Also be aware that circular role definitions are not allowed. For example, assigning RoleA to RoleB, RoleB to RoleC, and RoleC to RoleA, is not allowed. The authadm command will detect an attempt to perform such a circular definition and will report an error.
Configuring HP-UX RBAC with Fine-Grained Privileges
NOTE: HP-UX RBAC Version B.11.23.01 does not support the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature.
Applications communicate with the system's resources using system calls, as this allows the operating system access to the system's resources. Certain system calls require special, elevated privileges for the application to access the operating system and system hardware. Before the release of the HP-UX 11i Security Containment feature—and specifically the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature—UID=0would satisfy as a special, elevated privilege for certain system calls. If the UID was not 0, the system call was denied and an application error returned.
HP-UX RBAC—and specifically the privrun wrapper command—provide the means for non-root users to acquire the level of special privileges or UID=0 required for running certain applications. In addition to providing UID=0 to a non-root user in certain circumstances to run a particular application, HP-UX RBAC can also use the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature to run applications with additional privileges—but without UID=0.
If the Fine-Grained Privileges component is installed and enabled on the system, you can use HP-UX RBAC to configure commands to run with only a select set of privileges and with different sets of privileges for different users, all without UID=0. For example, an administrator might need to run the foobar command with several privileges, and a normal user might need far fewer privileges to run foobar.
Think of fine-grained privileges as "system call access control check keys." Rather than checking for UID=0, the system call checks for a particular privilege. These fine-grained privileges provide the ability to "lock" system calls and to control application access to the operating system and hardware resources. Also, by splitting privileges into finely-grained privileges, applications do not require all privileges to run—only a specific privilege or set or privileges. Should an application process running with a particular set of privileges be compromised, the potential damage is far less than it would be if the process was running with UID=0.
NOTE: Refer to privileges(5) for more information on the Fine-Grained Privileges component of the HP-UX 11i Security Containment feature.
Use the cmdprivadm command and the privs option to configure commands for privrun to wrap and run only with the specified privileges. The following is an example cmdprivadm command that configures the /usr/bin/ksh command to run with the BASICROOT compound privilege and that requires the (hpux.adm.mount, *) authorization:
# cmdprivadm add cmd=/etc/mount op=hpux.adm.mount object='*' privs=BASICROOT
The preceding cmdprivadm command creates an entry in the /etc/rbac/cmd_priv file as follows:
#-------------------------------------------------------------------------------------------------------- | | | | | | |
# Command | : Args | :Authorizations | :U/GID | :Cmpt | :Privs | :Auth | :Flags |
#---------------- | :-------- | :--------------------- | :------ | :------- | :---------- | :------ | :------------------- |
/etc/mount | :dflt | :(hpux.adm.mount,*) | :/// | :dflt | :BASICROOT | :dflt | : |
After you create the entry using cmdprivadm and using privrun to wrap the
command,/etc/mount will run with the elevated privilege of the BASICROOT compound
