HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
For example, if a compartment is configured to disallow privileges, this specification
prevents privrun from providing the privileges to the application in that compartment
because privrun does not have the privileges itself. Note that by default, sealed
compartments are configured to disallow the POLICY compound privilege.
— For privrun to invoke another application in a compartment, privrun must assert
the CHANGECMPT privilege. If privrun cannot assert the CHANGECMPT privilege, for
example, if the compartment is configured to disallow privileges, privrun will fail.
This behavior is intentional and designed to reinforce the concept of a sealed
compartment.
Configuring HP-UX RBAC
HP-UX RBAC B.11.23.04 provides you with two different methods to configure the access control
roles, authorizations, and commands:
1. Using the command line and the associated management commands, such as roleadm, authadm,
and cmdprivadm.
2. Using the Web-based System Management Homepage (SMH) and the newly-available
HP-UX RBAC management tabs.
The command-line method is described in further detail below and in the man pages for the
respective commands. The SMH-based method is similar to using the command line, but is
made significantly easier because you populate Web-based forms that are consistent with other
features managed through SMH. Further assistance with the Web-based management is available
through on-line help once SMH has been invoked. See HP System Management Homepage and HP System
Management Homepage Installation Guide: HP-UX, Linux, and Windows Systems for more
information on SMH and instructions on accessing the HP-UX RBAC on-line help.
For both methods, configuring HP-UX RBAC is a three-step process:
1. Configuring roles.
2. Configuring authorizations.
3. Configuring additional commands.
IMPORTANT: Authorizations are built-in (hard-coded) to the HP-UX RBAC administration
commands and cannot be configured. However, you can configure which roles and users have
the required HP-UX RBAC administration command authorizations.
HP-UX RBAC administration commands do not need to be wrapped with the privrun command
because they are setuid=0. The HP-UX RBAC administration commands run with privileges
equal to root regardless of who invokes them. Access control checks limit who can use the HP-UX
RBAC administrative commands.
Refer to the Authorization section in the manpage of each HP-UX RBAC administrative command
for more information about its authorizations.
This “Configuring HP-UX RBAC” section uses the example planning results and users in
Table 3-6 “Example Planning Results” to demonstrate the HP-UX RBAC administrative commands
and configuration process.