Administrator's Guide

However, the editor recognizes and supports editor-specific environment variables if you
set them before invoking privedit.
Use a fully qualified file name as a privedit argument to identify which file to edit. If
you do not use a fully qualified file name, privedit adds the current working directory
to the beginning of the file name you specify. Regardless of how you specify the file to
edit, all file names are fully qualified after you invoke privedit. The privedit
command also recognizes and supports files that are symbolic links.
The privedit command can edit only one file at a time. If you specify multiple file
names as privedit arguments, privedit edits the first file specified and ignores the
subsequent file names. The following shows the privedit command syntax:
    privedit [option] fully-qualified-file-name
        | [-a (operation, object)]
        | [-v]
        | [-h]
        | [-t]
        | [-x]
The following is a list and brief description of the privedit command options:
    -a authorization   Matches only the /etc/rbac/cmd_priv file entries that
                       have the specified authorization.
    -v                 Invokes privedit in verbose mode.
    -h                 Prints privedit help information.
    -t                 Checks if the user has the required authorization to
                       edit the file and reports the results.
    -x                 If the authorization check fails, the file will be
                       edited with the caller's original privileges.
The following is an example of using a privedit command to edit the
/etc/default/security file with the specific authorization of (hpux.sec.edit,
secfile):
    # privedit -a "(hpux.sec.edit, secfile)" /etc/default/security
NOTE: Remember that the flag values for each entry in the cmd_priv database dictate
whether or not privedit can edit a file. See “Configuring Additional Command
Authorizations and Privileges” and the privedit(1M) manpage for more information about
flags and using the privedit command.
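A pre-flight check for the file-name handling described above (relative names get the current working directory prepended, only the first file name is edited, symbolic links are accepted). This is an added example, not HP-UX code: the helper names qualify_name and privedit_preflight are hypothetical, and the script only prints the privedit command line instead of running it.

```shell
#!/bin/sh
# Added example; qualify_name and privedit_preflight are hypothetical helpers.

# Qualify a name the way the guide describes: a name that does not start
# with "/" gets the current working directory added to the beginning.
qualify_name() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${PWD%/}" "$1" ;;   # ${PWD%/} avoids "//name" in /
    esac
}

# Usage: privedit_preflight [-a "(operation, object)"] file
# Prints the privedit command for exactly one fully qualified file name.
# Returns 2 when extra file names are given, because privedit would edit
# the first one and ignore the rest without saying so.
privedit_preflight() {
    auth=""
    if [ "$1" = "-a" ]; then
        [ $# -ge 2 ] || { echo "error: -a needs an authorization" >&2; return 2; }
        auth=$2
        shift 2
    fi
    if [ $# -ne 1 ]; then
        echo "error: expected exactly one file name, got $#" >&2
        return 2
    fi
    target=$(qualify_name "$1")
    # Symbolic links are supported by privedit; surface them so the
    # administrator sees that the name is a link before editing.
    if [ -h "$target" ]; then
        echo "note: $target is a symbolic link" >&2
    fi
    if [ -n "$auth" ]; then
        printf 'privedit -a "%s" %s\n' "$auth" "$target"
    else
        printf 'privedit %s\n' "$target"
    fi
}

# The guide's own invocation, passed through the pre-flight check.
privedit_preflight -a "(hpux.sec.edit, secfile)" /etc/default/security
```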
8.6.3 Customizing privrun and privedit Using the ACPS
The HP-UX RBAC feature provides the ability to customize how privedit and privrun
check user authorizations. The ACPS module is a customizable interface that provides
responses to applications that must make authorization decisions. The ACPS configuration
file, /etc/acps.conf, controls the following aspects of the ACPS:
166 HP-UX Role-Based Access Control