HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Table 3-4 HP-UX RBAC Commands

Command                       Description
privrun                       Invokes a legacy application with privileges after performing authorization checks and optionally re-authenticating the user.
privedit                      Allows authorized users to edit files that are under access control.
roleadm                       Edits role information in the /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles files.
authadm                       Edits authorization information in the /etc/rbac/role_auth and /etc/rbac/roles files.
cmdprivadm                    Edits command authorizations and privileges in the /etc/rbac/cmd_priv database.
rbacdbchk                     Verifies authorizations and syntax in the HP-UX RBAC and privrun database files.
privsh, privcsh, and privksh  These shells automatically invoke the access control subsystem to run commands with privileges when appropriate.
HP-UX RBAC Manpages
Table 3-5 “HP-UX RBAC Manpages” lists and briefly describes the HP-UX RBAC manpages.
Table 3-5 HP-UX RBAC Manpages

Manpage          Description
rbac(5)          Describes the HP-UX RBAC feature.
acps(3)          Describes the ACPS and its interfaces.
acps.conf(4)     Describes the ACPS configuration file and its syntax.
acps_api(3)      Describes the ACPS Application Programming Interface.
acps_spi(3)      Describes the ACPS Service Provider Interface.
privrun(1m)      Describes privrun functionality and syntax.
privedit(1m)     Describes privedit functionality and syntax.
roleadm(1m)      Describes roleadm functionality and syntax.
authadm(1m)      Describes authadm functionality and syntax.
cmdprivadm(1m)   Describes cmdprivadm functionality and syntax.
rbacdbchk(1m)    Describes rbacdbchk functionality and syntax.
privsh(5m)       Overview of the various privileged system shells.
HP-UX RBAC Architecture
The primary component of HP-UX RBAC is the privrun command, which invokes existing
commands, applications, and scripts. The privrun command uses the ACPS subsystem to make
access control requests. An access request is granted or denied based on a set of configuration
files that define user-to-role and role-to-authorization mappings.
If the access request is granted, privrun invokes the target command with additional privileges,
which can include one or more of a UID, a GID, fine-grained privileges, and compartments.
The privileges are configured to enable the target command to run successfully.
Figure 3-1 “HP-UX RBAC Architecture” illustrates the HP-UX RBAC architecture.
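As an added illustration of the decision chain just described (this is example code written for this page, not code from the guide or from HP-UX itself), the following Python model walks the user-to-role and role-to-authorization mappings and compares the result with the authorization a command entry requires before the command's privileges are applied. The record layouts, user names, roles, commands and authorization strings below are constructed assumptions for the example, not the real /etc/rbac file formats.

```python
# Added illustration of the privrun decision chain: user -> role -> authorization,
# checked against the authorization a command requires. The record layouts here
# are simplified assumptions for this example, NOT the real /etc/rbac file formats.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CmdPriv:
    """Assumed shape of one cmd_priv entry: the authorization the command requires
    and the privileges privrun would add if the request is granted."""
    authorization: Tuple[str, str]          # (operation, object)
    uid: Optional[int] = None
    gid: Optional[int] = None
    privileges: Tuple[str, ...] = ()
    compartment: Optional[str] = None

# Constructed sample policy (hypothetical users, roles, commands and objects).
USER_ROLE = {"alice": {"Administrator"}, "bob": {"Operator"}}
ROLE_AUTH = {
    "Administrator": {("hpux.user.add", "*"), ("hpux.printer.manage", "*")},
    "Operator": {("hpux.printer.manage", "*")},
}
CMD_PRIV = {
    "/usr/sbin/useradd": CmdPriv(("hpux.user.add", "*"), uid=0),
    "/usr/sbin/lpadmin": CmdPriv(("hpux.printer.manage", "*"), uid=0, gid=7),
}

def check_access(user: str, command: str) -> Tuple[bool, str]:
    """Walk user -> roles -> authorizations and compare with the command's
    required authorization. Returns (granted, reason)."""
    entry = CMD_PRIV.get(command)
    if entry is None:                       # command not under RBAC: nothing to elevate
        return False, f"{command} is not in cmd_priv"
    roles = USER_ROLE.get(user, set())
    if not roles:                           # a user with no role is always denied
        return False, f"{user} has no role assigned"
    op, obj = entry.authorization
    for role in sorted(roles):
        for r_op, r_obj in ROLE_AUTH.get(role, set()):
            if r_op == op and r_obj in ("*", obj):   # '*' as a wildcard is assumed
                return True, f"role {role} holds ({op}, {obj})"
    return False, f"no role of {user} holds ({op}, {obj})"

def privileges_for(user: str, command: str) -> Optional[CmdPriv]:
    """The privileges privrun would apply, or None when the check fails."""
    granted, _ = check_access(user, command)
    return CMD_PRIV[command] if granted else None
```

A real deployment keeps these mappings in the /etc/rbac files edited by roleadm, authadm and cmdprivadm, and rbacdbchk is the tool for confirming that those files are consistent before relying on them.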
HP-UX RBAC Components 31