cmdprivadm.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

cmdprivadm(1M) cmdprivadm(1M)

NAME

cmdprivadm - noninteractive editing of a command’s authorization and privilege information in the

privrun database

SYNOPSIS

cmdprivadm add option =value [option

=value]...

cmdprivadm delete option =value [option=

value]...

DESCRIPTION

cmdprivadm is a noninteractive command that allows user with appropriate permission to add or delete

a command and its privileges in the Role-Base Access Control (RBAC) database,

/etc/rbac/cmd_priv

. See privrun (1M) for more details on this ﬁle.

When adding a line to the database,

cmdprivadm sets ﬁelds that are not speciﬁed a default value.

When deleting a line, the lines matching all the given option

=value pairs will be deleted. That is, if all

ﬁelds speciﬁed match, the entry will be deleted.

cmdprivadm add option =value [option=

value]...

Appends a line as speciﬁed in option

=value pairs in the /etc/rbac/cmd_priv

ﬁle.

cmdprivadm delete option =value [option=value]...

Deletes a line as speciﬁed in option

=value pairs from /etc/rbac/cmd_priv

ﬁle.

HP recommends that only the

authadm, cmdprivadm, and roleadm commands be used to edit and

view the RBAC databases; do not edit the RBAC ﬁles directly.

See rbac (5) for information on the RBAC databases.

Options

The following options are valid option =value pairs for cmdprivadm.

cmd=command command should include the full path name of the command. There can be one or

more arguments following the command.

file=filename ﬁlename should specify the full path name of a ﬁle name.

op=operation Speciﬁes the operation.

object=object Speciﬁes the object.

ruid=ruid Speciﬁes the real user ID (ruid).

euid=euid Speciﬁes the effective user ID (euid).

rgid=rgid Speciﬁes the real group ID (rgid).

egid=egid Speciﬁes the effective group ID (egid).

compartment=compartment_label

Speciﬁes the compartment.

privs=comma_separated_privilege_list

Speciﬁes the privileges.

re-auth=pam_service

Speciﬁes the PAM service name to reauthenticate under. See pam.conf (4) for a list

of PAM services.

flags=comma_separated_flags_list

Speciﬁes the ﬂags.

Note : You must enclose values that contain the space character, or any characters that may be inter-

preted by the shell, with single quotes. For example, if the

cmd has one or more arguments, enclose them

with single quotes:

cmd=’mount -a’

Authorizations:

In order to invoke cmdprivadm, the user must either be root, (running with effective UID of 0), or have

the appropriate authorizations. The following is a list of the required authorizations for running

cmdprivadm with particular options:

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (2 pages)

PAGE 1
cmdprivadm(1M) cmdprivadm(1M) NAME cmdprivadm - noninteractive editing of a command’s authorization and privilege information in the privrun database SYNOPSIS cmdprivadm add option =value [option =value]... cmdprivadm delete option =value [option =value]... DESCRIPTION cmdprivadm is a noninteractive command that allows user with appropriate permission to add or delete a command and its privileges in the Role-Base Access Control (RBAC) database, /etc/rbac/cmd_priv.
PAGE 2
cmdprivadm(1M) cmdprivadm(1M) hpux.security.access.privrun.add,* Allows user to run cmdprivadm with add options. hpux.security.access.privrun.delete,* Allows user to run cmdprivadm with delete options. EXTERNAL INFLUENCES Environment Variables LC_MESSAGES determines the language in which messages are displayed. International Code Set Support Single-byte character code set is supported. A cA RETURN VALUE Upon completion, cmdprivadm returns one of the following values: 0 Success. 1 Failure.