
NOTE: When you use privedit to invoke an editor to edit a file, the editor does not run with any elevated privileges. Because the editor privedit invokes does not run with elevated privileges, any attempted actions, such as shell escapes, run with the user's typical (non-elevated) privilege set.

You can specify which editor privedit uses to edit the file by setting the EDITOR environment variable. If you do not set the EDITOR variable, privedit uses the default editor, vi. You cannot pass arguments to the editor via the privedit command line. However, the editor recognizes and supports editor-specific environment variables if you set them before invoking privedit.

Use a fully qualified file name as a privedit argument to identify which file to edit. If you do not use a fully qualified file name, privedit adds the current working directory to the beginning of the file name you specify. Regardless of how you specify the file to edit, all file names are fully qualified after you invoke privedit. The privedit command also recognizes and supports files that are symbolic links.

The privedit command can edit only one file at a time. If you specify multiple file names as privedit arguments, privedit edits the first file specified and ignores the subsequent file names. The following shows the privedit command syntax:

privedit [option] fully-qualified-file-name [-a (operation, object)] [-v] [-h] [-t] [-x]

The following is a list and brief description of the privedit command options:

-a authorization    Match only the /etc/rbac/cmd_priv file entries that have the specified authorization.

-v    Invokes privedit in verbose mode.

-h    Prints privedit help information.

-t    Checks if the user has the required authorization to edit the file and reports the results.

-x    If the authorization check fails, the file will be edited with the caller's original privileges.

The following is an example of using a privedit command to edit the /etc/default/security file with the specific authorization of (hpux.sec.edit, secfile):

# privedit -a "(hpux.sec.edit, secfile)" /etc/default/security

NOTE: Remember that the flag values for each entry in the cmd_priv database dictate whether or not privedit can edit a file. Refer to “Step 3: Configuring Additional Command Authorizations and Privileges” and the privedit(1m) manpage for more information about flags and using the privedit command.
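
The file-name rules described above (the current working directory is prepended to unqualified names, only the first file is edited, symbolic links are followed, the editor defaults to vi) can be checked before calling privedit. The following is an added example, not part of the HP manual: the function names are hypothetical, and the script only reports what privedit would act on without invoking it.

```shell
#!/bin/sh
# Added example (not from the HP manual). Function names are hypothetical.
# Reports what privedit would act on; it never invokes privedit itself.

# A relative name gets the current working directory prepended, as the text
# describes; a fully qualified name is returned unchanged.
qualify_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$PWD" "$1" ;;
    esac
}

# Follow symbolic links (at most 16 hops) from a fully qualified path and print
# the final target. Parses `ls -ld` because readlink is not available on every
# system; names containing " -> " are not handled.
resolve_link() {
    p=$1; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do
        t=$(ls -ld "$p"); t=${t#* -> }
        case "$t" in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# Findings go to stderr; the one path privedit would edit goes to stdout.
privedit_preflight() {
    [ "$#" -ge 1 ] || { echo "usage: privedit_preflight file" >&2; return 2; }
    target=$(qualify_path "$1"); shift
    for extra in "$@"; do
        echo "ignored: $extra (privedit edits only the first file)" >&2
    done
    real=$(resolve_link "$target")
    [ "$real" = "$target" ] || echo "symlink: $target -> $real" >&2
    echo "editor: ${EDITOR:-vi} (runs without elevated privileges)" >&2
    printf '%s\n' "$target"
}

# Run as a script only when file names are given.
[ "$#" -eq 0 ] || privedit_preflight "$@"
```

The symlink line matters when reviewing a request: the cmd_priv entry and the file actually modified may differ if the named path is a link.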

Customizing privrun and privedit Using the ACPS

The HP-UX RBAC feature provides the ability to customize how privedit and privrun check user authorizations. The ACPS module is a customizable interface that provides responses to applications that must make authorization decisions. The ACPS configuration file, /etc/acps.conf, controls the following aspects of the ACPS:

which modules are consulted for making access decisions

the sequence in which the modules are consulted

the rules for combining module responses to return results to applications

HP UX 11i Role-based Access Control (RBAC) Software manual Customizing privrun and privedit Using the Acps