privrun(1M)

HP-UX 11i Version 3: February 2007
NAME

privrun — invoke another application with privileges after performing appropriate authorization checks and optionally reauthenticating the user

SYNOPSIS

privrun [-htx] [-a authorization] [-c compartment] [-g [gid|groupname]] [-G [gid|groupname]] [-p privileges] [-u [uid|username]] [-U [uid|username]] [-v [-v]] command [args]

DESCRIPTION

privrun allows a user to run legacy applications with elevated privileges according to the authorizations associated with that user. The user invokes privrun, specifying the legacy application as command line arguments. privrun consults the /etc/rbac/cmd_priv database to determine which authorization is required to run the command with additional privileges. (The authorization is specified as an operation and a target object.) If the user has the necessary authorization, privrun invokes the specified command after changing its UID and/or GID as specified in the cmd_priv database. privrun also allows a command to be run with a specified set of fine-grained privileges, and/or in a specified compartment.

The method to determine whether the user has the necessary authorization is configurable by the system administrator. A module is provided to associate a fixed set of authorizations with the user based on the user's role. See rbac(5) for more information.

Options

privrun recognizes the following options:

-a authorization

Match only those entries requiring the specified authorization. authorization is defined as an (operation,object) pair in the cmd_priv database. The specified authorization must exactly match the authorization present in the cmd_priv file (that is, wildcarding is not supported).

-c compartment

Matches the specified compartment in the cmd_priv database. The specified compartment must exactly match the compartment present in the cmd_priv file.

-g [gid|groupname]

Match only those entries containing the effective group ID (EGID) corresponding to the specified EGID or the EGID associated with the group name.

-G [gid|groupname]

Match only those entries containing the real group ID (RGID) corresponding to the specified RGID or the RGID associated with the group name.

-h

Prints privrun usage or help.

-p privileges

Matches the specified privileges to the privileges in the cmd_priv database. When specifying multiple privileges, separate each privilege with a comma. Every privilege specified with the -p option must have a match in the cmd_priv database.

-t

Check to see if the user has the authorization to execute the command and inform the user of the results. The command will not be invoked.

-u [uid|username]

Match only those entries containing the effective user ID (EUID) corresponding to the specified EUID or the EUID associated with the user name.

-U [uid|username]

Match only those entries containing the real user ID (RUID) corresponding to the specified RUID or the RUID associated with the user name.

-v [-v]

Invoke privrun in verbose mode. Specifying -v twice increases the verbosity level, which prints more information.

-x

If the authorization check fails, the program is still executed, but with the original caller's privileges only.

Operands

privrun recognizes the following operands:

command [args]

The HP-UX command to run. command must be fully qualified. If it is not, then privrun will use the current working directory and the PATH environment variable to determine the desired command. args specifies any argument that the command recognizes.

The cmd_priv Database

The /etc/rbac/cmd_priv file contains information on which authorizations are required to execute each command binary, or edit each file. It also has the resulting privileges (real, effective UID and GID, fine-grained privileges, compartment) associated with the binary. If the user is required to reauthenticate prior to successful authorization, a PAM service name is specified in this file and indicates how privrun should identify itself to PAM. See pam.conf(4) for more detailed information.

The file contains any number of entries, where each entry is specified on a single line in the following format:

{command|file} : arguments : (operation,object) : ruid/euid/rgid/egid : compartment : privs : pam-service : flags

These fields are defined as follows (field, then description):

command|file

For privrun, the fully qualified path of the command being wrapped to provide additional privileges.

For privedit, the fully qualified path of a file to edit.

This field may contain wildcards as defined in fnmatch(3C).

arguments

The exact set of arguments (matched as a string) the user must invoke. If this field is empty, the command may not be invoked with any arguments. If this field contains the keyword DFLT, the specified command may be invoked with any arguments. This field is only used by privrun and ignored by privedit.

(operation,object)

The operation the user is required to have on the object specified. Together, the (operation,object) forms the authorization. operation must be fully qualified and cannot contain a wild card (*).

An entry of all in object requires that the user has the specified operation on all objects. (Note: This is satisfied by a specification of (operation,*) in the /etc/rbac/role_auth database if RBAC is in use.)

This field may contain the keyword (DFLT, DFLT) instead of (operation,object), which indicates that no access check is required and the command is invoked with privilege for any user.

ruid/euid/rgid/egid

Real/Effective UID/GID. Part of the privileges granted to the wrapped command (process) if the user has the specified authorization. If any of these fields are specified, privrun calls setresuid or setresgid before invoking the command. These fields can also be specified by name, in which case a conversion will be performed at invocation time. This field is only used by privrun and ignored by privedit.

The UID and GID specifications in this field are optional. No ID present indicates the field is to remain unchanged; however, the slash (/) characters separating the IDs must remain.

compartment

The compartment in which to invoke the application. A compartment is an attribute associated with a process that isolates it from other OS processes. If compartments are not enabled on the system, this field should be set to DFLT; leaving it empty may cause an error. Refer to compartments(5) for more information on compartments. This field is only used by privrun and ignored by privedit.

privs

Fine-grained privileges to be associated with command at invocation. These privileges may be used in lieu of UID=0 to perform specific kernel operations. If the field is set to DFLT, basic privileges will be granted to the process. Refer to privileges(5) for more detailed information. This field is only used by privrun and ignored by privedit.

pam-service

Reauthentication service. If specified, the user will be reauthenticated. The privrun command will identify itself to PAM as the service indicated in this field. This allows the security officer to require an additional set of restrictions for particular commands. See pam.conf(4) for a list of PAM services.

The keyword DFLT must be used to indicate that no reauthentication is required.

flags

This field is used by both privrun and privedit. In privrun, there is only one defined flag. If the flag is set to KEEPENV, then none of the environment variables will be scrubbed. For the flag usage in privedit, please see privedit(1M) for more details. DFLT is expected to appear in this field for the privrun command.

White space between each field and immediately surrounding the colon field separator (:) is optional and ignored by the privrun command.

There can be multiple entries in /etc/rbac/cmd_priv with the same command line, each requiring a different authorization and resulting in different privileges. privrun evaluates each entry in the order specified in the file, continuing on to the next only if the user does not have the required authorization. To match a particular entry in /etc/rbac/cmd_priv, use the privrun command options to specify the set of privileges of the desired entry.
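To make the matching rules above concrete, the following is an added Python model (not HP code) of how privrun selects a cmd_priv entry: it parses the colon-separated format, applies the -u/-g/-c/-p filters, and walks the entries in file order until it finds one the user is authorized for. The sample entries and the authorization names (acme.*) are constructed for this illustration.

```python
import fnmatch

# Constructed sample of /etc/rbac/cmd_priv entries (not copied from any system); the field
# order is the one documented above for the database.
CMD_PRIV = """
/usr/sbin/useradd : DFLT : (acme.user.add,all) : /0// : DFLT : DFLT : DFLT : DFLT
/sbin/bar : DFLT : (acme.bar.run,all) : /28//other : testcomp : DFLT : DFLT : DFLT
/sbin/bar : DFLT : (acme.bar.run,all) : /28//other : DFLT : DFLT : DFLT : DFLT
/usr/bin/id : : (DFLT,DFLT) : /// : DFLT : DFLT : DFLT : DFLT
"""
FIELDS = ("cmd", "args", "auth", "ids", "comp", "privs", "pam", "flags")

def parse_cmd_priv(text):
    """Split every entry into its eight colon-separated fields; white space around ':' is ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != len(FIELDS):
            raise ValueError("expected 8 fields: " + line)
        e = dict(zip(FIELDS, fields))
        e["auth"] = tuple(p.strip() for p in e["auth"].strip("()").split(","))
        e["ids"] = e["ids"].split("/")  # [ruid, euid, rgid, egid]; "" means unchanged
        if len(e["auth"]) != 2 or len(e["ids"]) != 4:
            raise ValueError("bad authorization or ID field: " + line)
        entries.append(e)
    return entries

def has_auth(user_auths, auth):
    """(DFLT,DFLT) needs no check; object 'all' is satisfied by (operation,*) held via role_auth."""
    if auth == ("DFLT", "DFLT") or auth in user_auths:
        return True
    return auth[1] == "all" and (auth[0], "*") in user_auths

def resolve(entries, argv, user_auths, euid=None, egid=None, comp=None, privs=None):
    """First entry privrun would act on, or None; -u/-g/-c/-p narrow candidates, unauthorized entries are skipped."""
    args = " ".join(argv[1:])
    for e in entries:
        if not fnmatch.fnmatchcase(argv[0], e["cmd"]):
            continue
        if e["args"] != "DFLT" and e["args"] != args:  # empty field: no arguments allowed
            continue
        if (euid is not None and e["ids"][1] != euid) or (egid is not None and e["ids"][3] != egid):
            continue
        if (comp is not None and e["comp"] != comp) or (
                privs and not set(privs.split(",")) <= set(e["privs"].split(","))):
            continue
        if has_auth(user_auths, e["auth"]):
            return e
    return None
```

With the sample database, resolve(entries, ["/sbin/bar"], auths, euid="28", egid="other") returns the testcomp entry, while euid="29" returns None, mirroring the failure described in the examples below.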

EXTERNAL INFLUENCES

Environment Variables

LC_MESSAGES determines the language in which messages are displayed.

International Code Set Support

Single-byte character code set is supported.

RETURN VALUE

Success

If privrun permitted the user to execute the program, then the return value from privrun will be the return value of the program executed.

Failure

privrun returns a value of 1 and prints an appropriate error message to stderr.

EXAMPLES

Example 1

In the following example, the caller invokes privrun to execute the /usr/sbin/useradd command, with userfoo as the argument to the useradd command.

# privrun /usr/sbin/useradd userfoo

privrun examines the /etc/rbac/cmd_priv database for an entry corresponding to the command /usr/sbin/useradd. If this entry is found, then the necessary authorization is retrieved from that entry. privrun invokes the command if the user has the necessary authorization.

In the following example, the caller wants to change the UID of the calling process to 28 (-u 28), change the GID of the calling process to other (-g other), and execute the command /sbin/bar.

# privrun -u 28 -g other /sbin/bar

If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the associated EUID set to 28 and the EGID set to the EGID corresponding to the group name other, the usual authorization and invocation process occurs. If no such entry exists (even if an entry for /sbin/bar appears with different associated privileges (EUID/EGID)), the privrun command fails and prints an error message.

Example 2

In the following example, the caller wants to execute the command /sbin/bar within compartment testcomp (-c testcomp):

# privrun -c testcomp /sbin/bar

If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the compartment specified as testcomp, then the command /sbin/bar is executed in the testcomp compartment. If no such entry exists (even if an entry for /sbin/bar appears with a different compartment specification), the privrun command fails and prints an error message.

FILES

/etc/rbac/roles

Database containing valid definitions of all roles.

/etc/rbac/auths

Database containing definitions of all valid authorizations.

/etc/rbac/user_role

Database specifying the roles for each specified user.

/etc/rbac/role_auth

Database defining the authorizations for each role.

/etc/rbac/cmd_priv

Database defining the authorization information needed to execute commands and edit files under access control.
