HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

161

162

163

164

165

166

167

168

169

170

privedit(1M) privedit(1M)

Field Description

command | file For privedit, the fully qualiﬁed path of a ﬁle to edit. This ﬁeld may contain wild-

cards as deﬁned in fnmatch(3C).

For

privrun, the fully qualiﬁed path of the command that is being wrapped to pro-

vide additional privilege.

arguments Ignored. (Used only by privrun.)

(operation,object) The operation the user is required to have on the object speciﬁed. Together, the

(operation,object) forms the authorization. operation must be fully qualiﬁed and

cannot contain a wild card (

*).

all in object requires that the user has the speciﬁed operation on all objects. (Note:

this is satisﬁed by a speciﬁcation of

(operation,*) in the /etc/rbac/role_auth

database if RBAC is in use.)

This ﬁeld may contain the keyword

dflt instead of (operation,object), which indi-

cates that no access check is required and the ﬁle can be edited with privilege by any

user.

ruid

/euid/rgid/egid

Ignored. (Used only by privrun.)

compartment Ignored. (Used only by privrun.)

privs Ignored. (Used only by privrun for privileges .)

pam-service Reauthentication service. If speciﬁed, the user is required to reauthenticate. The

privedit command identiﬁes itself to PAM as the service indicated in this ﬁeld.

This allows the security ofﬁcer to require an additional set of authentication/account

management restrictions for particular ﬁles for editing. See pam.conf(4) for a list of

PAM services.

The keyword dflt must be used to indicate that no reauthorization is required.

flags Flag values can be speciﬁed to indicate whether or not privedit can edit a ﬁle.

Additional ﬂag values can be speciﬁed to indicate whether privrun can execute a

command. The speciﬁc values allowed are as follows:

flag=empty or any other token

The ﬁle is a command that can be executed only. It cannot be edited.

flag=edit The ﬁle can be both edited and executed. This is mainly intended for

scripts.

flag=noexec

The ﬁle cannot be executed. It can only be edited with privedit.

The Authorization ﬁeld can contain the keyword

dflt instead of (operation,object), which indicates that

no access check is required and the command is invoked with privilege for any user. The UID and GID

entry in ﬁeld 4 is ignored by

privedit, but the slash character (/

) separating the IDs must remain. The

pam service name in ﬁeld 7 may also be

dflt, which indicates reauthentication is not required.

White space between each ﬁeld (immediately surrounding the ﬁeld separator :) in this database is optional

and ignored by privedit.

There may be multiple entries with the same ﬁle line (but different authorization required). privedit

evaluates each entry in the order speciﬁed in the ﬁle, continuing on to the next only if the user does not

have the required authorization. The privedit -a command option described above allows users to

identify a speciﬁc authorization to match or ﬁnd when multiple entries for the same ﬁle exist in the

cmd_priv database.

EXTERNAL INFLUENCES

Environment Variables

EDITOR speciﬁes the default editor.

LC_MESSAGES determines the language in which messages are displayed.

HP-UX 11i Version 3: February 2007 − 2 − Hewlett-Packard Company 161