HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

NOTE: When you use privedit to edit a file, the editor that privedit invokes does not run with
any elevated privileges. As a result, any action attempted from within the editor, such as a
shell escape, runs with the user's typical (non-elevated) privilege set.

You can specify which editor privedit uses to edit the file by setting the EDITOR environment
variable. If you do not set the EDITOR variable, privedit uses the default editor, vi. You cannot
pass arguments to the editor via the privedit command line. However, the editor recognizes
and supports editor-specific environment variables if you set them before invoking privedit.
Use a fully qualified file name as a privedit argument to identify which file to edit. If you do
not use a fully qualified file name, privedit adds the current working directory to the beginning
of the file name you specify. Regardless of how you specify the file to edit, all file names are fully
qualified after you invoke privedit. The privedit command also recognizes and supports
files that are symbolic links.
The privedit command can edit only one file at a time. If you specify multiple file names as
privedit arguments, privedit edits the first file specified and ignores the subsequent file
names. The following shows the privedit command syntax:

    privedit [option] fully-qualified-file-name
        | [-a (operation, object)]
        | [-v]
        | [-h]
        | [-t]
        | [-x]

The following is a list and brief description of the privedit command options:

    -a authorization   Matches only the /etc/rbac/cmd_priv file entries that have the
                       specified authorization.
    -v                 Invokes privedit in verbose mode.
    -h                 Prints privedit help information.
    -t                 Checks if the user has the required authorization to edit the file and
                       reports the results.
    -x                 If the authorization check fails, the file will be edited with the caller's
                       original privileges.

The following is an example of using a privedit command to edit the
/etc/default/security file with the specific authorization of (hpux.sec.edit, secfile):
# privedit -a "(hpux.sec.edit, secfile)" /etc/default/security
NOTE: Remember that the flag values for each entry in the cmd_priv database dictate whether
or not privedit can edit a file. Refer to “Step 3: Configuring Additional Command
Authorizations and Privileges” and the privedit(1m) manpage for more information about flags
and using the privedit command.
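
The file-name and EDITOR rules described above can be checked before running privedit. The following shell functions are an added example, not part of the HP guide or of HP-UX; the names privedit_target, privedit_editor, and privedit_preflight are hypothetical, and the functions only predict the documented behavior without invoking privedit.

```sh
#!/bin/sh
# Added example (not HP code): predicts how privedit treats its arguments,
# based only on the rules in this guide. It never invokes privedit.

# Print the fully qualified name privedit would edit. Per the guide, a name
# that is not fully qualified gets the current working directory prepended.
privedit_target() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  dir=$(pwd)
            if [ "$dir" = "/" ]; then dir=""; fi   # avoid "//name" at the root
            printf '%s/%s\n' "$dir" "$1" ;;
    esac
}

# Print the editor privedit would start: $EDITOR, or vi when it is not set.
# Treating an empty EDITOR like an unset one is an assumption of this sketch.
privedit_editor() {
    printf '%s\n' "${EDITOR:-vi}"
}

# Summarise a planned invocation. Arguments are file names only, no options.
privedit_preflight() {
    if [ "$#" -lt 1 ]; then
        echo "usage: privedit_preflight file [file ...]" >&2
        return 2
    fi
    target=$(privedit_target "$1")
    echo "file:    $target"
    echo "editor:  $(privedit_editor)"
    if [ -L "$target" ]; then
        echo "note:    $target is a symbolic link"
    fi
    shift
    for extra in "$@"; do
        echo "ignored: $extra (privedit edits only the first file named)"
    done
}

# Constructed sample call: a relative name plus a second name that is ignored.
privedit_preflight security /etc/rbac/cmd_priv
```

Running the preflight from the directory where privedit will be invoked shows which file a relative name resolves to, which matters when a file of the same name exists in more than one directory.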
Customizing privrun and privedit Using the ACPS
The HP-UX RBAC feature provides the ability to customize how privedit and privrun check
user authorizations. The ACPS module is a customizable interface that provides responses to
applications that must make authorization decisions. The ACPS configuration file,
/etc/acps.conf, controls the following aspects of the ACPS:
• which modules are consulted for making access decisions
• the sequence in which the modules are consulted
• the rules for combining module responses to return results to applications