Securing Virtual Partitions with HP-UX Role-Based Access Control

Using HP-UX RBAC

The information in this section explains how to operate HP-UX RBAC by using the privrun command

to run existing legacy applications without modification and with varying privileges based on user

authorizations

Using the privrun Command to Run Applications with Privileges

The privrun command enables a user to run legacy applications with different privileges, according

to the authorizations associated with the invoking user. The user invokes privrun, specifying the

legacy application as command line arguments. Next, privrun consults the /etc/rbac/cmd_priv

database to determine what authorization is required to run the command with additional privileges.

For example, if an Operator logs in to host ntc185 as normal user nnie, he can execute network

commands and virtual partition commands for the local host as shown in the following:

# privrun /sbin/ipfstat -io

empty list for ipfilter(out)

empty list for ipfilter(in)

# privrun /usr/sbin/vparreset_ntc185

vparreset: Warning: Default reset option (-t) used.

Reset virtual partition vpar_ntc185? [n] n

If an Operator attempts to execute any unauthorized virtual partition commands for another host, it will

be rejected, as shown in the following example:

# privrun /sbin/vparreset –p vpar_ntc190

privrun: authorization check failed

The BoxAdmin will log in as root and execute virtual partition commands with full root privileges. There

is no need to prefix each command with privrun for the BoxAdmin.