Manualshelf

HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

ManualsBrandsHP ManualsSoftwareHP-UX 11i Role-based Access Control (RBAC) Software
41424344454647484950
Refer to “HP-UX RBAC Access Control Policy Switch”, and acps.conf(4), acps(3), and rbac(5) for
more information about the ACPS.
Troubleshooting HP-UX RBAC
The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX RBAC:
The rbacdbchk utility verifies HP-UX RBAC database syntax.
The privrun -v command reports additional and relevant information.
The rbacdbchk Database Syntax Tool
The most common bugs are caused by manual editing of the HP-UX RBAC databases, resulting
in syntactically invalid configurations or in configurations that are inconsistent between databases
(for example, a role in /etc/rbac/user_role that is not defined in /etc/rbac/roles). To
assist in diagnosing these common mistakes, HP-UX RBAC includes an rbacdbchk command.
This command reads through the HP-UX RBAC databases and prints warnings where incorrect
or inconsistent configuration entries are found:
# rbacdbchk
[/etc/rbac/user_role] chandrika: UserOperator
invalid user
The value 'chandrika' for the Username field is bad.
[/etc/rbac/cmd_priv]
/opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt:
invalid command: Not found in the system
The value '/opt/cmd' for the Command field is bad.
[Role in role_auth DB with no assigned user in user_role DB]
Rebooter:(hpux.admin.*, *)
[Invalid Role in user_role DB. Role 'UserOperator' assigned to user 'chandrika' does not exist in the roles DB]
On a correctly configured system, the rbacdbchk command produces no output, indicating no
errors are present.
privrun -v Information
The second method for detecting issues is to run the privrun command with the -v option
(verbose mode). In verbose mode, privrun provides additional information about the entries
that the input command matched and the status of the authorization checking, as well as other
relevant data. In many cases, this output clarifies the issue causing privrun to fail. Specify the
-v option multiple times for additional levels of verbose output. The following is an example of
the privrun -v output with the ipfstat command:
# privrun -v /sbin/ipfstat
privrun: user root intends to execute command /sbin/ipfstat
privrun: input entry: '/sbin/ipfstat:dflt:(,):///:dflt:dflt::'
privrun: found matching entry: '/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::'
privrun: passed authorization check
privrun: attempting to set ruid/euid/rgid/egid to 0/0/-1/-1
privrun: current settings for ruid/euid/rgid/egid are 0/0/3/3
privrun: executing: /sbin/ipfstat
50 HP-UX Role-Based Access Control