HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
fine-grained privilege and without UID=0 if the user has the (hpux.adm.mount, *)
authorization.
As described in “Using the privrun Command to Run Applications with Privileges”, the privrun
-p command option matches only the entries in the /etc/rbac/cmd_priv database file that
have the privileges specified by the -p option. Be aware that when you specify a privilege using
the privrun -p option, privrun matches every entry that contains the specified privilege,
including groups of privileges and compound privileges that include the -p specified
privilege. The privrun command then executes according to the first match in
/etc/rbac/cmd_priv. For example, the following privrun -p command, and the list of entries
it matches in /etc/rbac/cmd_priv:
The command:
# privrun -p MOUNT /etc/mount
matches the following /etc/rbac/cmd_priv entries:
#---------------------------------------------------------------------------------------------------------------
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
#----------------:--------:-------------------:------:------:---------------------------------------:-----:-----
/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :PRIV_CHOWN, MOUNT :dflt :
/etc/mount :dflt :(hpux.*,nfs) :/// :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount :dflt :(hpux.adm.*,*) :/// :dflt :BASICROOT :dflt :
NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT privilege
because the MOUNT simple privilege is part of the predefined BASICROOT compound privilege.
Refer to the privileges(5) manpage for more information about simple and compound privileges.
IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important because
privrun will execute according to the first explicit match it finds. In the preceding example,
while all three entries are considered matches to the privrun command, privrun would execute
the first entry. Keep the sequence of the entries in mind when configuring commands and
authorizations. The cmdprivadm tool adds entries to the bottom of the /etc/rbac/cmd_priv
file.
NOTE: Use only the cmdprivadm command to configure fine-grained privileges for
commands—do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.
To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry
and then add the updated version back in. When you use cmdprivadm to delete entries, the
arguments act as filters. For example, the cmdprivadm delete op=foo command removes every
entry whose operation is foo. Therefore, when you delete entries with cmdprivadm, specify
enough arguments to uniquely identify the entries to be removed.
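To make the first-match behaviour of privrun -p and the filter-style deletion of cmdprivadm concrete, the following Python script is an added illustration; it is not code from HP or from this guide. It parses the three /etc/mount entries shown above, models privrun -p matching with compound privileges expanded, and models a cmdprivadm-style delete in which every supplied argument is a filter. The COMPOUND_PRIVS table, the function names, and the keyword-filter interface of delete_filtered are assumptions of this example: only the relation the guide states (BASICROOT contains MOUNT) is encoded, the full membership is in privileges(5), and the real cmdprivadm argument syntax (such as op=) is not reproduced; filters are keyed by the column names of the cmd_priv header row instead.

```python
"""Model of how privrun -p selects an /etc/rbac/cmd_priv entry and how a
cmdprivadm-style filtered delete behaves.  Added illustration, not HP code.

Assumptions (not taken from the guide):
- COMPOUND_PRIVS maps a compound privilege to the simple privileges it
  contains.  The guide only states that BASICROOT includes MOUNT, so the
  table is deliberately minimal; see privileges(5) for the real membership.
- Field layout follows the header row shown in the guide:
  Command:Args:Authorizations:U/GID:Cmpt:Privs:Auth:Flags
- delete_filtered takes filters keyed by those column names; the actual
  cmdprivadm argument syntax (op=...) is not modelled.
"""

COMPOUND_PRIVS = {
    "BASICROOT": {"MOUNT"},   # assumption: only the membership the guide states
}

FIELDS = ("command", "args", "authorizations", "ugid", "cmpt", "privs", "auth", "flags")

# Sample entries copied from the guide's example; the comment lines are kept so
# the parser has to skip them.  Entries are on lines 4, 5 and 6 of this text.
SAMPLE_CMD_PRIV = """\
#-----------------------------------------------------------------
# Command : Args :Authorizations :U/GID :Cmpt :Privs :Auth :Flags
#----------------:--------:-------------------:------:------:------
/etc/mount :dflt :(hpux.adm.mount,*) :/// :dflt :PRIV_CHOWN, MOUNT :dflt :
/etc/mount :dflt :(hpux.*,nfs) :/// :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount :dflt :(hpux.adm.*,*) :/// :dflt :BASICROOT :dflt :
"""


def parse_cmd_priv(text):
    """Parse cmd_priv text into a list of dicts, preserving file order.
    Comment and blank lines are skipped; the Privs column becomes a list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["line"] = lineno
        entry["privs"] = [p.strip() for p in entry["privs"].split(",") if p.strip()]
        entries.append(entry)
    return entries


def expand_privs(privs):
    """Set of privileges an entry grants, with compound names expanded."""
    simple = set()
    for p in privs:
        simple.add(p)
        simple.update(COMPOUND_PRIVS.get(p, set()))
    return simple


def matching_entries(entries, command, priv):
    """All entries for `command` whose Privs contain `priv`, directly or via
    a compound privilege, in file order (this is what privrun -p considers)."""
    return [e for e in entries
            if e["command"] == command and priv in expand_privs(e["privs"])]


def first_match(entries, command, priv):
    """The entry privrun acts on: the first match in file order, or None."""
    matches = matching_entries(entries, command, priv)
    return matches[0] if matches else None


def delete_filtered(entries, **filters):
    """Model of a cmdprivadm-style delete: every argument is a filter and
    every entry satisfying all of them is removed.  Returns (kept, removed)."""
    def hit(entry):
        for key, value in filters.items():
            if key == "privs":
                if set(value) != set(entry["privs"]):
                    return False
            elif entry[key] != value:
                return False
        return True
    removed = [e for e in entries if hit(e)]
    kept = [e for e in entries if not hit(e)]
    return kept, removed


if __name__ == "__main__":
    entries = parse_cmd_priv(SAMPLE_CMD_PRIV)
    hits = matching_entries(entries, "/etc/mount", "MOUNT")
    print(f"privrun -p MOUNT /etc/mount matches {len(hits)} entries; "
          f"the first (line {hits[0]['line']}) requires {hits[0]['authorizations']}")
    # An under-specified delete removes every /etc/mount entry ...
    kept, removed = delete_filtered(entries, command="/etc/mount")
    print(f"delete filtered by command only removes {len(removed)} entries")
    # ... while adding the authorization narrows it to the intended one.
    kept, removed = delete_filtered(entries, command="/etc/mount",
                                    authorizations="(hpux.*,nfs)")
    print(f"delete filtered by command and authorization removes {len(removed)} entry")
```

Running the script shows all three entries matching -p MOUNT (the third only because BASICROOT was expanded) and the first entry winning, which is the ordering caveat the guide makes; the two delete calls show why a filter on the command alone is not enough to identify one entry.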
Configuring HP-UX RBAC with Compartments
NOTE: HP-UX RBAC version B.11.23.01 does not support the Compartments component of
the HP-UX 11i Security Containment feature.
HP-UX RBAC can also use the Compartments component of the HP-UX 11i Security Containment
feature to configure applications to run in a particular compartment. With the Compartments
component you can logically partition a system into compartments so that a process cannot
communicate or access resources outside of its compartment (unless a compartment rule is set
up to allow this).
Configuring HP-UX RBAC 43