<pubkey> Public key being authorized
For example, user adm uses administrator key /home/adm/adm.pvt to authorize /home/usr1/usr.pub as a WLI user key:
%wlicert
C.3 FLAC policies
A FLAC policy prevents a regular file or directory from being modified, deleted, or renamed. It also prevents changes to ownership and permission bits, modification time, and other persistent information associated with the file. These restrictions apply to all users, including the root user. A file is locked when it has a FLAC policy that WLI is actively enforcing. A user must own a file to assign it a FLAC policy.
C.3.1 Creating a FLAC policy
In this example, the file /tmp/passwd is locked. The administrator private key is /home/adm/adm.pvt. The user private key file is /home/usr1/usr.pvt. The user public key file is /home/usr1/usr.pub. To generate the FLAC policy:
%wlipolicy
A prompt appears for the passphrase for /home/usr1/usr.pvt.
C.3.2 Enabling a FLAC policy
If /home/usr1/usr.pvt is authorized as a WLI user key, as in the example in Section C.2.2 (page 53), no further action is necessary. The key can be authorized after policy generation with the identical command:
%wlicert
A prompt appears for the passphrase for /home/adm/adm.pvt.
C.3.3 Testing a FLAC policy
In this example, the FLAC policy created and enabled in the previous sections is tested. Verify that the system policy enforces FLAC:
%wlisyspolicy -g
The returned messages must include:
Values in effect currently:
write lock protection (FLAC): enabled
protection mode: restricted
If either or both of the above settings are not in effect,
%wlisyspolicy
No user, including root, can modify, rename, or delete /tmp/passwd:
%mv /tmp/passwd /tmp/x
mv: /tmp/x: rename: Permission denied
%rm /tmp/passwd
/tmp/passwd: 666 mode ? (y/n) y
rm: /tmp/passwd not removed. Permission denied
%echo hello >> /tmp/passwd
ksh: /tmp/passwd: cannot create
Any user with read permission on the file can still read its content:
%cat /tmp/passwd
hi there
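The checks in this section can be scripted. The following is an added example, not part of the WLI guide; it assumes wlisyspolicy -g prints the "Values in effect currently" lines quoted above, and that the file probe runs as a user who has write permission on the file, so that a refused append can only mean a lock.

```sh
#!/bin/sh
# Added example (not from the HP-UX WLI guide): scripted form of the
# Section C.3.3 test. Assumes "wlisyspolicy -g" prints the lines shown above.

# flac_enforced: read "wlisyspolicy -g" output on stdin and exit 0 only when
# both "write lock protection (FLAC): enabled" and "protection mode: restricted"
# appear in the "Values in effect currently" block.
flac_enforced() {
    awk '
        /Values in effect currently:/                                { in_block = 1; next }
        in_block && /write lock protection \(FLAC\):/ && /enabled/   { wl = 1 }
        in_block && /protection mode:/ && /restricted/               { pm = 1 }
        END { exit !(wl && pm) }
    '
}

# flac_locked FILE: non-destructive probe of one file. Opening for append with
# nothing to write is refused on a FLAC-locked file (the "cannot create" error
# shown above) but leaves an unlocked, writable file unchanged.
# Exit 0 = append refused (locked, or otherwise unwritable); 1 = not locked.
flac_locked() {
    if ( : >> "$1" ) 2>/dev/null; then
        return 1
    fi
    return 0
}

# check_flac FILE: what an operator would run. First confirm that WLI is
# enforcing FLAC at all, then probe the file. Exit 0 only if it is locked.
check_flac() {
    if ! wlisyspolicy -g | flac_enforced; then
        echo "FLAC enforcement is not in effect; set the system policy with wlisyspolicy first" >&2
        return 2
    fi
    if flac_locked "$1"; then
        echo "$1: locked (append refused)"
        return 0
    fi
    echo "$1: NOT locked (append succeeded)" >&2
    return 1
}
```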
54 Quick setup examples