To meet file permission bits requirements (DAC restrictions), the user must have root authority to modify tar with wlisign. The command is signed with the administrator key:

% su root

# wlisign -a -k adm1.pvt /usr/bin/tar

The wmd capability is not granted to /usr/bin/tar. Only the key authorizing execution of wliwrap must be granted wmd capability. File permission bits restrictions (DAC permissions) on /usr/bin/tar must be met for wlisign; therefore, the signing was executed by the root user.

Signing tar with an administrator key is required because it executes as a child process of wliwrap. If tar is signed by a WLI key without administrator privilege, wmd capability is not granted through wliwrap.

The key authorizing wliwrap execution must have wmd capability. The key can be granted wmd before or after the signing, but must be granted wmd before tar executes as a child process of wliwrap. To grant wmd to key adm1.pvt:

% wlicert -s -c wli.admin1 -o wmd -k adm1.pvt

In Example B-1 (page 49), all capabilities are granted to adm1.pvt, but only the capabilities granted in the previous command are necessary. The backup can now be generated because wmd is granted through key adm1.pvt.

% wliwrap -k adm1.pvt -o wmd "/tar -cvf tartest.tar /tmp/tartest"

wliwrap: process capability wmd set
wliwrap: executing command: tar -cvf tartest.tar /tmp/tartest
a ./tartest/tfile1 1 blocks
a ./tartest/tfile2 1 blocks
a ./tartest/tfile3 1 blocks
a ./tartest/.$WLI_POLICY$/tfile1 4 blocks
a ./tartest/.$WLI_POLICY$/tfile2 4 blocks
a ./tartest/.$WLI_POLICY$/tfile3 4 blocks

The wmd capability granted to the executing process overrides any IBAC, allowing tar to read all files. Granting an IBAC policy to any file to allow the backup to proceed is not necessary.

Protected files and associated metadata files are now stored on the archive tartest.tar. The .$WLI_POLICY$ entries appear in the listing because either the metadata storage type is pseudo or the file system is not VxFS 5.0.1 or later. If VxFS named data streams are used for metadata storage, the .$WLI_POLICY$ directory and its files do not appear. For details on setting metadata storage type, see wlisys(1M).
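As an added example (not part of the HP guide), the shell function below reads a tar -cv listing like the one above and reports which archived files have a matching .$WLI_POLICY$ entry, so a backup missing its metadata is noticed before it is relied on. It assumes pseudo metadata storage, the dir/.$WLI_POLICY$/name layout seen in the listing above, and listing lines of the form "a PATH N blocks"; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP code. Assumes pseudo metadata storage, where the
# metadata for dir/name is archived as dir/.$WLI_POLICY$/name.

# Reads "tar -cv" lines ("a PATH N blocks") on stdin and prints one of:
#   OK PATH      file with a metadata entry in the archive
#   NOMETA PATH  file with no metadata entry (unprotected, or metadata lost)
#   ORPHAN PATH  metadata entry whose data file is not in the archive
wli_pair_report() {
    awk -v meta='.$WLI_POLICY$' '
    $1 == "a" && $NF == "blocks" {
        # The path is everything between the leading "a " and " N blocks".
        path = $0
        sub(/^a /, "", path)
        sub(/ [0-9]+ blocks$/, "", path)
        n = split(path, part, "/")
        if (n >= 2 && part[n-1] == meta) {
            # dir/.$WLI_POLICY$/name describes dir/name
            owner = ""
            for (i = 1; i <= n - 2; i++) owner = owner part[i] "/"
            has_meta[owner part[n]] = path
        } else {
            order[++count] = path
            is_file[path] = 1
        }
    }
    END {
        for (i = 1; i <= count; i++) {
            status = (order[i] in has_meta) ? "OK" : "NOMETA"
            print status, order[i]
        }
        for (f in has_meta)
            if (!(f in is_file)) print "ORPHAN", has_meta[f]
    }'
}

# Constructed sample listing: two protected files and one file without metadata.
sample_listing() {
    cat <<'EOF'
a ./tartest/tfile1 1 blocks
a ./tartest/tfile2 1 blocks
a ./tartest/notes.txt 1 blocks
a ./tartest/.$WLI_POLICY$/tfile1 4 blocks
a ./tartest/.$WLI_POLICY$/tfile2 4 blocks
EOF
}

sample_listing | wli_pair_report
```

A NOMETA line is expected for files that were never policy protected; it needs attention only when the file is known to carry a WLI policy.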

The administrator key is used to authorize wliwrap execution and grant wmd capability to the tar child process in this example. This is done only for convenience because it is likely the same user would sign the backup command and generate backups. A WLI user key without administrator authority is sufficient to authorize wliwrap execution.

The tar command is executed with the effective user ID of the login user in this example. The owner and group IDs of the generated archive match the login values of owner and group, as if tar is executed directly.

This preparation for backing up policy protected files can be applied to backing up non-ELF binary executables with associated metadata in .$WLI_SIGNATURE$ directories. A .$WLI_FSPARMS$ file can also be backed up. This procedure can be applied to backing up an entire file system containing policy protected files and signed executables.

Example B-3 Restoring policy protected files

HP recommends using wliwrap to back up and restore policy protected files and associated metadata. Granting permanent wmd capability to a command with wliwrap is not necessary, as demonstrated in Example B-2 (page 49).

This example demonstrates how to restore the backup archive generated in Example B-2 (page 49). As with the generation of the archive, the WLI security mode is restricted so all WLI file access policies are enforced. Guidelines for the server do not allow security to be downgraded at any time.
