-a Matches only those entries requiring the specified authorization. Authorizations are defined as (operation, object) pairs in the /etc/rbac/cmd_priv database file. The specified authorization must exactly match the authorization in the /etc/rbac/cmd_priv entry; wildcards are not supported.

-c Matches the specified compartment in the /etc/rbac/cmd_priv database file. The specified compartment must exactly match the compartment present in /etc/rbac/cmd_priv.

-p Matches the specified privileges against the privileges in the /etc/rbac/cmd_priv database file. You can specify more than one privilege; when you do, separate each privilege with a comma. Be aware that when you specify a privilege with privrun -p, privrun matches every entry that contains the specified privilege, including groups of privileges and compound privileges that include it. The privrun command then executes according to the first match in /etc/rbac/cmd_priv.

-x Uses a fall-through mode that changes the behavior of privrun only when an authorization or authentication check fails. Instead of exiting with an error message, privrun runs the target command without any additional privileges, exactly as though the user had run the command directly without privrun.

-v Invokes privrun in verbose mode. Specifying -v twice increases the verbose level, which prints more information.

-h Prints privrun help information.

-t Uses a test mode that performs all the normal authorization and authentication checks against the configuration files to determine whether the privrun invocation would succeed. The only difference is that, on success, privrun -t simply returns instead of executing the command. Use it to preview whether a given privrun invocation will succeed.

The following is the most basic privrun usage: wrapping a legacy application. Here the ipfstat command is passed as the privrun command argument so that it runs according to the authorizations associated with the invoking user:

# privrun ipfstat

As long as the logged-in user has the necessary authorization, as defined in /etc/rbac/cmd_priv, the privrun wrapper executes the legacy command with the privileges (UID and GID) defined in the matching /etc/rbac/cmd_priv entry.

Multiple entries can exist for the same command, potentially with different required authorizations and different resulting privileges. In that case, privrun iterates sequentially through the /etc/rbac/cmd_priv database and executes according to the first entry the user is authorized for.

In some cases this is not ideal. For example, all users may be allowed to run the passwd command to change their own password, but a user administrator who runs it needs the privileges to change other users' passwords. If the entry for normal users is listed before the entry for user administrators, it matches first, which prevents user administrators from running the more privileged version.

For cases like this, privrun has options that let the user specify the desired privileges. Only entries matching the specified privileges (for example, the UID) are considered. If no entry matches the desired privileges, privrun returns an error message.

The following is an example invocation of privrun that matches only entries where the effective UID is set to 0:

# privrun -u 0 ipfstat
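The first-match behavior described above, and the effect of narrowing the search with -u and of the -x fall-through, are easy to misjudge when several entries exist for one command. The following is an added example, not HP-UX code or part of the manual: a small shell model of the sequential scan. The database, the two ipfstat entries, the authorization names and the user authorization sets are all constructed for illustration, and the entry format (command:(operation,object):uid/gid) is a deliberately reduced form of the real /etc/rbac/cmd_priv format, which is documented in cmd_priv(4).

```shell
#!/bin/sh
# Added example: simplified model of privrun's first-match lookup.
# Not HP-UX code. The entry format below is a constructed, reduced form of
# /etc/rbac/cmd_priv (command:(operation,object):uid/gid) used only to show
# ordering, the -u filter and the -x fall-through described in the text.
set -f   # no pathname expansion: authorization strings contain '*'

# Constructed database: two entries for the same command, the less
# privileged one listed first, as in the passwd scenario in the text.
CMD_PRIV='/usr/sbin/ipfstat:(hpux.network.filter.readonly,*):101/0
/usr/sbin/ipfstat:(hpux.network.filter.config,*):0/0'

# Constructed users: the (operation,object) pairs each one holds.
OPS_AUTHS='(hpux.network.filter.readonly,*)'
ADMIN_AUTHS='(hpux.network.filter.readonly,*) (hpux.network.filter.config,*)'

# privrun_sim UIDFILTER FALLTHROUGH "AUTHS" COMMAND
#   UIDFILTER   "-" for none, or the uid an entry must grant (models -u)
#   FALLTHROUGH 1 models -x: on authorization failure run unprivileged
#   AUTHS       space-separated (operation,object) pairs the user holds
# Prints "uid/gid command" for the first entry that matches, following the
# sequential scan described in the text; returns 1 when nothing matches.
privrun_sim() {
  uid_filter=$1 fallthrough=$2 user_auths=$3 cmd=$4
  match=$(printf '%s\n' "$CMD_PRIV" | while IFS=: read -r e_cmd e_auth e_ids; do
    [ "$e_cmd" = "$cmd" ] || continue
    # -u: skip entries whose effective uid is not the requested one
    if [ "$uid_filter" != "-" ] && [ "${e_ids%/*}" != "$uid_filter" ]; then
      continue
    fi
    # authorization check: exact string match, no wildcards (as for -a)
    for a in $user_auths; do
      if [ "$a" = "$e_auth" ]; then
        printf '%s %s\n' "$e_ids" "$cmd"
        exit 0    # first match wins; stop scanning
      fi
    done
  done)
  if [ -n "$match" ]; then
    printf '%s\n' "$match"
    return 0
  fi
  if [ "$fallthrough" = 1 ]; then
    # -x fall-through: the target runs as if invoked directly, no privileges
    printf 'unprivileged %s\n' "$cmd"
    return 0
  fi
  printf 'privrun: no matching entry for %s\n' "$cmd" >&2
  return 1
}

# Walk through the cases discussed in the text.
privrun_sim - 0 "$ADMIN_AUTHS" /usr/sbin/ipfstat   # first entry wins: 101/0
privrun_sim 0 0 "$ADMIN_AUTHS" /usr/sbin/ipfstat   # -u 0 skips it: 0/0
privrun_sim 0 1 "$OPS_AUTHS"   /usr/sbin/ipfstat   # -u 0 -x: unprivileged
privrun_sim 0 0 "$OPS_AUTHS"   /usr/sbin/ipfstat || echo "privrun_sim exit status $?"
```

The administrator holds both authorizations, so without a filter the scan stops at the less privileged 101/0 entry even though the 0/0 entry would also have matched; -u 0 skips the first entry and selects the second. The ops user, who holds only the read-only authorization, cannot satisfy any entry once -u 0 is given: with -x the command still runs, but unprivileged, and without -x the invocation fails.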

Using HP-UX RBAC 47

HP-UX 11i Role-based Access Control (RBAC) Software manual