Administrator's Guide

TIP: HP recommends you use HP-UX RBAC to configure applications that require variable
privileges to run.
NOTE: Some of the fine-grained privileges are divided further. If the
HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system,
the PRIV_SYSATTR, PRIV_MOUNT, and PRIV_DEVOPS privileges are each divided
into two privileges. With the new privileges, a process can allow a subset of
the operations while disallowing the others. See privileges(5) and “Compatibility
Information for Divided Privileges” (page 135).
To configure security attributes for a privilege-aware application, use the setfilexsec
command as follows:
# setfilexsec [options] filename
The setfilexsec command is meant to assign privileges to binaries on a local file
system. Binaries obtained from a network file system (NFS) should not be
assigned privileges: if the file is modified by a different system (directly on the
NFS server), the extended attributes set by setfilexsec are not removed.
The options for setfilexsec are as follows:
-d Deletes any security information for this file from the configuration file and the kernel.
-D Deletes any security information for this file from the configuration file only. Used
to clear security information for a deleted file.
-r Adds or changes minimum retained privileges.
-R Adds or changes maximum retained privileges.
-p Adds or changes minimum permitted privileges.
-P Adds or changes maximum permitted privileges.
-f Sets the security attribute flags.
The getfilexsec command displays the extended attributes of a binary file, set with
the setfilexsec command.
# getfilexsec filename
7.4 Configuring Applications with Fine-Grained Privileges 137