HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)
privrun(1M) privrun(1M)
NAME
privrun - invoke another application with privileges after performing appropriate authorization checks and
optionally reauthenticating the user
SYNOPSIS
privrun [-htx] [-a authorization] [-c compartment] [-g [gid|groupname]] [-G [gid|groupname]]
[-p privileges] [-u [uid|username]] [-U [uid|username]] [-v [-v]] command [args]
DESCRIPTION
privrun allows a user to run legacy applications with elevated privileges according to the authorizations
associated with that user. The user invokes privrun, specifying the legacy application as command line
arguments.
privrun consults the /etc/rbac/cmd_priv database to determine which authorization is required to run
the command with additional privileges. (The authorization is specified as an operation and a target
object.) If the user has the necessary authorization, privrun invokes the specified command after
changing its UID and/or GID as specified in the cmd_priv database. privrun also allows a command to be
run with a specified set of fine-grained privileges, and/or in a specified compartment.
The method to determine whether the user has the necessary authorization is configurable by the system
administrator. A module is provided to associate a fixed set of authorizations with the user based on the
user’s role. See rbac(5) for more information.
Options
privrun recognizes the following options:
-a authorization
Match only those entries requiring the specified authorization. authorization is defined as
(operation,object) pairs in the cmd_priv database. The specified authorization must exactly
match the authorization present in the cmd_priv file (that is, wildcarding is not supported).
-c compartment
Matches the specified compartment in the cmd_priv database. The specified compartment must
exactly match the compartment present in the cmd_priv file.
-g [gid|groupname]
Match only those entries containing the effective group ID (EGID) corresponding to the specified
EGID or the EGID associated with the group name.
-G [gid|groupname]
Match only those entries containing the real group ID (RGID) corresponding to the specified RGID or
the RGID associated with the group name.
-h Prints privrun usage or help.
-p privileges
Matches the specified privileges to the privileges in the cmd_priv database. When specifying multiple
privileges, separate each privilege with a comma. Any privileges specified with the -p option must
have a match in the cmd_priv database.
-t Check to see if the user has the authorization to execute the command and inform the user of the
results. The command will not be invoked.
-u [uid|username]
Match only those entries containing the effective user ID (EUID) corresponding to the specified EUID
or the EUID associated with the user name.
-U [uid|username]
Match only those entries containing the real user ID (RUID) corresponding to the specified RUID or
the RUID associated with the user name.
-v [-v]
Invoke privrun in verbose mode. The verbose level will be increased if two -v options are
specified. An increased verbose level will print more information.
-x If the authorization check fails, the program will still be executed with the original caller’s privileges only.
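An added example, not part of the HP-UX manual: a POSIX shell wrapper that tests authorization with -t first, pins the cmd_priv match with -u and -a, and never passes -x, so a failed check cannot fall through to a run with the caller's own privileges. It assumes that privrun -t exits 0 when the caller is authorized and non-zero otherwise; run_pinned and every name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual).
# Assumption: `privrun -t` exits 0 when the caller is authorized and
# non-zero otherwise. run_pinned is a hypothetical helper name.

# run_pinned EUID AUTHORIZATION COMMAND [ARGS...]
# Runs COMMAND through privrun only when a cmd_priv entry with exactly this
# effective UID and authorization matches and the caller is authorized.
run_pinned() {
    if [ "$#" -lt 3 ]; then
        echo "usage: run_pinned euid authorization command [args]" >&2
        return 2
    fi
    rp_euid=$1
    rp_auth=$2
    shift 2

    # Dry run: -t reports the authorization result without invoking COMMAND.
    # -u and -a restrict matching to the entry this script expects, so an
    # entry for the same command with another EUID or authorization is
    # never selected.
    if ! privrun -t -u "$rp_euid" -a "$rp_auth" "$@"; then
        echo "run_pinned: not authorized for $1 (EUID $rp_euid, $rp_auth)" >&2
        return 1
    fi

    # Real run with the same pins and without -x: if the check fails here,
    # privrun refuses instead of running COMMAND unprivileged.
    privrun -u "$rp_euid" -a "$rp_auth" "$@"
}

# Constructed usage; the authorization pair and command path are placeholders
# written in the (operation,object) form that -a expects:
#   run_pinned 0 '(example.operation,exampleobject)' /opt/example/bin/legacytool status
```

Because -a requires an exact match, the authorization string passed here must be written exactly as it appears in the cmd_priv entry.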
Operands
privrun recognizes the following operands:
HP-UX 11i Version 3: February 2007 − 1 − Hewlett-Packard Company 163