NAME
     privrun — invoke another application with privileges after performing
     appropriate authorization checks and optionally reauthenticating the user

SYNOPSIS
     privrun [-htx] [-a authorization] [-c compartment] [-g [gid|groupname]]
             [-G [gid|groupname]] [-p privileges] [-u [uid|username]]
             [-U [uid|username]] [-v [-v]] command [args]

DESCRIPTION
     privrun allows a user to run legacy applications with elevated privileges
     according to the authorizations associated with that user. The user
     invokes privrun, specifying the legacy application as command line
     arguments. privrun consults the /etc/rbac/cmd_priv database to determine
     which authorization is required to run the command with additional
     privileges. (The authorization is specified as an operation and a target
     object.) If the user has the necessary authorization, privrun invokes the
     specified command after changing its UID and/or GID as specified in the
     cmd_priv database.

     privrun also allows a command to be run with a specified set of
     fine-grained privileges, and/or in a specified compartment.

     The method used to determine whether the user has the necessary
     authorization is configurable by the system administrator. A module is
     provided that associates a fixed set of authorizations with the user
     based on the user's role. See rbac(5) for more information.

   Options
     privrun recognizes the following options:
     -a authorization
          Match only those entries requiring the specified authorization.
          authorization is defined as (operation,object) pairs in the
          cmd_priv database. The specified authorization must exactly match
          the authorization present in the cmd_priv file (that is,
          wildcarding is not supported).

     -c compartment
          Match only those entries whose compartment field is the specified
          compartment. The specified compartment must exactly match the
          compartment present in the cmd_priv file.

     -g [gid|groupname]
          Match only those entries containing the effective group ID (EGID)
          corresponding to the specified EGID or the EGID associated with the
          group name.

     -G [gid|groupname]
          Match only those entries containing the real group ID (RGID)
          corresponding to the specified RGID or the RGID associated with the
          group name.

     -h   Print privrun usage (help).

     -p privileges
          Match the specified privileges against the privileges in the
          cmd_priv database. When specifying multiple privileges, separate
          each privilege with a comma. Every privilege specified with the -p
          option must have a match in the cmd_priv database.

     -t   Check whether the user has the authorization to execute the command
          and inform the user of the result. The command is not invoked.

     -u [uid|username]
          Match only those entries containing the effective user ID (EUID)
          corresponding to the specified EUID or the EUID associated with the
          user name.

     -U [uid|username]
          Match only those entries containing the real user ID (RUID)
          corresponding to the specified RUID or the RUID associated with the
          user name.

     -v [-v]
          Invoke privrun in verbose mode. The verbose level is increased if
          two -v options are specified; an increased verbose level prints
          more information.

     -x   If the authorization check fails, the program is still executed,
          with the original caller's privileges only.
   Operands
     privrun recognizes the following operands:

     command [args]
          The HP-UX command to run. command should be fully qualified. If it
          is not, privrun uses the current working directory and the PATH
          environment variable to determine the desired command. args
          specifies any arguments that command recognizes.
   The cmd_priv Database
     The /etc/rbac/cmd_priv file contains information on which authorizations
     are required to execute each command binary or edit each file. It also
     holds the resulting privileges (real and effective UID and GID,
     fine-grained privileges, compartment) associated with the binary. If the
     user is required to reauthenticate prior to successful authorization, a
     PAM service name is specified in this file and indicates how privrun
     should identify itself to PAM. See pam.conf(4) for more detailed
     information.

     The file contains any number of entries, where each entry is specified
     on a single line in the following format:

          {command|file}:arguments:(operation,object):ruid/euid/rgid/egid:compartment:privs:pam-service:flags

     These fields are defined as follows:
     Field              Description

     command|file       For privrun, the fully qualified path of the command
                        being wrapped to provide additional privileges. For
                        privedit, the fully qualified path of a file to edit.
                        This field may contain wildcards as defined in
                        fnmatch(3C).

     arguments          The exact set of arguments (matched as a string) the
                        user must invoke. If this field is empty, the command
                        may not be invoked with any arguments. If this field
                        contains the keyword DFLT, the specified command may
                        be invoked with any arguments. This field is only
                        used by privrun and ignored by privedit.

     (operation,object) The operation the user is required to have on the
                        specified object. Together, the (operation,object)
                        pair forms the authorization. operation must be fully
                        qualified and cannot contain a wild card (*). An
                        entry of all in object requires that the user has
                        the specified operation on all objects. (Note: this
                        is satisfied by a specification of (operation,*) in
                        the /etc/rbac/role_auth database if RBAC is in use.)
                        This field may contain the keyword (DFLT,DFLT)
                        instead of (operation,object), which indicates that
                        no access check is required and the command is
                        invoked with privilege for any user.

     ruid/euid/rgid/egid
                        Real/effective UID/GID. Part of the privileges
                        granted to the wrapped command (process) if the user
                        has the specified authorization. If any of these
                        fields are specified, privrun calls setresuid or
                        setresgid before invoking the command. These fields
                        can also be specified by name, in which case a
                        conversion is performed at invocation time. This
                        field is only used by privrun and ignored by
                        privedit.

                        The UID and GID specifications in this field are
                        optional. No ID present indicates the field is to
                        remain unchanged; however, the slash (/) characters
                        separating the IDs must remain.

     compartment        Compartment to invoke the application in. A
                        compartment is an attribute associated with a
                        process to compartmentalize different OS processes.
                        If compartments are not enabled on the system, this
                        field should be set to DFLT. An error may occur if
                        this field is left empty. Refer to compartments(5)
                        for more information on compartments. This field is
                        only used by privrun and ignored by privedit.

     privs              Fine-grained privileges to be associated with command
                        at invocation. These privileges may be used in lieu
                        of UID=0 to perform specific kernel operations. If
                        the field is set to DFLT, basic privileges are
                        granted to the process. Refer to privileges(5) for
                        more detailed information. This field is only used
                        by privrun and ignored by privedit.

     pam-service        Reauthentication service. If specified, the user is
                        reauthenticated. The privrun command identifies
                        itself to PAM as the service indicated in this field.
                        This allows the security officer to require an
                        additional set of restrictions for particular
                        commands. See pam.conf(4) for a list of PAM services.
                        The keyword DFLT must be used to indicate that no
                        reauthentication is required.

     flags              This field is used by both privrun and privedit. In
                        privrun, there is only one defined flag. If the flag
                        is set to KEEPENV, none of the environment variables
                        are scrubbed. For the flag usage in privedit, see
                        privedit(1M) for more details. DFLT is expected to
                        appear in this field for the privrun command.

     White space between each field and immediately surrounding the colon
     field separator (:) is optional and ignored by the privrun command.

     There can be multiple entries in /etc/rbac/cmd_priv with the same
     command line but requiring different authorizations and resulting in
     different privileges. privrun evaluates each entry in the order
     specified in the file, continuing on to the next only if the user does
     not have the required authorization. To match a particular entry in
     /etc/rbac/cmd_priv, use the privrun command options to specify the set
     of privileges for the desired entry.

EXTERNAL INFLUENCES
   Environment Variables
     LC_MESSAGES determines the language in which messages are displayed.

   International Code Set Support
     Single-byte character code sets are supported.

RETURN VALUE
     Success
          If privrun permitted the user to execute the program, the return
          value from privrun is the return value of the program executed.

     Failure
          privrun returns a value of 1 and prints an appropriate error
          message to stderr.
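     The following Python is an added example, not part of this manual page
     or of HP-UX: it parses entries in the cmd_priv format described above,
     reports the entry properties a reviewer would want to audit, and
     reproduces the documented in-order matching against the -u/-g/-c
     constraints. The sample database and the authorization names in it are
     constructed for illustration; IDs are compared as written rather than
     looked up by name.

```python
"""Parse, audit and match /etc/rbac/cmd_priv-style entries (added example, not HP-UX code)."""
import fnmatch
import re

# Constructed sample database in the documented field order; authorization names are made up.
# {command|file}:arguments:(operation,object):ruid/euid/rgid/egid:compartment:privs:pam-service:flags
SAMPLE_CMD_PRIV = """\
/usr/sbin/useradd : DFLT : (example.user.add,*) : /0// : DFLT : DFLT : DFLT : DFLT
/sbin/bar : DFLT : (example.bar.run,all) : /28//other : DFLT : DFLT : DFLT : DFLT
/sbin/bar : DFLT : (example.bar.test,all) : /0// : testcomp : DFLT : DFLT : DFLT
/usr/bin/* : DFLT : (DFLT,DFLT) : /0// : DFLT : DFLT : DFLT : KEEPENV
"""
FIELDS = ("command", "args", "auth", "ids", "compartment", "privs", "pam", "flags")

def parse(text):
    """One dict per line; whitespace around ':' is optional and ignored, as documented."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        m = re.fullmatch(r"\((\S+?)\s*,\s*(\S+?)\)", parts[2]) if len(parts) == 8 else None
        if m is None:
            raise ValueError(f"malformed cmd_priv entry: {line!r}")
        e = dict(zip(FIELDS, parts))
        e["operation"], e["object"] = m.groups()
        e["ruid"], e["euid"], e["rgid"], e["egid"] = e["ids"].split("/")  # the three slashes must remain
        entries.append(e)
    return entries

def audit(e):
    """Properties of one entry a reviewer would flag; whether each is acceptable is local policy."""
    checks = [
        ((e["operation"], e["object"]) == ("DFLT", "DFLT"), "no access check: any user gets the privileges"),
        (any(c in e["command"] for c in "*?["), "wildcard command path matches more than one binary"),
        (e["args"] == "DFLT" and e["euid"] == "0", "arbitrary arguments accepted with euid 0"),
        (e["flags"] == "KEEPENV", "environment is not scrubbed"),
    ]
    return [msg for hit, msg in checks if hit]

def find_entry(entries, command, args, user_auths, euid=None, egid=None, compartment=None):
    """First entry in file order matching command, args and the -u/-g/-c constraints for which
    the user holds the authorization; later entries are tried only when authorization is missing."""
    for e in entries:
        wanted = {"euid": euid, "egid": egid, "compartment": compartment}
        if (not fnmatch.fnmatch(command, e["command"]) or e["args"] not in ("DFLT", args)
                or any(v is not None and e[k] != str(v) for k, v in wanted.items())):
            continue  # not a candidate for this invocation
        op, obj = e["operation"], e["object"]  # object 'all' is satisfied by (operation,*) in role_auth
        if (op, obj) == ("DFLT", "DFLT") or (op, obj) in user_auths or (op, "*") in user_auths:
            return e
    return None  # no candidate, or authorization missing for every candidate: privrun fails
```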
EXAMPLES
   Example 1
     In the following example, the caller invokes privrun to execute the
     /usr/sbin/useradd command, with userfoo as the argument to the useradd
     command.

          # privrun /usr/sbin/useradd userfoo

     privrun examines the /etc/rbac/cmd_priv database for an entry
     corresponding to the command /usr/sbin/useradd. If this entry is found,
     the necessary authorization is retrieved from that entry. privrun
     invokes the command if the user has the necessary authorization.

     In the following example, the caller wants to change the UID of the
     calling process to 28 (-u 28), change the GID of the calling process to
     other (-g other), and execute the command /sbin/bar.

          # privrun -u 28 -g other /sbin/bar

     If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the
     associated EUID set to 28 and the EGID set to the EGID corresponding to
     the group name other, the usual authorization and invocation process
     occurs. If no such entry exists (even if an entry for /sbin/bar appears
     with different associated privileges (EUID/EGID)), the privrun command
     fails and prints an error message.

   Example 2
     In the following example, the caller wants to execute the command
     /sbin/bar within compartment testcomp (-c testcomp):

          # privrun -c testcomp /sbin/bar

     If an /etc/rbac/cmd_priv entry exists for the command /sbin/bar with the
     compartment specified as testcomp, the command /sbin/bar is executed in
     the testcomp compartment. If no such entry exists (even if an entry for
     /sbin/bar appears with a different compartment specification), the
     privrun command fails and prints an error message.

FILES
     /etc/rbac/roles
          Database containing valid definitions of all roles.

     /etc/rbac/auths
          Database containing definitions of all valid authorizations.

     /etc/rbac/user_role
          Database specifying the roles for each specified user.

     /etc/rbac/role_auth
          Database defining the authorizations for each role.

     /etc/rbac/cmd_priv
          Database defining the authorization information needed to execute
          commands and edit files under access control.