HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
rbac(5) rbac(5)
object    The object the user can access. If * is specified, all objects can be accessed by the operation.

The following lines specify auditing of the SecurityOfficer role with the authorization (hpux.passwd, /etc/passwd). The PrinterAdm role with authorization to perform hpux.printer.add on all objects is also specified for auditing.

    SecurityOfficer, hpux.passwd, /etc/passwd
    PrinterAdm, hpux.printer.add, *
EXAMPLES
The following example shows how a root user uses the RBAC administrative commands to allow the non-root user John to execute the /usr/sbin/useradd command.

1. Add a role named UserAdmin to the roles database:

    # /usr/sbin/roleadm add UserAdmin

The above command adds the UserAdmin role to the /etc/rbac/roles database.

2. List the authorizations defined in the system to determine what authorizations are available:

    # /usr/sbin/authadm list sys
3. Add an authorization named (hpux.admin.useradd,*) to the auths database. The operation is "hpux.admin.useradd" and the object is "*":

    # /usr/sbin/authadm add hpux.admin.useradd

In the above example, the object is not specified and therefore defaults to "*", which means that the operation applies to ALL objects. The authorization "(hpux.admin.useradd,*)" is added to the /etc/rbac/auths database.
4. Assign the authorization (hpux.admin.useradd,*) to the UserAdmin role:

    # /usr/sbin/authadm assign UserAdmin hpux.admin.useradd

The above command adds the following entry to the /etc/rbac/role_auth database:

    "UserAdmin:(hpux.admin.useradd,*)"

5. Assign the role UserAdmin to user John:

    # /usr/sbin/roleadm assign John UserAdmin

The above command adds the following entry to the /etc/rbac/user_role database:

    "John:UserAdmin"

6. Add the command /usr/sbin/useradd to the cmd_priv database:

    # /usr/sbin/cmdprivadm add cmd=/usr/sbin/useradd op=hpux.admin.useradd ruid=0 euid=0

The above command adds the following entry to the /etc/rbac/cmd_priv database:

    /usr/sbin/useradd:dflt:(hpux.admin.useradd,*):0/0//:dflt:dflt:dflt:

7. Check that the syntax and entries in the RBAC databases are valid:

    # /usr/sbin/rbacdbchk
8. Non-root user John has now been associated with the UserAdmin role. The UserAdmin role has been assigned the authorization (hpux.admin.useradd,*), which is the authorization required for executing /usr/sbin/useradd according to the entry added to the cmd_priv database. Non-root user John can now run /usr/sbin/useradd through privrun to add regular users to the system as follows:

    # /usr/bin/privrun /usr/sbin/useradd new_user
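As an added example (not HP-UX code) of how the three databases built in the steps above chain together, the following Python resolver parses constructed user_role, role_auth and cmd_priv entries in the formats shown and answers whether privrun would let a given user run a given command. The sample entries are constructed, and the meaning of the cmd_priv fields beyond the (operation,object) pair and the ruid/euid values is an assumption.

```python
import re
# Constructed sample databases mirroring the entries shown in the example above (not real files).
USER_ROLE = "John:UserAdmin\nalice:PrinterAdm\n"
ROLE_AUTH = ("UserAdmin:(hpux.admin.useradd,*)\n"
             "PrinterAdm:(hpux.printer.add,*)\n"
             "SecurityOfficer:(hpux.passwd,/etc/passwd)\n")
CMD_PRIV = ("/usr/sbin/useradd:dflt:(hpux.admin.useradd,*):0/0//:dflt:dflt:dflt:\n"
            "/usr/sbin/userdel:dflt:(hpux.admin.userdel,*):0/0//:dflt:dflt:dflt:\n")
AUTH_RE = re.compile(r"\((?P<op>[^,()]+),(?P<obj>[^()]*)\)")  # "(operation,object)"

def parse_user_role(text):
    """user_role lines 'user:role' -> {user: {role, ...}}."""
    users = {}
    for line in filter(None, text.splitlines()):
        user, role = line.split(":", 1)
        users.setdefault(user, set()).add(role)
    return users

def parse_role_auth(text):
    """role_auth lines 'role:(operation,object)' -> {role: {(op, obj), ...}}."""
    roles = {}
    for line in filter(None, text.splitlines()):
        role, auth = line.split(":", 1)
        m = AUTH_RE.fullmatch(auth)
        roles.setdefault(role, set()).add((m["op"], m["obj"]))
    return roles

def parse_cmd_priv(text):
    """cmd_priv 'cmd:args:(op,obj):ruid/euid/rgid/egid:...' -> {cmd: (op, obj, ruid, euid)}; id field layout assumed."""
    cmds = {}
    for line in filter(None, text.splitlines()):
        cmd, _args, auth, ids = line.split(":")[:4]  # trailing 'dflt' fields are ignored here
        m = AUTH_RE.fullmatch(auth)
        ruid, euid = ids.split("/")[:2]
        cmds[cmd] = (m["op"], m["obj"], int(ruid), int(euid))
    return cmds

def check_privrun(user, cmd):
    """Walk user_role -> role_auth -> cmd_priv as privrun must; returns (allowed, reason).
    The requested command path has to match the cmd_priv entry exactly."""
    users, roles, cmds = parse_user_role(USER_ROLE), parse_role_auth(ROLE_AUTH), parse_cmd_priv(CMD_PRIV)
    if cmd not in cmds:
        return False, f"no cmd_priv entry for {cmd}"
    need_op, need_obj, ruid, euid = cmds[cmd]
    for role in sorted(users.get(user, ())):
        for op, obj in sorted(roles.get(role, ())):
            if op == need_op and obj in ("*", need_obj):  # '*' grants every object
                return True, f"{user} -> {role} -> ({op},{obj}) -> run as ruid {ruid}, euid {euid}"
    return False, f"{user} holds no role granting ({need_op},{need_obj})"
```

Because cmd_priv is keyed on the full path, check_privrun("John", "/usr/sbin/useradd") is allowed while a request for "/usr/bin/useradd" is refused, and alice (PrinterAdm only) is refused for either.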
AUDITING
privrun, roleadm, authadm, and cmdprivadm all generate audit records. The audit records include the caller's username, UID, role, authorizations, object, time of the event, success or failure of the event, etc.
348 Hewlett-Packard Company − 5 − HP-UX 11i Version 2: December 2007 Update