HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 9 HP-UX Role-Based Access Control

Using HP-UX RBAC

This section explains how to run the privrun and privedit commands to operate HP-UX RBAC.

Using the privrun Command to Run Applications with Privileges

The privrun command enables a user to run legacy applications with different privileges, according to the authorizations associated with the invoking user. The user invokes privrun, specifying the legacy application as command line arguments. Next, privrun consults the /etc/rbac/cmd_priv database to determine what authorization is required to run the command with additional privileges. If the user has the necessary authorization, privrun invokes the specified command after changing its UID and/or GID as specified in the /etc/rbac/cmd_priv database.

The following is the privrun command syntax:

privrun [options] command [args] | [-u eUID|username] | [-g eGID|groupname] | [-U rUID|username] | [-G rGID|groupname] | [-a (operation, object)] | [-c compartment] | [-p privilege[,privilege,privilege...]] | [-x] | [-v [-v]] | [-h] | [-t]

The following list explains each of the privrun command options:

-u

Matches only those entries containing the effective user ID (EUID) corresponding to the specified EUID or the EUID associated with the username.

-g

Matches only those entries containing the effective group ID (EGID) corresponding to the specified EGID or the EGID associated with the group name.

-U

Matches only those entries containing the real user ID (RUID) corresponding to the specified RUID or the RUID associated with the username.

-G

Matches only those entries containing the real group ID (RGID) corresponding to the specified RGID or the RGID associated with the group name.

-a

Matches only those entries requiring the specified authorization. Authorization is defined as (operation, object) pairs in the /etc/rbac/cmd_priv database file. The specified authorization must exactly match the authorization present in the /etc/rbac/cmd_priv file—wildcards are not supported.

-c

Matches the specified compartment in the /etc/rbac/cmd_priv database file. The specified compartment must exactly match the compartment present in /etc/rbac/cmd_priv.

-p

Matches the specified privileges with the privileges in the /etc/rbac/cmd_priv database file. You can specify more than one privilege. When specifying multiple privileges, separate each privilege with a comma. Be aware when you specify a privilege using the privrun -p option that privrun will match all entries that contain the specified privilege—including groups of privileges and compound privileges that include the -p specified privilege. The privrun command will execute according to the first match in /etc/rbac/cmd_priv.

-x

Uses a fall-through mode that modifies the behavior of privrun only when an authorization or authentication check fails. Rather than exiting with an error message, the target command runs, but without any additional privileges. The target command executes as though the user ran the command directly without privrun.

-v

Invokes privrun in verbose mode. The verbose level increases if two -v options are specified. An increased verbose level prints more information.

-h

Prints privrun help information.

-t

Uses a test mode that performs all the normal authorization and authentication checks according to the configuration files to see if the desired privrun invocation will succeed. The only difference is that instead of executing the command, upon success, privrun -t just returns. Use this to preview whether a given privrun invocation will succeed.

The following is an example of the most basic privrun usage—wrapping a legacy application. In this case, the ipfstat command runs as a privrun command argument in order to run according to the authorizations associated with the invoking user:

# privrun ipfstat

As long as the user logged in has the necessary authorization, defined in /etc/rbac/cmd_priv, the privrun wrapper command will execute the legacy command with the privileges (UID and GID) defined in the /etc/rbac/cmd_priv entry.

Multiple entries can exist for the same command, potentially with different required authorizations and different resulting privileges. In this case, privrun iterates sequentially through the /etc/rbac/cmd_priv database, executing the first command the user is authorized for.

In some cases, this may not be ideal. For example, all users may be allowed to run the passwd command to change their own password, but if a user administrator runs it, they need the privileges to change other users' passwords. If the entry for all the normal users is listed before the entry for the user administrators, it is executed first, and this might prevent the user administrators from running the more privileged version.

For cases like this, privrun has options that allow users to specify the desired privileges. Only entries matching the specified privileges (for example, UID) are used. If no entries match the desired privileges, privrun returns an error message.

The following is an example invocation of privrun that matches only entries where the effective UID is set to 0:

# privrun -u 0 ipfstat

NOTE: See the privrun(1M) and rbac(5) manpages for more about using the privrun command.
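
The first-match ordering problem and the -u and -x options described above, modelled in Python as an added example (this is not HP code and not part of the original guide). The Entry layout, the authorization names and the two user sets are constructed for illustration and do not reproduce the real /etc/rbac/cmd_priv syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    command: str
    authorization: tuple   # (operation, object) required of the invoking user
    euid: Optional[int]    # effective UID the command runs with; None = unchanged

# Constructed, simplified stand-in for /etc/rbac/cmd_priv. Not the real file
# syntax; the authorization names are hypothetical.
CMD_PRIV = [
    Entry("/usr/bin/passwd", ("example.passwd.self", "*"), None),  # all users
    Entry("/usr/bin/passwd", ("example.passwd.admin", "*"), 0),    # user admins
]

def select_entry(db, user_auths, command, want_euid=None):
    """Return the first entry for command that the user is authorized for.
    want_euid models privrun -u: only entries with that EUID are considered."""
    for entry in db:
        if entry.command != command:
            continue
        if want_euid is not None and entry.euid != want_euid:
            continue
        if entry.authorization in user_auths:
            return entry
    return None

def privrun(db, user_auths, command, want_euid=None, fallthrough=False):
    """Outcome of a modelled privrun call; fallthrough models the -x option."""
    entry = select_entry(db, user_auths, command, want_euid)
    if entry is not None:
        return ("privileged", entry.euid)
    return ("unprivileged", None) if fallthrough else ("error", None)

def shadowed(db, user_auths, command):
    """Entries the user is authorized for but a plain privrun never reaches."""
    first = select_entry(db, user_auths, command)
    return [e for e in db if e.command == command
            and e.authorization in user_auths and e is not first]

# A user administrator also holds the authorization every normal user has.
ADMIN = {("example.passwd.self", "*"), ("example.passwd.admin", "*")}
NORMAL = {("example.passwd.self", "*")}

if __name__ == "__main__":
    print(privrun(CMD_PRIV, ADMIN, "/usr/bin/passwd"))               # first match wins
    print(privrun(CMD_PRIV, ADMIN, "/usr/bin/passwd", want_euid=0))  # -u 0 skips it
    print(shadowed(CMD_PRIV, ADMIN, "/usr/bin/passwd"))              # audit for ordering
```

Running shadowed() for each role over a real rule set is a quick way to spot entries that can only be reached with an explicit option such as -u.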

HP-UX RBAC in Serviceguard Clusters

Serviceguard does not support the use of HP-UX RBAC and privrun to grant access to Serviceguard commands. Serviceguard version A.11.16 implemented its own Role-Based Access Control by specifying Access Control Policies through package and cluster configuration files, providing cluster-aware policies for Serviceguard operations. The Serviceguard mechanism must be used for Role Based Access Control of Serviceguard operations. See the latest Managing Serviceguard document for additional details on Serviceguard Access Control Policies.

HP-UX RBAC can be used with non-Serviceguard commands in a Serviceguard cluster. The same HP-UX RBAC rules should be applied to all nodes in the cluster.

Using the privedit Command to Edit Files Under Access Control

The privedit command allows authorized users to edit files they usually would not be able to edit because of file permissions or ACLs. After you invoke the command and identify the file you want to edit as an argument, privedit checks the /etc/rbac/cmd_priv database, just as privrun does, to determine the authorization required to edit the specified file. If the invoking user is authorized to edit the file, privedit invokes an editor on a copy of the file.

NOTE: When you use privedit to invoke an editor to edit a file, the editor does not run with any elevated privileges. Because the editor privedit invokes does not run with elevated privileges, any attempted actions, such as shell escapes, run with the user's typical (non-elevated) privilege set.

You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi. You cannot pass arguments to the editor via the privedit command line. However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit.

Use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified after you invoke privedit. The privedit command also recognizes and supports files that are symbolic links.

The privedit command can edit only one file at a time. If you specify multiple file names as privedit arguments, privedit edits the first file specified and ignores the subsequent file names. The following shows the privedit command syntax:

privedit [option] fully-qualified-file-name | [-a (operation, object)] | [-v] | [-h] | [-t] | [-x]

The following is a list and brief description of the privedit command options:

-a authorization

Matches only the /etc/rbac/cmd_priv file entries that have the specified authorization.

-v

Invokes privedit in verbose mode.

-h

Prints privedit help information.

-t

Checks if the user has the required authorization to edit the file and reports the results.

-x

If the authorization check fails, the file will be edited with the caller's original privileges.

The following is an example of using a privedit command to edit the /etc/default/security file with the specific authorization of (hpux.sec.edit, secfile):

# privedit -a "(hpux.sec.edit, secfile)" /etc/default/security

NOTE: Remember that the flag values for each entry in the cmd_priv database dictate whether or not privedit can edit a file. See “Configuring Additional Command Authorizations and Privileges” and the privedit(1M) manpage for more information about flags and using the privedit command.

Customizing privrun and privedit Using the ACPS

The HP-UX RBAC feature provides the ability to customize how privedit and privrun check user authorizations. The ACPS module is a customizable interface that provides responses to applications that must make authorization decisions. The ACPS configuration file, /etc/acps.conf, controls the following aspects of the ACPS:

  • which modules are consulted for making access decisions

  • the sequence in which the modules are consulted

  • the rules for combining module responses to return results to applications

See Section , and acps.conf(4), acps(3), and rbac(5) for more information about the ACPS.

© 2008 Hewlett-Packard Development Company, L.P.