Securing Virtual Partitions with HP-UX Role-Based Access Control

Step 2: Configuring Authorizations
Configuring authorizations is similar to creating and assigning roles. However, authorizations contain
two elements: an operation and an object. Use the authadm command to edit authorization
information in the HP-UX RBAC databases.
The following examples show the creation and assignment of the authorizations identified in the
planning sections:
# authadm add hpux.vpar.admin local
authadm added auth: (hpux.vpar.admin,local)
# authadm assign BoxAdmin "hpux.*"
authadm added 1 auth for role BoxAdmin
# authadm assign Operator hpux.vpar.admin local
authadm added 1 auth for role Operator
# authadm assign Operator "hpux.network.*"
authadm added 1 auth for role Operator
Use the authadm list command to verify the authorizations were assigned correctly, for example:
# authadm list
BoxAdmin: (hpux.*, *)
Operator: (hpux.network.*, *) (hpux.vpar.admin, local)
Step 3: Configuring Additional Command Authorizations and Privileges
The final step in configuring the system for use with HP-UX RBAC is to define any additional commands
that are not provided in the /etc/rbac/cmd_priv default configuration. Use the cmdprivadm
command to edit a command’s authorization and privilege information. The cmdprivadm command
works in a similar fashion to roleadm and authadm.
The following examples associate the vparreset command with the (hpux.vpar.admin, local)
authorization. We assume vpar_ntc185 is the name for the local virtual partition in the following
examples.
# cmdprivadm add cmd="/sbin/vparreset -p vpar_ntc185" \
op=hpux.vpar.admin object=local \
ruid=0 euid=0
/sbin/vparreset:-p vpar_ntc185:(hpux.vpar.admin,local):0/0/-1/-1::::
cmdprivadm added the entry to /etc/rbac/cmd_priv
However, if you want to allow Operators to run the command /sbin/vparreset -p vpar_ntc185
with other arguments, such as -t or -h, you must individually add
/sbin/vparreset -p vpar_ntc185 -t and /sbin/vparreset -p vpar_ntc185 -h to the
/etc/rbac/cmd_priv database using cmdprivadm.
Rather than adding each separate command individually, a simpler approach is to write a shell script
that specifies the local virtual partition name and allows any other command argument combinations.
For example,
# more /usr/sbin/vparreset_ntc185
#!/usr/bin/ksh
# Wrapper that pins the partition name; "$@" passes each caller argument
# through as one word, whereas unquoted $* would re-split quoted arguments.
echo "/usr/sbin/vparreset -p vpar_ntc185" "$@"
/usr/sbin/vparreset -p vpar_ntc185 "$@"
You can then add vparreset_ntc185 to the /etc/rbac/cmd_priv database, for example:
# cmdprivadm add cmd=/usr/sbin/vparreset_ntc185 \
op=hpux.vpar.admin object=local \
ruid=0 euid=0
/usr/sbin/vparreset_ntc185::(hpux.vpar.admin,local):0/0/-1/-1::::
cmdprivadm added the entry to /etc/rbac/cmd_priv
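The wrapper script above forwards whatever arguments the Operator supplies to a command that runs with euid 0. The following variant, an added example that is not part of the HP paper, keeps the same partition name and vparreset path but forwards only the options the text mentions (-t and -h) and refuses anything else; the function names check_args and build_cmd are my own.

```shell
#!/bin/sh
# Added example: vparreset wrapper that pins the partition name and forwards
# only an allow-listed set of options instead of passing "$@" through as-is.
# Partition name, vparreset path and the -t/-h options are taken from the
# text; widen the case list deliberately, one option at a time.

VPAR_NAME="vpar_ntc185"
VPARRESET="/usr/sbin/vparreset"

# Return 0 when every argument is an allowed stand-alone option, 1 otherwise.
# A second -p, a path or any unexpected token is refused so the wrapper only
# ever resets the partition it was written for.
check_args() {
    for arg in "$@"; do
        case "$arg" in
            -t|-h) ;;          # options named in the text
            *) return 1 ;;     # anything else: refuse to run
        esac
    done
    return 0
}

# Print the exact command line that would run, for logging and for review.
build_cmd() {
    printf '%s -p %s' "$VPARRESET" "$VPAR_NAME"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Only an invocation under the installed name runs the privileged command;
# sourcing or running the file under another name just defines the functions.
case "$0" in
    *vparreset_ntc185)
        if ! check_args "$@"; then
            echo "vparreset_ntc185: refused arguments: $*" >&2
            exit 2
        fi
        build_cmd "$@"
        exec "$VPARRESET" -p "$VPAR_NAME" "$@"
        ;;
esac
```

Installed as /usr/sbin/vparreset_ntc185 and registered with the same cmdprivadm entry shown above, the Operator role can reset only vpar_ntc185, with or without -t and -h, and the refused invocations are reported on stderr.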