4 Fine-Grained Privileges

This chapter describes the fine-grained privileges feature of HP-UX 11i Security Containment. This chapter addresses the following topics:

“Overview”

“Fine-Grained Privileges Components”

“Available Privileges”

“Configuring Applications with Fine-Grained Privileges”

“Security Implications of Fine-Grained Privileges”

“Fine-Grained Privileges in HP Serviceguard Clusters”

“Troubleshooting Fine-Grained Privileges”

Overview

The UNIX operating system traditionally uses an "all or nothing" privilege model, in which superusers (those with effective UID=0, such as the root user) have virtually unlimited power, and other users have few or no special privileges.

HP-UX provides several legacy methods of delegating limited powers, including restricted sam(1M), the privilege groups described in privgrp(4), the shutdown.allow file described in shutdown(1M), and the cron.allow file described in crontab(1).

These legacy methods are replaced by the security containment model, including the use of fine-grained privileges and the HP-UX RBAC access control framework.

The HP-UX fine-grained privilege model splits the powers of superusers into a set of privileges. Fine-grained privileges are granted to processes. Each privilege gives the process that holds it the right to use a certain set of restricted services provided by the kernel.

Refer to privileges(5) for more information.

Fine-Grained Privileges Components

The fine-grained privileges feature of HP-UX 11i Security Containment includes files, commands, and manpages. You can use these components to configure and administer fine-grained privileges.

Commands

Table 4-1 “Fine-Grained Privileges Commands” briefly describes the fine-grained privileges commands.

Table 4-1 Fine-Grained Privileges Commands

Command      Description
-----------  -----------
setfilexsec  Sets various security attributes of binary files. The attributes currently include retained privileges, permitted privileges, compartment, and privilege awareness flag.
getfilexsec  Displays security attributes associated with binary executable files. The attributes include retained privileges, permitted privileges, compartment, and privilege awareness flag.
getprocxsec  Displays security attributes of processes. The attributes currently include effective privileges, retained privileges, permitted privileges, and compartment.

HP UX 11i Role-based Access Control (RBAC) Software manual Fine-Grained Privileges Components, Commands