Manualshelf

HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals
331332333334335336337338339340
s
setfilexsec(1M) setfilexsec(1M)
hpux.security.xsec.filexsec.restricted
RETURN VALUE
setfilexsec returns the following values:
0 Successful completion. The security attributes are updated successfully.
>0 An error occurs. An error can be caused by an invalid option, an invalid argument, or
insufficient permissions for the user to perform the operation.
EXAMPLES
Example 1
Add a security attributes entry for the binary executable
/web/java for the first time:
setfilexsec -r cmptread,cmptwrite \
-R policy,!dacwrite -p cmptread \
-P policy -f start_nil -c web /web/java
The Example 1 command has the following effect:
Supposing that a process does an
exec() of the binary /web/java , the process’s attributes are
modified as follows:
The retained privilege set includes at least cmptread and cmptwrite.
The retained privilege set does not include dacwrite.
The permitted privilege set includes at least cmptread.
The permitted privilege set is equal to the policy privilege set (depends on the inheritable set
before the exec()).
The process changes its compartment to web.
Since the process is privilege-aware, the effective privilege set is empty (and the application
/web/java may raise the privileges in the permitted privilege set at run time).
Example 2
Modify the minimum retained privilege set and flags for the same binary:
setfilexsec -r cmptwrite -f start_full /web/java
Because the start_full flag is specified, the effective privilege set is equal to the permitted privilege set
(the application presumably does not manipulate the privileges at run time).
Example 3
Delete all extended security attributes entry for the same binary:
setfilexsec -d /web/jar
WARNINGS
If a binary file that has privilege attributes set is modified or replaced, the attributes no longer apply to
that file, but are still present in system tables. These system tables are re-loaded into the kernel if the sys-
tem is rebooted (that is, the attributes are applied after the reboot). To permanently remove the privilege
attributes, run setfilexsec -d. When replacing a binary, in order to retain the privileges on the
binary without rebooting, run setfilexsec -d first to remove the prior privilege attributes, replace
the binary, and then run setfilexsec to re-assign attributes.
SEE ALSO
getfilexsec(1M), exec(2), priv_str_to_set(3), privileges(5).
HP-UX 11i Version 2: December 2007 Update 2 Hewlett-Packard Company 333