HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
4 Fine-Grained Privileges
This chapter describes the fine-grained privileges feature of HP-UX 11i Security Containment.
This chapter addresses the following topics:
• “Overview”
• “Fine-Grained Privileges Components”
• “Available Privileges”
• “Configuring Applications with Fine-Grained Privileges”
• “Security Implications of Fine-Grained Privileges”
• “Fine-Grained Privileges in HP Serviceguard Clusters”
• “Troubleshooting Fine-Grained Privileges”
Overview
The UNIX operating system traditionally uses an "all or nothing" privilege model, in which
superusers (those with effective UID=0, such as the root user) have virtually unlimited power,
and other users have few or no special privileges.
HP-UX provides several legacy methods of delegating limited powers, including restricted
sam(1M), the privilege groups described in privgrp(4), the shutdown.allow file described in
shutdown(1M), and the cron.allow file described in crontab(1).
These legacy methods are replaced by the security containment model, including the use of
fine-grained privileges and the HP-UX RBAC access control framework.
The HP-UX fine-grained privilege model splits the powers of superusers into a set of privileges.
Fine-grained privileges are granted to processes. Each privilege gives the process that holds
it the right to use a specific set of restricted services provided by the kernel.
Refer to privileges(5) for more information.
Fine-Grained Privileges Components
The fine-grained privileges feature of HP-UX 11i Security Containment includes files, commands,
and manpages. You can use these components to configure and administer fine-grained privileges.
Commands
Table 4-1 “Fine-Grained Privileges Commands” briefly describes the fine-grained privileges
commands.
Table 4-1 Fine-Grained Privileges Commands
Command       Description
setfilexsec   Sets various security attributes of binary files. The attributes currently
              include retained privileges, permitted privileges, compartment, and
              privilege awareness flag.
getfilexsec   Displays security attributes associated with binary executable files. The
              attributes include retained privileges, permitted privileges, compartment,
              and privilege awareness flag.
getprocxsec   Displays security attributes of processes. The attributes currently include
              effective privileges, retained privileges, permitted privileges, and
              compartment.