Following is a list of the primary HP-UX RBAC components:
- privrun wrapper command
Based on authorizations
associated with a user, privrun invokes existing
legacy applications with privileges after performing authorization
checks and optionally re-authenticating the user and without modifying
- privedit command
Based on the authorizations
associated with a user, privedit allows users to edit files they usually would not be able to edit
because of file permissions or Access Control Lists (ACLs).
- Access Control Policy
Determines whether a subject
is authorized to perform an operation on an object.
- Access Control Policy
Evaluates HP-UX RBAC databases
files and applies mapping policies to service access control requests.
- management commands
Edits and validates HP-UX
RBAC database files.
The following sections discuss the HP-UX RBAC components in
HP-UX RBAC Access Control Policy Switch
The HP-UX RBAC Access Control Policy Switch is
a customizeable interface between applications that must make access
control decisions and the access control policy modules that provide
decision responses after interpreting policy information in RBAC databases.
As shown in Figure 9-1, from its
location in the HP-UX RBAC architecture, the ACPS provides an interface
between the access control policy modules and the applications that
make access control decisions.
The ACPS has the following interfaces, described
in detail in their respective manpages:
ACPS application programming
ACPS service provider interface
The administrative interface for the ACPS is the /etc/acps.conf configuration file. The /etc/acps.conf configuration file determines which policy modules the ACPS consults,
the sequence in which the modules are consulted, and the rules for
combining the module's responses to deliver a result to the applications
that need access control decisions. This ACPS implementation allows
you to create a module to enforce custom policy without modifying
existing role-based access control applications.
HP-UX RBAC Configuration Files
Table 9-3 lists
and briefly describes the HP-UX RBAC files.
Table 9-3 HP-UX RBAC Configuration Files
Database file containing
all valid authorizations.
privrun database file containing command and file authorizations and privileges.
Database file defining the
authorizations for each role.
Database file defining all
Database file defining the
roles for each user.
Configuration file for the
Audit filter file identifying
specific HP-UX RBAC roles, operations, and objects to audit.
HP-UX RBAC Commands
Table 9-4 lists
and briefly describes the HP-UX RBAC commands.
Table 9-4 HP-UX RBAC Commands
Invokes legacy application
with privileges after performing authorization checks and optionally
re-authenticating the user.
Allows authorized users to
edit files that are under access control.
Edits of role information
in the /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles files.
Edits authorization information
in the /etc/rbac/role_auth and /etc/rbac/roles files.
Edits command authorizations
and privileges in the /etc/rbac/cmd_priv database.
Verifies authorizations and
syntax in the HP-UX RBAC and privrun database files.
HP-UX RBAC Manpages
Table 9-5 lists
and briefly describes the HP-UX RBAC manpages.
Table 9-5 HP-UX RBAC Manpages
Describes the HP-UX RBAC
Describes the ACPS and its interfaces.
Describes the ACPS configuration file and
Describes the ACPS Application
Describes the ACPS Service
Describes privrun functionality and syntax.
Describes privedit functionality and syntax.
Describes roleadm functionality and syntax.
Describes authadm functionality and syntax.
Describes cmdprivadm functionality and syntax.
Describes rbacdbchk functionality and syntax.
HP-UX RBAC Architecture
The primary component of HP-UX RBAC is the privrun command, which invokes existing commands, applications,
and scripts. The privrun command uses the ACPS
subsystem to make access control requests. An access request is granted
or denied based on a set of configuration files that define user-to-role
and role-to-authorization mappings.
If the access request is granted, privrun invokes the target command with additional privileges, which can
include one or more of either a UID, GID, fine-grained privileges,
and compartments. The privileges are configured to enable the target
command to run successfully.
Figure 9-1 shows
the HP-UX RBAC architecture.
Figure 9-1 HP-UX RBAC Architecture
HP-UX RBAC Example Usage and Operation
Figure 9-2 and
the subsequent footnotes show a sample invocation of privrun and the configuration files that privrun uses
to determine whether a user is allowed to invoke a command.
Figure 9-2 Example Operation After Invoking privrun
A process, specifically
a shell, associated with the user executes privrun with the goal of executing a target command with elevated privilege.
The target command line
(command and arguments) is explicitly passed to privrun, and the UID of the invoking user is implicitly passed by the process
privrun attempts to find a match (or set of matches) within the /etc/rbac/cmd_priv database for the specified command line.
Each matching entry also specifies a required authorization (operation,
object pair) and the resulting privileges if the user has the specified
privrun makes a call (for each matching /etc/rbac/cmd_priv entry) to the ACPS. The HP-UX RBAC back end of the ACPS consults
the /etc/rbac/user_role and /etc/rbac/role_auth databases to determine whether the user has the specified authorization,
and passes this result back to privrun.
Assuming that the user associated
with the process has the required authorization specified in the /etc/rbac/cmd_priv database for the requested command, privrun will drop all privileges except those specified
in the /etc/rbac/cmd_priv entry and execute the
requested command. The privrun command is set to UID=0 and starts with all necessary privileges.