privrun.1m (2010 09)
privrun(1M) privrun(1M)
pam-service Reauthentication service. If specified, the user will be reauthenticated: the privrun command identifies itself to PAM as the service named in this field, which allows the security officer to impose an additional set of restrictions for particular commands. See pam.conf(4) for a list of PAM services. The keyword DFLT must be used to indicate that no reauthentication is required.
flags This field is used by both privrun and privedit. In privrun, there is only one defined flag. If the flag is set to KEEPENV, none of the environment variables will be scrubbed; because the caller's environment then reaches a command running with elevated privileges, KEEPENV should be used only for commands that are known to handle an untrusted environment safely. For the flag usage in privedit, see privedit(1M) for more details. When no flag is set, DFLT is expected to appear in this field for the privrun command.
White space between each field and immediately surrounding the colon field separator (:) is optional and ignored by the privrun command.
There can be multiple entries in /etc/rbac/cmd_priv with the same command line but requiring different authorizations and resulting in different privileges. privrun evaluates each entry in the order specified in the file, continuing on to the next only if the user does not have the required authorization. To match a particular entry in /etc/rbac/cmd_priv, use the privrun command options to specify the set of privileges of the desired entry.
EXTERNAL INFLUENCES
Environment Variables
LC_MESSAGES determines the language in which messages are displayed.
International Code Set Support
Single-byte character code set is supported.
RETURN VALUE
Success If privrun permitted the user to execute the program, the return value from privrun is the return value of the program executed.
Failure privrun returns a value of 1 and prints an appropriate error message to stderr.
EXAMPLES
Example 1
In the following example, the caller invokes privrun to execute the /usr/sbin/useradd command, with userfoo as the argument to the useradd command.
# privrun /usr/sbin/useradd userfoo
privrun examines the /etc/rbac/cmd_priv database for an entry corresponding to the command /usr/sbin/useradd. If this entry is found, the necessary authorization is retrieved from that entry, and privrun invokes the command if the user has the necessary authorization.
In the following example, the caller wants to execute the command /sbin/bar with its effective UID changed to 28 (-u 28) and its effective GID changed to that of the group other (-g other).
# privrun -u 28 -g other /sbin/bar
If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the associated EUID set to 28 and the EGID set to the GID corresponding to the group name other, the usual authorization and invocation process occurs. If no such entry exists (even if an entry for /sbin/bar appears with different associated privileges (EUID/EGID)), the privrun command fails and prints an error message.
Example 2
In the following example, the caller wants to execute the command /sbin/bar within the compartment testcomp (-c testcomp):
# privrun -c testcomp /sbin/bar
If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the compartment specified as testcomp, the command /sbin/bar will be executed in the testcomp compartment. If no such entry exists (even if an entry for /sbin/bar appears with a different compartment specification), the privrun command fails and prints an error message.
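The lookup rules described above (whitespace around the colon separators ignored, several entries for one command evaluated in file order, an entry selected with -u/-g/-c, failure with exit status 1 when no matching entry exists, and KEEPENV versus scrubbing the environment) as an added Python model of the lookup, replaying Examples 1 and 2. This is illustrative code added here, not HP-UX code. The six-field layout command:args:(operation,object):euid/egid/privileges/compartment:pam-service:flags is an assumption (this page documents only the pam-service and flags fields), as are the authorization matching rule, the environment allowlist, and the sample database, which is constructed.

```python
"""Model of the /etc/rbac/cmd_priv lookup performed by privrun(1M).

Added illustration, not HP-UX code.  The six-field layout assumed here,
command:args:(operation,object):euid/egid/privileges/compartment:pam-service:flags,
is an assumption (this page documents only the pam-service and flags fields),
as are the authorization matching rule and the environment allowlist."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample database, not a real /etc/rbac/cmd_priv.  Whitespace around
# the colon separators is deliberately inconsistent to show that it is ignored.
SAMPLE_CMD_PRIV = """\
# command : args : (operation, object) : euid/egid/privs/compartment : pam-service : flags
/usr/sbin/useradd : dflt : (hpux.user.add, *) : 0/0// : DFLT : DFLT
/sbin/bar:dflt:(hpux.bar.low,*):28/other//:DFLT:DFLT
/sbin/bar : dflt : (hpux.bar.high, *) : 0/0// : privrun-admin : KEEPENV
/sbin/bar:dflt:(hpux.bar.comp,*):0/0//testcomp:DFLT:DFLT
"""

# Assumed scrub policy: without KEEPENV only these variables reach the privileged
# command, so LD_*, IFS, PATH and the like from the caller are dropped.
SCRUB_ALLOWLIST = {"HOME", "LOGNAME", "TERM", "TZ"}


@dataclass
class CmdPrivEntry:
    command: str
    args: str
    authorization: Tuple[str, str]  # (operation, object)
    euid: str
    egid: str
    privileges: str
    compartment: str
    pam_service: str
    flags: str


def parse_cmd_priv(text: str) -> List[CmdPrivEntry]:
    """Parse cmd_priv lines in file order (the lookup depends on that order),
    stripping whitespace around each colon-separated field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 6:
            raise ValueError("malformed cmd_priv line: %r" % raw)
        cmd, args, auth, privs, pam_service, flags = fields
        op, obj = (p.strip() for p in auth.strip("()").split(",", 1))
        euid, egid, privileges, compartment = privs.split("/", 3)
        entries.append(CmdPrivEntry(cmd, args, (op, obj), euid, egid,
                                    privileges, compartment, pam_service, flags))
    return entries


def holds(user_auths: Set[Tuple[str, str]], required: Tuple[str, str]) -> bool:
    """Simplified check: exact match, or the operation held on wildcard object '*'."""
    return required in user_auths or (required[0], "*") in user_auths


def find_entry(entries: List[CmdPrivEntry], command: str,
               user_auths: Set[Tuple[str, str]], euid: Optional[str] = None,
               egid: Optional[str] = None,
               compartment: Optional[str] = None) -> Optional[CmdPrivEntry]:
    """Walk the entries for `command` in file order.  Entries not providing a
    privilege set selected with -u/-g/-c are skipped, as are entries whose
    authorization the caller lacks; the first surviving entry wins.  None means
    privrun fails, even though other entries for the command may exist."""
    wanted = {"euid": euid, "egid": egid, "compartment": compartment}
    for e in entries:
        if e.command != command:
            continue
        if any(v is not None and getattr(e, k) != v for k, v in wanted.items()):
            continue
        if holds(user_auths, e.authorization):
            return e
    return None


def build_environment(environ: Dict[str, str], flags: str) -> Dict[str, str]:
    """KEEPENV passes the caller's environment through untouched; otherwise scrub."""
    if flags == "KEEPENV":
        return dict(environ)
    return {k: v for k, v in environ.items() if k in SCRUB_ALLOWLIST}


def privrun(entries: List[CmdPrivEntry], argv: List[str],
            user_auths: Set[Tuple[str, str]], environ: Dict[str, str],
            euid: Optional[str] = None, egid: Optional[str] = None,
            compartment: Optional[str] = None):
    """Dry run: resolve the entry and environment instead of executing argv.
    Returns (status, message, entry, env); status 1 mirrors privrun's failure."""
    entry = find_entry(entries, argv[0], user_auths, euid, egid, compartment)
    if entry is None:
        return 1, "privrun: no usable /etc/rbac/cmd_priv entry for %s" % argv[0], None, None
    return 0, "", entry, build_environment(environ, entry.flags)


if __name__ == "__main__":
    db = parse_cmd_priv(SAMPLE_CMD_PRIV)
    env = {"PATH": "/tmp:/usr/bin", "LD_PRELOAD": "/tmp/evil.so", "HOME": "/home/u"}
    print(privrun(db, ["/sbin/bar"], {("hpux.bar.high", "*")}, env))
    print(privrun(db, ["/sbin/bar"], {("hpux.bar.high", "*")}, env, euid="28", egid="other"))
    print(privrun(db, ["/sbin/bar"], {("hpux.bar.comp", "*")}, env, compartment="testcomp"))
```

Run stand-alone, the three calls show the ordered walk passing over the first /sbin/bar entry when the caller lacks its authorization, the -u 28 -g other selection failing for that same caller even though a different /sbin/bar entry would have matched, and -c testcomp selecting the compartmented entry. Note that the KEEPENV entry hands LD_PRELOAD from the constructed caller environment straight to the privileged command, which is why that flag deserves scrutiny in a real database.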
FILES
/etc/rbac/roles Database containing valid definitions of all roles.
HP-UX 11i Version 3: September 2010 − 3 − Hewlett-Packard Company 3