
The privrun command enables a user to run legacy applications with different privileges,
according to the authorizations associated with the invoking user. The user invokes
privrun, specifying the legacy application as command line arguments. Next, privrun
consults the /etc/rbac/cmd_priv database to determine what authorization is required
to run the command with additional privileges. If the user has the necessary authorization,
privrun invokes the specified command after changing its UID and/or GID as specified
in the /etc/rbac/cmd_priv database.
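Both the NOTE about cmdprivadm delete filters and privrun's selection of an entry by effective or real UID/GID come down to picking rows of /etc/rbac/cmd_priv by field value. The following POSIX shell script is an added example, not HP-UX code or text from this guide: it dry-runs a set of key=value filters against a constructed cmd_priv-style file so you can see which entries a delete (or a privrun -u/-U/-g/-G match) would hit before touching the real database. The field layout cmd:args:(op,object):ruid/euid/rgid/egid:compartment:privs:flags, the sample entries, and the commands /opt/app/bin/foo and /opt/app/bin/bar are assumptions for illustration; confirm the layout against cmd_priv(4) and the accepted keys against cmdprivadm(1M) on your system.

```shell
#!/bin/sh
# Added example (not HP-UX code): dry-run the filter semantics of
# "cmdprivadm delete key=value ..." against a cmd_priv-style file, so you can
# see exactly which entries a filter would remove before running the real command.
# The same key=value filters model privrun's -u/-U/-g/-G entry selection.
#
# ASSUMED field layout (confirm against cmd_priv(4) on your system):
#   cmd:args:(op,object):ruid/euid/rgid/egid:compartment:privs:flags

# Constructed sample database for illustration only; not a real /etc/rbac/cmd_priv.
SAMPLE_DB=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_DB"' EXIT
cat >"$SAMPLE_DB" <<'EOF'
# command:args:(op,object):ruid/euid/rgid/egid:compartment:privs:flags
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt:dflt:
/opt/app/bin/foo:dflt:(foo,*):0/0//:dflt:dflt:dflt:
/opt/app/bin/bar:dflt:(foo,*):100/0//:dflt:dflt:dflt:
EOF

# match_entries DBFILE key=value ...
# Prints every entry for which ALL given filters match. Recognised keys:
# cmd, op, object, ruid, euid, rgid, egid, compartment. Quote values containing '*'.
match_entries() {
    _db=$1; shift
    awk -v filters="$*" -F: '
    BEGIN {
        n = split(filters, f, " ")
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            want[substr(f[i], 1, eq - 1)] = substr(f[i], eq + 1)
        }
    }
    /^#/ || NF == 0 { next }
    {
        s = $3; gsub(/[()]/, "", s); split(s, oo, ",")   # "(op,object)"
        split($4, ids, "/")                              # "ruid/euid/rgid/egid"
        v["cmd"] = $1; v["op"] = oo[1]; v["object"] = oo[2]
        v["ruid"] = ids[1]; v["euid"] = ids[2]; v["rgid"] = ids[3]; v["egid"] = ids[4]
        v["compartment"] = $5
        ok = 1
        for (k in want) if (!(k in v) || v[k] != want[k]) ok = 0
        if (ok) print
    }' "$_db"
}

# count_matches DBFILE key=value ...  -> number of entries the filter would hit
count_matches() {
    match_entries "$@" | wc -l | tr -d ' '
}

# Demonstration: the filter from the NOTE hits two entries, not one.
echo "== cmdprivadm delete op=foo would remove:"
match_entries "$SAMPLE_DB" op=foo
echo "== cmdprivadm delete cmd=/opt/app/bin/bar op=foo would remove:"
match_entries "$SAMPLE_DB" cmd=/opt/app/bin/bar op=foo
echo "== privrun -u 0 /opt/app/bin/foo would consider:"
match_entries "$SAMPLE_DB" cmd=/opt/app/bin/foo euid=0
```

Run the dry-run with the same key=value arguments you intend to pass to cmdprivadm delete; if it prints more than the one entry you mean to remove, add filters until it does not. The euid= and ruid= keys correspond to what privrun's -u and -U options match on.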
The following is the privrun command syntax:

privrun [options] command [args]

    [-u eUID|username]
    [-g eGID|groupname]
    [-U rUID|username]
    [-G rGID|groupname]
    [-a (operation, object)]
    [-c compartment]
    [-p privilege[,privilege,privilege...]]
    [-x]
    [-v [-v]]
    [-h]
    [-t]
The following list explains each of the privrun command options:
-u Matches only those entries containing the effective user ID (EUID) corresponding
to the specified EUID or the EUID associated with the username.
-g Matches only those entries containing the effective group ID (EGID) corresponding
to the specified EGID or the EGID associated with the group name.
-U Matches only those entries containing the real user ID (RUID) corresponding to the
specified RUID or the RUID associated with the username.