HP-UX Whitelisting A.01.02 Administrator Guide (766164-001, March 2014)

Example 2 Backing up policy protected files
HP recommends using wliwrap to back up and restore policy protected files and associated
metadata when restricted mode is in effect. To avoid granting permanent wmd capability to
the backup and restore commands, use wliwrap to enable wmd only for a single execution of a
command.
The user owns key adm1.pvt, which was granted administrator authority in Example 1 (page 40).
For this example, /usr/bin/tar is used for both backup and restore. Other HP-UX or vendor
product commands, such as cpio or commands included with Symantec NetBackup, can be
substituted for tar backup and restore operations.
To meet file permission bits requirements (DAC restrictions), the user must have root authority to
modify tar with wlisign. The command is signed with the administrator key:
% su root
# wlisign -a -k adm1.pvt /usr/bin/tar
The wmd capability is not granted to /usr/bin/tar. Only the key authorizing execution of
wliwrap must be granted wmd capability. File permission bits restrictions (DAC permissions) on
/usr/bin/tar must be met for wlisign, so the signing was executed by the root user.
Signing tar with an administrator key is required because it executes as a child process of
wliwrap. If tar is signed by a WLI key without administrator privilege, wmd capability is not
granted through wliwrap.
The key authorizing wliwrap execution must have wmd capability. The key can be granted wmd
before or after the signing, but must be granted wmd before tar executes as a child process of
wliwrap. To grant wmd to key adm1.pvt:
% wlicert -s -c wli.admin1 -o wmd -k adm1.pvt
In Example 1 (page 40), all capabilities are granted to adm1.pvt, but only the capabilities granted
in the previous command are necessary. The backup can now be generated because wmd is
granted through key adm1.pvt.
% wliwrap -k adm1.pvt -o wmd "tar -cvf tartest.tar /tmp/tartest"
wliwrap: process capability wmd set
wliwrap: executing command: tar -cvf tartest.tar /tmp/tartest
a ./tartest/tfile1 1 blocks
a ./tartest/tfile2 1 blocks
a ./tartest/tfile3 1 blocks
a ./tartest/.$WLI_POLICY$/tfile1 4 blocks
a ./tartest/.$WLI_POLICY$/tfile2 4 blocks
a ./tartest/.$WLI_POLICY$/tfile3 4 blocks
The wmd capability granted to the executing process overrides any IBAC, allowing tar to read
all files. Granting an IBAC policy to any file to allow the backup to proceed is not necessary.
Protected files and associated metadata files are now stored on the archive tartest.tar. The
.$WLI_POLICY$ entries appear in this listing because either the metadata storage type is pseudo
or the file system is not VxFS 5.0.1 or later. If VxFS named data streams are used for metadata
storage, the .$WLI_POLICY$ directory and its files do not appear.
For details on setting metadata storage type, see wlisys(1M).
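The following check is an added example, not part of the HP guide: it reads verbose tar output of the form shown above and confirms that each archived file has a companion entry under .$WLI_POLICY$. It assumes pseudo metadata storage and the directory layout visible in that listing; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide). Assumes pseudo metadata storage and
# the <dir>/.$WLI_POLICY$/<name> layout seen in the tar listing above.

# check_wli_pairs: read "a <path> <n> blocks" lines on stdin and pair each
# archived file with its metadata entry. Other lines (wliwrap banners) are
# ignored. Prints one line per problem; returns 0 if all entries pair up.
#   NO_METADATA      file has no policy, or its metadata was not archived
#   ORPHAN_METADATA  metadata was archived without the file it describes
check_wli_pairs() {
    awk '
    BEGIN { tag = "/.$WLI_POLICY$/" }
    /^a .* [0-9]+ blocks$/ {
        path = $0
        sub(/^a /, "", path)             # drop the tar action letter
        sub(/ [0-9]+ blocks$/, "", path) # drop the size, keep spaces in names
        i = index(path, tag)             # literal match, "$" is not a regex here
        if (i > 0) {
            # Map the metadata entry back to the file it belongs to.
            key = substr(path, 1, i) substr(path, i + length(tag))
            meta[key] = path
        } else {
            data[path] = 1
        }
    }
    END {
        bad = 0
        for (p in data) if (!(p in meta)) { print "NO_METADATA " p; bad = 1 }
        for (k in meta) if (!(k in data)) { print "ORPHAN_METADATA " meta[k]; bad = 1 }
        exit bad
    }'
}

# Constructed sample: tfile3 was archived without its metadata entry.
sample_listing() {
    printf '%s\n' \
        'wliwrap: process capability wmd set' \
        'a ./tartest/tfile1 1 blocks' \
        'a ./tartest/tfile2 1 blocks' \
        'a ./tartest/tfile3 1 blocks' \
        'a ./tartest/.$WLI_POLICY$/tfile1 4 blocks' \
        'a ./tartest/.$WLI_POLICY$/tfile2 4 blocks'
}

sample_listing | check_wli_pairs || echo "listing has unpaired entries"
```

When VxFS named data streams hold the metadata, the listing contains no .$WLI_POLICY$ entries, so this check reports every file as NO_METADATA and does not apply.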
The administrator key is used to authorize wliwrap execution and grant wmd capability to the
tar child process in this example. This is done only for convenience because it is likely the same
user would sign the backup command and generate backups. A WLI user key without administrator
authority is sufficient to authorize wliwrap execution.
The tar command is executed with the effective user ID of the login user in this example. The
owner and group IDs of the generated archive match the login values of owner and group, as
if tar were executed directly.
This preparation for backing up policy protected files can be applied to backing up non-ELF binary
executables with associated metadata in .$WLI_SIGNATURE$ directories. A .$WLI_FSPARMS$
file can also be backed up. This procedure can be applied to backing up an entire file system
containing policy protected files and signed executables.