privedit(1M), HP-UX Reference, HP-UX 11i Version 3: February 2007
NAME
privedit — let authorized users edit files that are under access control

DESCRIPTION
privedit allows authorized users to edit files that are otherwise restricted by permissions or access control lists. Identify which file to edit by specifying the file name as an argument to the privedit command. After you invoke the command, privedit checks the /etc/rbac/cmd_priv database to determine the authorization required to edit the file. If you have the necessary authorization, privedit invokes the specified editor to edit the file.

You can specify which editor privedit uses by setting the EDITOR environment variable. If you do not set EDITOR, privedit uses the default editor, vi. You cannot pass arguments to the editor via the privedit command line. However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit.

You can use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified once privedit has been invoked. privedit also recognizes and supports files that are symbolic links.

privedit can edit only one file at a time. If you specify multiple file names as privedit arguments, privedit edits the first file specified and ignores the subsequent file names.

The HP-UX RBAC feature also provides the ability to customize how privedit and privrun check user authorizations. (See privrun(1M).) The Access Control Policy Switch (ACPS) module of HP-UX RBAC provides responses to applications that must make authorization decisions.
The ACPS configuration file, acps.conf, controls which modules are consulted for making access decisions, the sequence in which the modules are consulted, and the rules for combining module responses to return results to applications. See acps.conf(4), acps(3), and rbac(5) for more information.

Options
privedit recognizes the following options:
The cmd_priv Database
As described in privrun(1M), the /etc/rbac/cmd_priv file contains information indicating which authorizations are required to execute commands or edit files. You can also specify a PAM service name in /etc/rbac/cmd_priv to indicate how privedit should identify itself to PAM if a user must be reauthenticated. The file contains any number of entries, where each entry is specified on a single line in the following format:

    {command|file} : arguments : (operation,object) : ruid/euid/rgid/egid : compartment : privs : pam-service : flags

These fields are defined as follows:
The Authorization field can contain the keyword dflt instead of (operation,object), which indicates that no access check is required and the command is invoked with privilege for any user. The UID and GID entry in field 4 is ignored by privedit, but the slash characters (/) separating the IDs must remain. The pam-service name in field 7 may also be dflt, which indicates that reauthentication is not required. White space between fields (immediately surrounding the field separator :) in this database is optional and ignored by privedit.

There may be multiple entries for the same file (each requiring a different authorization). privedit evaluates each entry in the order specified in the file, continuing on to the next only if the user does not have the required authorization. The privedit -a command option described above allows users to identify a specific authorization to match when multiple entries for the same file exist in the cmd_priv database.

EXTERNAL INFLUENCES

RETURN VALUE
EXAMPLES
Example 1
In the following example, the caller invokes privedit to edit /etc/fstab.

    # privedit /etc/fstab

The /etc/rbac/cmd_priv database is examined for an entry corresponding to the file /etc/fstab. If this entry is found, the necessary authorization is retrieved from that entry. privedit then determines whether the user has the necessary authorization and whether the file is allowed to be edited, as determined by the value in the flags field. privedit then invokes the editor on a copy of /etc/fstab; the original file is never edited directly. The EDITOR environment variable determines which editor privedit invokes. If the user has not set EDITOR, privedit uses the default editor, vi. After the user exits the editor, the edited copy replaces the original file. The editor is always invoked as the regular user, so no additional privileges are given to the user while the file is being edited.

Example 2
In the next example, the caller wants to edit the file /etc/default/security with the specific authorization (hpux.sec.edit,secfile).

    # privedit -a "(hpux.sec.edit,secfile)" /etc/default/security

If an /etc/rbac/cmd_priv entry exists for the file /etc/default/security with the associated authorization (hpux.sec.edit,secfile), and editing is allowed per the flags field, then the usual authorization/edit process takes place. If no such entry exists (even if an entry for /etc/default/security appears with a different associated authorization (operation,object)), privedit fails and prints an error message.

FILES
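The lookup described under The cmd_priv Database and exercised in Examples 1 and 2, modelled in Python as an added example. This is not HP-UX code (privedit is a native binary); it reproduces the rules the page states: the file name is fully qualified with the current directory, entries are tried in file order, the next entry is consulted only when the caller lacks the authorization, dflt skips the check, a non-dflt pam-service means reauthentication, and -a restricts matching to one authorization. Assumptions not on the page: blank and # lines are ignored, the literal flag edit in field 8 is what marks an entry as editable (the page only says the flags field decides), and the caller's authorizations are supplied as a plain set. The entries and authorization names in SAMPLE_CMD_PRIV are constructed sample data.

```python
"""Model of privedit's /etc/rbac/cmd_priv lookup (added example, not HP-UX code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Entry:
    path: str            # field 1: fully qualified file name
    authorization: str   # field 3: "(operation,object)" or "dflt"
    pam_service: str     # field 7: PAM service name or "dflt"
    flags: Set[str] = field(default_factory=set)  # field 8


@dataclass
class Decision:
    status: str          # "ok", "no-entry", "not-authorized", "not-editable"
    path: str
    entry: Optional[Entry] = None
    reauth_required: bool = False


# Constructed sample database.  Field 4 (ruid/euid/rgid/egid) is ignored by
# privedit but its slashes must stay; whitespace around ':' is optional.
# ASSUMPTION: the flag "edit" marks an entry as editable (page: "flags field").
SAMPLE_CMD_PRIV = """\
/etc/fstab : dflt : (hpux.adm.edit,fstab) : /// : dflt : dflt : dflt : edit
/etc/default/security:dflt:(hpux.sec.edit,secfile):///:dflt:dflt:dflt:edit
/etc/default/security : dflt : (hpux.sec.edit,secfile-alt) : /// : dflt : dflt : privedit : edit
/etc/motd : dflt : dflt : /// : dflt : dflt : dflt : edit
/usr/bin/passwd : dflt : (hpux.user.passwd,passwd) : /// : dflt : dflt : dflt :
"""


def parse_cmd_priv(text: str) -> List[Entry]:
    """Split each line into its eight ':'-separated fields, stripping surrounding blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # ASSUMPTION: blank and '#' lines are ignored
        fields = [f.strip() for f in raw.split(":")]
        if len(fields) != 8:
            raise ValueError(f"cmd_priv line {lineno}: expected 8 fields, got {len(fields)}")
        if fields[3].count("/") != 3:
            raise ValueError(f"cmd_priv line {lineno}: UID/GID field must keep its three '/'")
        entries.append(Entry(fields[0], fields[2], fields[6], set(fields[7].split())))
    return entries


def qualify(name: str, cwd: str) -> str:
    """privedit prepends the current working directory to names that are not absolute."""
    return name if name.startswith("/") else cwd.rstrip("/") + "/" + name


def lookup(entries: List[Entry], filename: str, cwd: str,
           user_auths: Set[str], requested: Optional[str] = None) -> Decision:
    """Evaluate matching entries in file order, as privedit does.

    user_auths: authorizations the caller holds (modelled as a plain set).
    requested:  the -a value; when given, only entries with exactly that
                authorization are considered, so a file known under a
                different authorization still yields "no-entry".
    """
    path = qualify(filename, cwd)
    candidates = [e for e in entries if e.path == path
                  and (requested is None or e.authorization == requested)]
    if not candidates:
        return Decision("no-entry", path)
    for e in candidates:
        if e.authorization != "dflt" and e.authorization not in user_auths:
            continue  # caller lacks this authorization: try the next entry
        if "edit" not in e.flags:
            return Decision("not-editable", path, e)
        return Decision("ok", path, e, reauth_required=(e.pam_service != "dflt"))
    return Decision("not-authorized", path)


ENTRIES = parse_cmd_priv(SAMPLE_CMD_PRIV)

if __name__ == "__main__":
    # Example 1: relative name, qualified against the cwd
    print(lookup(ENTRIES, "fstab", "/etc", {"(hpux.adm.edit,fstab)"}))
    # Example 2: -a names an authorization no entry carries
    print(lookup(ENTRIES, "/etc/default/security", "/", set(), requested="(hpux.sec.edit,nosuch)"))
```

The model keeps the edit/replace step out of scope: what matters for access decisions is which entry, if any, is selected, and whether PAM reauthentication is triggered before the editor is started as the unprivileged caller.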