HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

commands because it can be difficult to determine the target of an action from the command
name.
An example of this object ambiguity is the /usr/sbin/passwd command. The passwd command
can operate on a number of repositories, for example, the /etc/passwd file, an NIS table, and
an LDAP entry. You cannot determine the actual object by looking at the command line, so it is
typically easiest to require that the user have the operation on all objects, for example:
(hpux.security.passwd.change, *).
NOTE: You can configure a value for the default object. By default, if you do not specify an
object, HP-UX RBAC will use the * wildcard as the object. However, if you have configured a
value for the RBAC_DEFAULT_OBJECT= parameter in /etc/default/security, HP-UX
RBAC will use this value instead of the * wildcard as the default object.
Use the authadm command to edit authorization information in the HP-UX RBAC databases.
The authadm syntax is similar to the roleadm syntax. The following is the authadm command
syntax:
authadm add operation [object [comments]]
        | delete operation [object]
        | assign role operation [object]
        | revoke [role=name][operation=name[object=name]]
        | list [role=name][operation=name[object=name]][sys]
The following is a list and brief description of the authadm command arguments:
add      Adds an authorization to the system list of valid authorizations in /etc/rbac/auths.
delete   Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths.
assign   Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth.
revoke   Revokes an authorization from a role and updates /etc/rbac/role_auth.
list     Lists valid authorizations per system or role, and lists roles associated with the specified operation.
IMPORTANT: Be aware that when you assign an authorization that contains the asterisk *
character, you must surround the wildcard character with quotation marks to prevent shell
interpretation, as shown in the following examples.
The following are examples of authorization creation and assignment based on Table 3-6 “Example
Planning Results”:
# authadm add 'company.customauth.*'
authadm added auth: (company.customauth.*,*)
# authadm assign Administrator 'company.customauth.*'
authadm added auth for role Administrator
Use the list argument with the authadm command to verify the authorization assignment,
for example:
# authadm list
Administrator: (hpux.*, *) (company.customauth.*, *)
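As an added example (not part of the guide or of HP-UX RBAC itself), the following script parses authadm list output of the form shown above and checks whether a role's authorizations cover a given (operation, object) pair, including the passwd case where only an object of * covers every repository. The Operator role, the default-object parameter, and the wildcard matching rules (a trailing * component covers everything beneath it; a * object covers every target) are assumptions made for illustration; the authadm(1M) manual page gives the authoritative semantics.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `authadm list` output. The Administrator line
# is the one the guide shows; the Operator role is an assumed addition.
SAMPLE_LIST = """\
Administrator: (hpux.*, *) (company.customauth.*, *)
Operator: (hpux.security.passwd.change, /etc/passwd)
"""

AUTH_RE = re.compile(r"\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")

def parse_list_output(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each 'Role: (op, obj) ...' line to its list of (operation, object) pairs."""
    roles: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip prompts and blank lines
        role, rest = line.split(":", 1)
        roles[role.strip()] = [(op, obj) for op, obj in AUTH_RE.findall(rest)]
    return roles

def normalize_auth(operation: str, obj: Optional[str] = None,
                   default_object: str = "*") -> Tuple[str, str]:
    """An authorization added without an object gets the default object: '*'
    unless RBAC_DEFAULT_OBJECT is set (modelled here as a parameter)."""
    return operation, default_object if obj is None else obj

def operation_matches(pattern: str, operation: str) -> bool:
    """Assumed rule: a trailing '*' component matches that prefix and anything
    below it (hpux.* covers hpux.security.passwd.change); otherwise exact match."""
    pat, ops = pattern.split("."), operation.split(".")
    if pat[-1] == "*":
        return ops[: len(pat) - 1] == pat[:-1]
    return pat == ops

def is_authorized(roles: Dict[str, List[Tuple[str, str]]],
                  role: str, operation: str, obj: str) -> bool:
    """True if any authorization held by `role` covers (operation, obj). An object
    pattern of '*' covers every target, which is why the guide suggests
    (hpux.security.passwd.change, *) for passwd's ambiguous repositories."""
    return any(operation_matches(p_op, operation) and p_obj in ("*", obj)
               for p_op, p_obj in roles.get(role, []))

if __name__ == "__main__":
    roles = parse_list_output(SAMPLE_LIST)
    # Operator holds the change operation only for /etc/passwd, not for an NIS table.
    print(is_authorized(roles, "Operator", "hpux.security.passwd.change", "nis"))  # False
```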
Step 3: Configuring Additional Command Authorizations and Privileges
Define any additional commands that are not provided in the default configuration. You must
have already created the authorizations needed to run the commands and assigned them to a
role. If you have not done this, the command will be configured, but no user will be appropriately
authorized to use the command.
38 HP-UX Role-Based Access Control