HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)
setfilexsec(1M) setfilexsec(1M)
NAME
setfilexsec - set binary executable file security attributes
SYNOPSIS
setfilexsec -d filename
setfilexsec -D absolutepath
setfilexsec [-c compartmentname] [-f flags] [-p privs] [-P privs] [-r privs] [-R privs] filename
DESCRIPTION
setfilexsec sets various security attributes of binary files. The attributes currently include retained
privileges, permitted privileges, compartment, and the privilege start flag. See privileges(5) and execve(2)
for a description of these attributes. The security attributes are persistent across reboot. The attributes
are stored in a configuration file and loaded when the system reboots.
Options
setfilexsec recognizes the following options:
-c Sets the compartment name for the binary executable file.
-d Deletes any security information for the file from the configuration file and the kernel.
-D Deletes any security information for the file given by absolutepath from the configuration file
only. This is used to clear attributes of a deleted file.
-f Sets the security attribute flags. The only defined flag is the privilege start flag.
The privilege_start flag must be either start_full or start_nil. If the value is
start_full, when the binary is executed, the process’ effective privileges are set to the
newly computed permitted privilege set. If the value is start_nil, when the binary file
is executed, the process’ effective privileges are set to nil (no privileges). If this option is
not specified and the process start flag is not already set for the binary file, the flag is set to
start_nil.
-p Adds or changes the minimum permitted privileges. This must be a subset of the
maximum retained privileges.
-P Adds or changes the maximum permitted privileges. This must be equal to or a superset of
the minimum retained privileges.
-r Adds or changes the minimum retained privileges. This must be a subset of the maximum
retained privileges as well as the minimum permitted privileges.
-R Adds or changes the maximum retained privileges. This must be equal to or a superset of
the minimum retained privileges.
For the third form of the command, if any of the options are not specified, setfilexsec takes the
following action:
• The security attribute acted upon by that option is set to NULL if this is a new entry in security
attributes.
• The security attribute acted upon by that option is not modified if the attribute is an existing entry
in security attributes.
The privs argument is any string that is acceptable to the priv_list argument to the priv_str_to_set()
function where the delimiter is a comma (,). See priv_str_to_set(3).
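The subset and superset rules stated for -p, -P, -r and -R can be checked before setfilexsec is run. The following is an added example, not part of this manual page or of HP-UX: the function names are hypothetical, PRIV_A, PRIV_B and PRIV_C are constructed placeholder names, and /path/to/binary is a placeholder path. It assumes plain comma-separated privilege names with no whitespace, compared by exact match, and it skips any rule that involves an option that was not given.

```sh
# Added example: pre-flight check of the -p/-P/-r/-R rules listed above.
# Hypothetical helper names; not part of HP-UX.

# is_subset A B: succeed when every name in comma list A also appears in B.
is_subset() {
    _old_ifs=$IFS
    IFS=,
    for _p in $1; do
        case ",$2," in
            *",$_p,"*) ;;                     # whole-name match, keep going
            *) IFS=$_old_ifs; return 1 ;;     # name missing from B
        esac
    done
    IFS=$_old_ifs
    return 0
}

# _need A B MSG: print MSG and fail unless A is a subset of B.
# An empty A or B means "option not given" and is skipped (assumption).
_need() {
    if [ -z "$1" ] || [ -z "$2" ]; then return 0; fi
    if is_subset "$1" "$2"; then return 0; fi
    echo "setfilexsec pre-check: $3" >&2
    return 1
}

# check_privs MINP MAXP MINR MAXR: the values intended for -p, -P, -r, -R.
# Returns 0 when every applicable rule holds, 1 otherwise.
check_privs() {
    _rc=0
    _need "$1" "$4" "-p must be a subset of -R" || _rc=1
    _need "$3" "$2" "-P must be a superset of -r" || _rc=1
    _need "$3" "$4" "-r must be a subset of -R" || _rc=1
    _need "$3" "$1" "-r must be a subset of -p" || _rc=1
    return $_rc
}

# Intended use (placeholder path), gating the real command on the check:
#   check_privs "$MINP" "$MAXP" "$MINR" "$MAXR" &&
#       setfilexsec -p "$MINP" -P "$MAXP" -r "$MINR" -R "$MAXR" /path/to/binary
```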
Operands
setfilexsec recognizes the following operands:
filename A binary executable. Extended attributes set on executable scripts are ignored by the
kernel.
Security Restrictions
The caller must have the following authorization:
hpux.security.xsec.filexsec.unrestricted
—or—
332 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: December 2007 Update