HP UX 11i Role-based Access Control (RBAC) Software Configuring HP-UX Rbac with Compartments


fine-grained privilege and without UID=0 if the user has the (hpux.adm.mount, *) authorization.

As described in “Using the privrun Command to Run Applications with Privileges”, the privrun -p option matches only the entries in the /etc/rbac/cmd_priv database file that grant the privileges specified with -p. Be aware that when you specify a privilege with privrun -p, privrun matches every entry that contains the specified privilege, including entries whose privilege list is a group of privileges or a compound privilege that includes the specified privilege. privrun executes according to the first match in /etc/rbac/cmd_priv. For example, the following privrun -p command matches all of the /etc/rbac/cmd_priv entries listed after it:

The command:

# privrun -p MOUNT /etc/mount

matches the following /etc/rbac/cmd_priv entries:

#--------------------------------------------------------------------------------------------
# Command   : Args :Authorizations     :U/GID :Cmpt :Privs                          :Auth :Flags
#-----------:------:-------------------:------:-----:-------------------------------:-----:-----
/etc/mount  :dflt  :(hpux.adm.mount,*) :///   :dflt :PRIV_CHOWN, MOUNT              :dflt :
/etc/mount  :dflt  :(hpux.*,nfs)       :///   :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount  :dflt  :(hpux.adm.*,*)     :///   :dflt :BASICROOT                      :dflt :

NOTE: The privrun -p MOUNT /etc/mount command matches the BASICROOT privilege because the MOUNT simple privilege is part of the predefined BASICROOT compound privilege. Refer to the privileges(5) manpage for more information about simple and compound privileges.

IMPORTANT: The sequence of the entries in /etc/rbac/cmd_priv is important because privrun will execute according to the first explicit match it finds. In the preceding example, while all three entries are considered matches to the privrun command, privrun would execute the first entry. Keep the sequence of the entries in mind when configuring commands and authorizations. The cmdprivadm tool adds entries to the bottom of the /etc/rbac/cmd_priv file.

NOTE: Use only the cmdprivadm command to configure fine-grained privileges for commands—do not edit the /etc/rbac/cmd_priv database file without using cmdprivadm.

To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete the entry and then add the updated version back in. When you use cmdprivadm to delete entries, arguments act as filters. For example, specifying the cmdprivadm delete op=foo command removes all entries in which the operation is foo. As a result of this, when you use cmdprivadm to delete entries, be careful to ensure that you specify sufficient arguments to uniquely identify the entries to be removed.
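The following is an added example, not HP-UX code or part of this manual. It models two behaviors described above: how privrun -p selects an entry (every entry for the command whose Privs field grants the requested privilege, directly or through a compound privilege, with the first such entry in file order being the one executed), and how the arguments to cmdprivadm delete act as filters. The cmd_priv sample is the three-entry table shown above, embedded as constructed input. The compound-privilege table is an assumption limited to what the page states (MOUNT is a member of BASICROOT); the real membership is defined in privileges(5). The filter keywords used by cmdprivadm_delete are the model's own field names, not cmdprivadm's option syntax.

```python
"""Model of privrun -p entry selection and cmdprivadm delete filtering.

Added example for this page; it is not HP-UX code. The database text is
the sample from the page, and COMPOUND_PRIVS is an illustrative subset:
the page states only that BASICROOT contains MOUNT (see privileges(5)).
"""
from dataclasses import dataclass

# Constructed sample: the three entries shown on this page.
# Field order is Command:Args:Authorizations:U/GID:Cmpt:Privs:Auth:Flags
SAMPLE_CMD_PRIV = """\
#-----------------------------------------------------------------------
# Command   :Args :Authorizations     :U/GID :Cmpt :Privs                          :Auth :Flags
/etc/mount  :dflt :(hpux.adm.mount,*) :///   :dflt :PRIV_CHOWN, MOUNT              :dflt :
/etc/mount  :dflt :(hpux.*,nfs)       :///   :dflt :MOUNT, PRIV_RTPRIO, PRIV_MLOCK :dflt :
/etc/mount  :dflt :(hpux.adm.*,*)     :///   :dflt :BASICROOT                      :dflt :
"""

# Assumption: compound privileges expand to sets of simple privileges.
# Only the MOUNT-in-BASICROOT membership is stated by the page.
COMPOUND_PRIVS = {
    "BASICROOT": {"MOUNT"},
}

FIELDS = ("command", "args", "auth", "ugid", "cmpt", "privs", "reauth", "flags")


@dataclass
class Entry:
    lineno: int          # position in the file; privrun picks the first match
    command: str
    args: str
    auth: str
    ugid: str
    cmpt: str
    privs: frozenset     # simple and/or compound privilege names
    reauth: str
    flags: str


def parse_cmd_priv(text):
    """Parse cmd_priv text into Entry objects, preserving file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        privs = frozenset(p.strip() for p in parts[5].split(",") if p.strip())
        entries.append(Entry(lineno, *parts[:5], privs, *parts[6:]))
    return entries


def expand_privs(privs):
    """Expand compound privileges into the simple privileges they contain."""
    simple = set()
    for p in privs:
        simple |= COMPOUND_PRIVS.get(p, {p})
    return simple


def privrun_matches(entries, command, wanted):
    """All entries 'privrun -p WANTED COMMAND' treats as matches: same command,
    and the Privs field grants every requested privilege, directly or via a
    compound privilege. Returned in file order."""
    wanted = set(wanted)
    return [e for e in entries
            if e.command == command and wanted <= expand_privs(e.privs)]


def privrun_select(entries, command, wanted):
    """The entry privrun actually executes: the first match, or None."""
    matches = privrun_matches(entries, command, wanted)
    return matches[0] if matches else None


def cmdprivadm_delete(entries, **filters):
    """Model of 'cmdprivadm delete': each argument is a filter, and every
    entry satisfying all of them is removed. Returns (kept, removed).
    Filter names are Entry field names; this is not cmdprivadm's syntax."""
    def hit(e):
        return all(getattr(e, k) == v for k, v in filters.items())
    removed = [e for e in entries if hit(e)]
    kept = [e for e in entries if not hit(e)]
    return kept, removed


if __name__ == "__main__":
    db = parse_cmd_priv(SAMPLE_CMD_PRIV)
    for e in privrun_matches(db, "/etc/mount", ["MOUNT"]):
        print(f"line {e.lineno}: auth={e.auth} privs={sorted(e.privs)}")
    chosen = privrun_select(db, "/etc/mount", ["MOUNT"])
    print("privrun executes the entry on line", chosen.lineno)
    kept, removed = cmdprivadm_delete(db, command="/etc/mount")
    print(f"delete filtered only on the command removes {len(removed)} entries")
```

Run as a script, the model lists all three /etc/mount entries as matches for -p MOUNT (the third only because BASICROOT expands to include MOUNT) and reports the first as the one executed; a delete filtered only on the command removes all three entries, while adding the authorization as a second filter narrows it to one.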

Configuring HP-UX RBAC with Compartments

NOTE: HP-UX RBAC version B.11.23.01 does not support the Compartments component of the HP-UX 11i Security Containment feature.

HP-UX RBAC can also use the Compartments component of the HP-UX 11i Security Containment feature to configure applications to run in a particular compartment. With the Compartments component you can logically partition a system into compartments so that a process cannot communicate or access resources outside of its compartment (unless a compartment rule is set up to allow this).

Configuring HP-UX RBAC 43
