HP UX 11i Role-based Access Control (RBAC) Software manual Troubleshooting HP-UX Rbac


Refer to “HP-UX RBAC Access Control Policy Switch”, and acps.conf(4), acps(3), and rbac(5) for more information about the ACPS.

Troubleshooting HP-UX RBAC

The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX RBAC:

The rbacdbchk utility verifies HP-UX RBAC database syntax.

The privrun -v command reports additional and relevant information.

The rbacdbchk Database Syntax Tool

The most common bugs are caused by manual editing of the HP-UX RBAC databases, resulting in syntactically invalid configurations or in configurations that are inconsistent between databases (for example, a role in /etc/rbac/user_role that is not defined in /etc/rbac/roles). To assist in diagnosing these common mistakes, HP-UX RBAC includes an rbacdbchk command. This command reads through the HP-UX RBAC databases and prints warnings where incorrect or inconsistent configuration entries are found:

# rbacdbchk

[/etc/rbac/user_role] chandrika: UserOperator invalid user

The value 'chandrika' for the Username field is bad.

[/etc/rbac/cmd_priv] /opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt:

invalid command: Not found in the system

The value '/opt/cmd' for the Command field is bad.

[Role in role_auth DB with no assigned user in user_role DB] Rebooter:(hpux.admin.*, *)

[Invalid Role in user_role DB. Role 'UserOperator' assigned to user 'chandrika' does not exist in the roles DB]

On a correctly configured system, the rbacdbchk command produces no output, indicating no errors are present.

privrun -v Information

The second method for detecting issues is to run the privrun command with the -v option (verbose mode). In verbose mode, privrun provides additional information about the entries that the input command matched and the status of the authorization checking, as well as other relevant data. In many cases, this output clarifies the issue causing privrun to fail. Specify the -v option multiple times for additional levels of verbose output. The following is an example of the privrun -v output with the ipfstat command:

# privrun -v /sbin/ipfstat

privrun: user root intends to execute command /sbin/ipfstat

privrun: input entry: '/sbin/ipfstat:dflt:(,):///:dflt:dflt::'

privrun: found matching entry: '/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::'

privrun: passed authorization check

privrun: attempting to set ruid/euid/rgid/egid to 0/0/-1/-1

privrun: current settings for ruid/euid/rgid/egid are 0/0/3/3

privrun: executing: /sbin/ipfstat
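The two diagnostics above (rbacdbchk cross-database consistency warnings, and the privrun -v trace of which cmd_priv entry matched and whether authorization passed) can be reproduced on constructed database text to see exactly what each tool is checking. The following Python is an added example and not HP's code: the four database contents are constructed, the colon-separated field names for cmd_priv and the "key: value" layout of user_role, roles and role_auth are assumptions based on the manual's sample output, and the KNOWN_USERS / KNOWN_COMMANDS sets stand in for the pwd and filesystem lookups rbacdbchk performs on a live system.

```python
import fnmatch

# --- Constructed sample database contents (layouts are assumptions) ---
USER_ROLE = """\
# username: role
root: Administrator
chandrika: UserOperator
"""
ROLES = """\
# role: description
Administrator: full system administration
Rebooter: may reboot the system
"""
ROLE_AUTH = """\
# role: (operation, object)
Administrator: (hpux.*, *)
Rebooter: (hpux.admin.*, *)
"""
CMD_PRIV = """\
# command:args:(operation,object):ruid/euid/rgid/egid:compartment:privs:re-auth:flags
/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::
/opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt:
"""
# Stand-ins for pwd.getpwnam() and os.path.exists(), so the example runs offline.
KNOWN_USERS = {"root"}
KNOWN_COMMANDS = {"/sbin/ipfstat"}


def parse_pairs(text):
    """Parse 'key: value' lines (user_role, roles, role_auth) into (key, value) tuples."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def parse_auth(spec):
    """'(operation, object)' -> ('operation', 'object')."""
    op, _, obj = spec.strip().strip("()").partition(",")
    return op.strip(), obj.strip()


def parse_cmd_priv(text):
    """Split each cmd_priv line into the eight colon-separated fields (assumed names)."""
    names = ["command", "args", "auth", "ids", "compartment", "privs", "reauth", "flags"]
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(names):
            raise ValueError("malformed cmd_priv line: %r" % line)
        entry = dict(zip(names, fields))
        entry["line"] = line
        entries.append(entry)
    return entries


def check_databases():
    """Cross-check the databases the way rbacdbchk does; return a list of warning strings."""
    warnings = []
    user_roles = parse_pairs(USER_ROLE)
    roles = {role for role, _ in parse_pairs(ROLES)}
    assigned = {role for _, role in user_roles}
    for user, role in user_roles:
        if user not in KNOWN_USERS:
            warnings.append("[/etc/rbac/user_role] %s: %s invalid user" % (user, role))
        if role not in roles:
            warnings.append("[Invalid Role in user_role DB. Role '%s' assigned to user '%s' "
                            "does not exist in the roles DB]" % (role, user))
    for role, auth in parse_pairs(ROLE_AUTH):
        if role not in assigned:
            warnings.append("[Role in role_auth DB with no assigned user in user_role DB] "
                            "%s:%s" % (role, auth))
    for entry in parse_cmd_priv(CMD_PRIV):
        if entry["command"] not in KNOWN_COMMANDS:
            warnings.append("[/etc/rbac/cmd_priv] %s invalid command: Not found in the system"
                            % entry["line"])
    return warnings


def authorized(user, operation, obj):
    """True if any role of `user` grants (operation, obj); '*' is a wildcard in the pattern."""
    my_roles = {role for u, role in parse_pairs(USER_ROLE) if u == user}
    for role, auth in parse_pairs(ROLE_AUTH):
        if role in my_roles:
            op_pat, obj_pat = parse_auth(auth)
            if fnmatch.fnmatchcase(operation, op_pat) and fnmatch.fnmatchcase(obj, obj_pat):
                return True
    return False


def privrun_trace(user, command):
    """Mimic privrun -v: report the matching cmd_priv entry and the authorization result."""
    for entry in parse_cmd_priv(CMD_PRIV):
        if entry["command"] == command:
            operation, obj = parse_auth(entry["auth"])
            return {"entry": entry["line"], "ids": entry["ids"],
                    "authorized": authorized(user, operation, obj)}
    return None  # no cmd_priv entry: privrun would refuse to run the command


if __name__ == "__main__":
    for warning in check_databases():
        print(warning)
    print(privrun_trace("root", "/sbin/ipfstat"))
    print(privrun_trace("chandrika", "/sbin/ipfstat"))
```

Run stand-alone, the checker emits the same four classes of warning the manual shows (unknown user, role missing from the roles DB, role_auth role with no user, cmd_priv command not on the system), and the trace shows that root's Administrator role satisfies hpux.network.filter.readstat through the hpux.* wildcard while chandrika, whose only role has no role_auth entry, fails the authorization check.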

50 HP-UX Role-Based Access Control
