privedit(1M)

HP-UX 11i Version 3: February 2007

NAME

privedit — let authorized users edit files that are under access control

SYNOPSIS

privedit [-htxv] [-a authorization] file

DESCRIPTION

privedit allows authorized users to edit files that are otherwise restricted by permissions or access control lists. Identify which file to edit by specifying the file name as an argument to the privedit command. After you invoke the command, privedit checks the /etc/rbac/cmd_priv database to determine the authorization required to edit the file. If you have the necessary authorization, privedit invokes the specified editor to edit the file.

You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi. You cannot pass arguments to the editor via the privedit command line. However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit.

You can use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified after invoking privedit. The privedit command also recognizes and supports files that are symbolic links.

privedit can edit only one file at a time. If you specify multiple file names as privedit arguments, privedit edits the first file specified and ignores the subsequent file names.

The HP-UX RBAC feature also provides the ability to customize how privedit and privrun check user authorizations. (See privrun(1M).) The Access Control Policy Switch (ACPS) module of HP-UX RBAC provides responses to applications that must make authorization decisions. The ACPS configuration file, acps.conf, controls which modules are consulted for making access decisions, the sequence in which the modules are consulted, and the rules for combining module responses to return results to applications. See acps.conf(4), acps(3) and rbac(5) for more information.

Options

privedit recognizes the following options:

-a authorization

Match only those entries requiring the specified authorization. The specified authorization must exactly match the authorization present in the cmd_priv database (that is, no wildcards allowed).

-h

Print privedit usage or help.

-t

Check to see if the user has the authorization to edit the file and inform the user of the results.

-x

If the authorization check fails, edit the file with the caller's original privileges.

-v

Invoke privedit in verbose mode.

Operands

privedit recognizes the following operands:

file

File to edit.

The cmd_priv Database

As described in privrun(1M), the /etc/rbac/cmd_priv file contains information indicating which authorizations are required to execute commands or edit files. You can also specify a PAM service name in /etc/rbac/cmd_priv to indicate how privedit should identify itself to PAM if a user must be reauthenticated.

The file contains any number of entries, where each entry is specified on a single line in the following format:

{command|file} : arguments : (operation,object) : ruid/euid/rgid/egid : compartment : privs : pam-service : flags

These fields are defined as follows:

command | file

For privedit, the fully qualified path of a file to edit. This field may contain wildcards as defined in fnmatch(3C).

For privrun, the fully qualified path of the command that is being wrapped to provide additional privilege.

arguments

Ignored. (Used only by privrun.)

(operation,object)

The operation the user is required to have on the object specified. Together, the (operation,object) forms the authorization. operation must be fully qualified and cannot contain a wild card (*).

all in object requires that the user has the specified operation on all objects. (Note: this is satisfied by a specification of (operation,*) in the /etc/rbac/role_auth database if RBAC is in use.)

This field may contain the keyword dflt instead of (operation,object), which indicates that no access check is required and the file can be edited with privilege by any user.

ruid/euid/rgid/egid

Ignored. (Used only by privrun.)

compartment

Ignored. (Used only by privrun.)

privs

Ignored. (Used only by privrun for privileges.)

pam-service

Reauthentication service. If specified, the user is required to reauthenticate. The privedit command identifies itself to PAM as the service indicated in this field. This allows the security officer to require an additional set of authentication/account management restrictions for particular files for editing. See pam.conf(4) for a list of PAM services.

The keyword dflt must be used to indicate that no reauthorization is required.

flags

Flag values can be specified to indicate whether or not privedit can edit a file. Additional flag values can be specified to indicate whether privrun can execute a command. The specific values allowed are as follows:

flag=empty or any other token

The file is a command that can be executed only. It cannot be edited.

flag=edit

The file can be both edited and executed. This is mainly intended for scripts.

flag=noexec

The file cannot be executed. It can only be edited with privedit.

The Authorization field can contain the keyword dflt instead of (operation,object), which indicates that no access check is required and the command is invoked with privilege for any user. The UID and GID entry in field 4 is ignored by privedit, but the slash character (/) separating the IDs must remain. The pam service name in field 7 may also be dflt, which indicates reauthentication is not required.

White space between each field (immediately surrounding the field separator :) in this database is optional and ignored by privedit.

There may be multiple entries with the same file line (but different authorization required). privedit evaluates each entry in the order specified in the file, continuing on to the next only if the user does not have the required authorization. The privedit -a command option described above allows users to identify a specific authorization to match or find when multiple entries for the same file exist in the cmd_priv database.

EXTERNAL INFLUENCES

Environment Variables

EDITOR specifies the default editor.

LC_MESSAGES determines the language in which messages are displayed.

International Code Set Support

Single-byte character code set is supported.

RETURN VALUE

Success

If privedit permitted the user to edit the file, then the return value from privedit is the return value of the editor used to edit the file.

Failure

privedit returns a value of 1 and an appropriate error message is printed to standard error.

EXAMPLES

Example 1

In the following example, the caller invokes privedit to edit /etc/fstab.

# privedit /etc/fstab

The /etc/rbac/cmd_priv database is examined for an entry corresponding to the file /etc/fstab. If this entry is found, then the necessary authorization is retrieved from that entry. privedit then determines whether the user has the necessary authorization and whether the file is allowed to be edited, as determined by the value in the flag field. privedit then invokes the editor to edit a copy of /etc/fstab; the original file is never edited directly.

The EDITOR environment variable determines which editor privedit invokes. If a user does not set the EDITOR environment variable, privedit uses the default editor, vi. After the user exits the editor, the edited file replaces the original file. The editor is always invoked as the regular user so that there are no additional privileges given to the user while the file is being edited.

Example 2

In the next example, the caller wants to edit the file /etc/default/security with a specific authorization of (hpux.sec.edit,secfile).

# privedit -a "(hpux.sec.edit,secfile)" /etc/default/security

If a /etc/rbac/cmd_priv entry exists for the file /etc/default/security with the associated authorization (hpux.sec.edit,secfile) and editing is allowed per the flag field, then the usual authorization/edit process takes place. If this entry does not exist (even if an entry for /etc/default/security appears with a different associated authorization (operation,object)), then privedit fails and prints an error message.
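The entry-selection rules described under The cmd_priv Database and exercised in Example 2 (wildcards in the file field, ordered evaluation of several entries for the same file, exact matching for -a, the dflt keyword, the flags field and the PAM reauthentication field) are modelled below in Python. This is an added example, not HP-UX code: the sample database is constructed, every authorization name except (hpux.sec.edit,secfile) and the PAM service name privedit_reauth are made up, the user's role_auth grants are passed in as a set of (operation, object) pairs in place of an ACPS query, and the handling of an authorized entry whose flags forbid editing is an assumption noted in the code.

```python
"""Model of how privedit selects a /etc/rbac/cmd_priv entry.

Added example, not HP-UX code: it parses cmd_priv-style lines and applies the
rules the man page describes (fnmatch wildcards in the file field, ordered
evaluation, exact matching for -a, the dflt keyword, and the flags field).
The user's authorization set stands in for what the ACPS would return.
"""
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass
class CmdPrivEntry:
    path: str           # file field, may contain fnmatch wildcards
    authorization: str  # "(operation,object)" or "dflt"
    pam_service: str    # PAM service name or "dflt"
    flags: str          # "edit", "noexec", or any other token (execute only)


# Constructed sample database; authorization and PAM service names are made up.
SAMPLE_CMD_PRIV = """\
# constructed sample, not a real cmd_priv file
/etc/fstab : dflt : (hpux.fs.edit,fstab) : 0/0/0/0 : dflt : dflt : dflt : noexec
/etc/default/security : dflt : (hpux.sec.edit,secfile) : 0/0/0/0 : dflt : dflt : privedit_reauth : noexec
/etc/default/security : dflt : (hpux.sec.edit,all) : 0/0/0/0 : dflt : dflt : dflt : noexec
/sbin/init.d/* : dflt : (hpux.admin.scripts,all) : 0/0/0/0 : dflt : dflt : dflt : edit
/usr/sbin/reboot : dflt : (hpux.admin.reboot,all) : 0/0/0/0 : dflt : dflt : dflt :
"""


def parse_cmd_priv(text):
    """Split each non-comment line into its 8 colon-separated fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]  # blanks around ':' are ignored
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields: {line!r}")
        path, _args, auth, _ids, _compartment, _privs, pam, flags = fields
        entries.append(CmdPrivEntry(path, auth, pam, flags))
    return entries


def parse_authorization(spec):
    """'(operation,object)' -> (operation, object); the operation may not be wildcarded."""
    if not (spec.startswith("(") and spec.endswith(")")) or "," not in spec:
        raise ValueError(f"malformed authorization: {spec!r}")
    operation, obj = (s.strip() for s in spec[1:-1].split(",", 1))
    if "*" in operation:
        raise ValueError(f"operation may not contain a wildcard: {spec!r}")
    return operation, obj


def has_authorization(spec, user_auths):
    """user_auths is a set of (operation, object) pairs as granted via role_auth."""
    if spec == "dflt":                     # no access check required
        return True
    operation, obj = parse_authorization(spec)
    if obj == "all":                       # only (operation,*) in role_auth satisfies this
        return (operation, "*") in user_auths
    return (operation, obj) in user_auths or (operation, "*") in user_auths


def qualify(path, cwd):
    """privedit prepends the working directory to a name that is not fully qualified."""
    return path if path.startswith("/") else posixpath.join(cwd, path)


def check_edit(entries, path, user_auths, wanted_auth=None, cwd="/"):
    """Return (allowed, reason, entry) following the ordered-evaluation rule.

    wanted_auth models -a: the entry's authorization text must match exactly.
    Assumption: an entry the user is authorized for but whose flags forbid
    editing ends the search with a denial, since the page says the next entry
    is tried only when the user lacks the required authorization.
    """
    target = qualify(path, cwd)
    for entry in entries:
        if not fnmatch.fnmatchcase(target, entry.path):
            continue
        if wanted_auth is not None and entry.authorization != wanted_auth:
            continue
        if not has_authorization(entry.authorization, user_auths):
            continue                       # try the next entry for the same file
        if entry.flags not in ("edit", "noexec"):
            return False, "matching entry is execute-only", entry
        if entry.pam_service != "dflt":
            return True, f"reauthenticate via PAM service {entry.pam_service}", entry
        return True, "no reauthentication required", entry
    return False, "no cmd_priv entry grants editing", None


if __name__ == "__main__":
    db = parse_cmd_priv(SAMPLE_CMD_PRIV)
    print(check_edit(db, "/etc/fstab", {("hpux.fs.edit", "fstab")}))
    print(check_edit(db, "security", {("hpux.sec.edit", "*")},
                     wanted_auth="(hpux.sec.edit,all)", cwd="/etc/default"))
```

The two /etc/default/security entries show why -a exists: a user holding (hpux.sec.edit,*) satisfies both, so without -a the first entry wins and forces PAM reauthentication, while `-a "(hpux.sec.edit,all)"` selects the second; an -a value that no entry carries fails outright, exactly as Example 2 states.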

FILES

/etc/rbac/roles

Database containing valid definitions of all roles.

/etc/rbac/auths

Database containing definitions of all valid authorizations.

/etc/rbac/user_role

Database specifying the roles for each specified user.

/etc/rbac/role_auth

Database defining the authorizations for each role.

/etc/rbac/cmd_priv

Database that contains the authorization to execute or edit specified commands or files, and the privileges to alter UID and GID for command execution.
