privedit.1m (2011 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

privedit(1M) privedit(1M)

NAME

privedit - let authorized users edit ﬁles that are under access control

SYNOPSIS

privedit [-htxv][-a

authorization] ﬁle

DESCRIPTION

privedit allows authorized users to edit ﬁles that are otherwise restricted by permissions or access

control lists. Identify which ﬁle to edit by specifying the ﬁle name as an argument to the

privedit com-

mand. After you invoke the command,

privedit checks the

/etc/rbac/cmd_priv

database to

determine the authorization required to edit the ﬁle. If you have the necessary authorization,

privedit

invokes the speciﬁed editor to edit the ﬁle.

You can specify which editor

privedit

uses to edit the ﬁle by setting the EDITOR environment vari-

able. If you do not set the

EDITOR

variable, privedit uses the default editor, vi. You cannot pass

arguments to the editor via the

privedit

command line. However, the editor recognizes and supports

editor-speciﬁc environment variables if you set them before invoking privedit.

You can use a fully qualiﬁed ﬁle name as a

privedit argument to identify which ﬁle to edit. If you do

not use a fully qualiﬁed ﬁle name,

privedit adds the current working directory to the beginning of the

ﬁle name you specify. Regardless of how you specify the ﬁle to edit, all ﬁle names are fully qualiﬁed after

invoking

privedit. The privedit command also recognizes and supports ﬁles that are symbolic

links.

privedit can edit only one ﬁle at a time. If you specify multiple ﬁle names as

privedit arguments,

privedit edits the ﬁrst ﬁle speciﬁed and ignores the subsequent ﬁle names.

The HP-UX RBAC feature also provides the ability to customize how

privedit and privrun check

user authorizations. (See privrun (1M).) The Access Control Policy Switch (ACPS) module of HP-UX

RBAC provides responses to applications that must make authorization decisions. The ACPS

conﬁguration ﬁle,

acps.conf, controls which modules are consulted for making access decisions, the

sequence in which the modules are consulted, and the rules for combining module responses to return

results to applications. See acps.conf (4), acps (3) and rbac (5) for more information.

Options

privedit recognizes the following options:

-a authorization Match only those entries requiring the speciﬁed authorization. The speciﬁed

authorization must exactly match the authorization present in the

cmd_priv data-

base (that is, no wildcards allowed).

-h Print privedit usage or help.

-t Check to see if the user has the authorization to edit the ﬁle and inform the user of

the results.

-x If the authorization check fails, edit the ﬁle with the caller’s original privileges.

-v Invoke privedit in verbose mode.

Operands

privedit recognizes the following operands:

file File to edit.

The cmd_priv Database

As described in privrun (1M), the /etc/rbac/cmd_priv ﬁle contains information indicating which

authorizations are required to execute commands or edit ﬁles. You can also specify a PAM service name

in /etc/rbac/cmd_priv to indicate how privedit should identify itself to PAM if a user must be

reauthenticated.

The ﬁle contains any number of entries, where each entry is speciﬁed on a single line in the following for-

mat:

{command|ﬁle}

: arguments :(operation ,object ):ruid/euid/rgid/egid : compartment : privs :

pam-service : ﬂags

These ﬁelds are deﬁned as follows:

HP-UX 11i Version 3: March 2011 − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
privedit(1M) privedit(1M) NAME privedit - let authorized users edit files that are under access control SYNOPSIS privedit [-htxv] [-a authorization] file DESCRIPTION privedit allows authorized users to edit files that are otherwise restricted by permissions or access control lists. Identify which file to edit by specifying the file name as an argument to the privedit command.
PAGE 2
privedit(1M) privedit(1M) Field Description command | file For privedit, the fully qualified path of a file to edit. This field may contain wildcards as defined in fnmatch (3C). arguments Ignored. (Used only by privrun.) (operation ,object ) The operation the user is required to have on the object specified. Together, the (operation ,object ) forms the authorization. operation must be fully qualified and cannot contain a wild card (*).
PAGE 3
privedit(1M) privedit(1M) RETURN VALUE Success If privedit permitted the user to edit the file, then the return value from privedit is the return value of the editor used to edit the file. Failure privedit returns a value of 1 and an appropriate error message is printed to standard error. EXAMPLES Example 1 In the following example, the caller invokes privedit to edit /etc/fstab. # privedit /etc/fstab The /etc/rbac/cmd_priv database is examined for an entry corresponding to the file /etc/fstab.
PAGE 4
(Notes) A (Notes) pA 4 Hewlett-Packard Company −1− HP-UX 11i Version 3: March 2011