HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

setfilexsec(1M) setfilexsec(1M)
NAME
setfilexsec - set extended security attributes on a binary file
SYNOPSIS
setfilexsec -d filename
setfilexsec -D absolutepath
setfilexsec [-c compartmentname] [-f flags] [-p privs] [-P privs] [-r privs] [-R privs] filename
DESCRIPTION
setfilexsec sets various extended security attributes of binary files. The attributes currently include
retained privileges, permitted privileges, compartment, and the privilege start flag. See privileges(5) and
execve(2) for a description of these attributes. The security attributes are stored in a configuration file,
so they persist across reboots: they are loaded from that file when the system reboots.
Options
setfilexsec recognizes the following options:
-c Sets the compartment name for the binary executable file.
-d Deletes any security information for the file from the configuration file and the kernel.
-D Deletes any security information for the file given by absolutepath from the configuration file
only. This is used to clear attributes of a deleted file.
-f Sets the security attribute flags. The only defined flag is the privilege start flag.
The privilege_start flag must be either start_full or start_nil. If the value is start_full,
when the binary is executed, the process effective privileges are set to the newly computed
permitted privilege set. If the value is start_nil, when the binary file is executed, the
process effective privileges are set to nil (no privileges). If this option is not specified
and the process start flag is not already set for the binary file, the flag is set to start_nil.
-p Adds or changes the minimum permitted privileges. This must be a subset of the maximum
permitted privileges.
-P Adds or changes the maximum permitted privileges. This must be equal to or a superset of the
minimum permitted privileges, minimum retained privileges, and maximum retained privileges.
-r Adds or changes the minimum retained privileges. This must be a subset of the maximum
retained privileges as well as minimum permitted privileges.
-R Adds or changes the maximum retained privileges. This must be equal to or a superset of the
minimum retained privileges. This set must also be a subset of the maximum permitted
privileges.
For the third form of the command, if any of the options are not specified, setfilexsec takes the
following action:
If the binary’s extended attributes are already set (e.g., through a previous invocation of the
setfilexsec command), the previous value for the option is used.
If the binary’s extended attributes are not set, they default to null (i.e., empty sets for privileges
and empty value for compartment).
Option Arguments
privs This is a list of privileges separated by comma (,). See the description of the priv_list
argument in priv_str_to_set(3).
compartmentname This must be a valid compartment on the system or an empty string (""). If it is
an empty string, the compartment part of the security attributes is cleared.
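The subset rules stated for -p, -P, -r and -R can be checked before setfilexsec is run. The following sh functions are an added example, not part of the HP-UX manual page: is_subset and check_privsets are hypothetical helper names, PRIV_A through PRIV_D are constructed placeholders rather than real privilege names, and only plain comma-separated lists without whitespace are handled, not any other syntax priv_str_to_set(3) may accept.

```sh
#!/bin/sh
# Added example: pre-flight check of the four privilege sets against the
# subset rules given for -p, -P, -r and -R. Helper names are hypothetical.

# is_subset A B: succeed when every name in comma list A also occurs in B.
# An empty list is a subset of anything.
is_subset() {
    _old_ifs=$IFS
    IFS=,
    for _name in $1; do
        case ",$2," in
            *",$_name,"*) ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# check_privsets MINPERM MAXPERM MINRET MAXRET
# Prints one line per violated rule; returns 0 only when all rules hold.
check_privsets() {
    _p=$1 _P=$2 _r=$3 _R=$4 _rc=0
    is_subset "$_p" "$_P" || { echo "-p is not a subset of -P"; _rc=1; }
    is_subset "$_r" "$_P" || { echo "-r is not a subset of -P"; _rc=1; }
    is_subset "$_R" "$_P" || { echo "-R is not a subset of -P"; _rc=1; }
    is_subset "$_r" "$_R" || { echo "-r is not a subset of -R"; _rc=1; }
    is_subset "$_r" "$_p" || { echo "-r is not a subset of -p"; _rc=1; }
    return "$_rc"
}

# Constructed placeholder names, not real HP-UX privileges.
# Consistent: r <= p <= P and r <= R <= P.
check_privsets "PRIV_A,PRIV_B" "PRIV_A,PRIV_B,PRIV_C" "PRIV_A" "PRIV_A,PRIV_C" \
    && echo "sets are consistent"

# Inconsistent: PRIV_D is retained but appears in no permitted set.
check_privsets "PRIV_A" "PRIV_A,PRIV_B" "PRIV_D" "PRIV_D" \
    || echo "fix the sets before calling setfilexsec"

# On the target system the check would gate the real command, for example:
#   check_privsets "$p" "$P" "$r" "$R" &&
#       setfilexsec -p "$p" -P "$P" -r "$r" -R "$R" filename
```

When only some of -p, -P, -r and -R are given, the values passed to the check should be the full effective sets, since unspecified options keep their previously stored values.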
Operands
setfilexsec recognizes the following operands:
filename A binary executable. Extended attributes set on executable scripts are ignored by the
kernel.
HP-UX 11i Version 3: February 2007 Hewlett-Packard Company