“Values in effect currently:” |
| |
write lock | protection (IBAC): | enabled |
protection | mode: | restricted |
If either of the above settings are not in effect, IBAC policy enforcement can be enabled with:
%wlisyspolicyAccess to all other executables is denied:
%/usr/bin/more /tmp/secret/tmp/secret: Permission denied
%/usr/bin/head /tmp/secret/tmp/secret: Permission denied
Any user with read permission on /tmp/secret can read it:
%cat /tmp/secrethi there
C.4.4 Disabling an IBAC policy
After reboot of the system, the final task for WLI configuration, WLI is in the highest security state. To disable IBAC policy enforcement:
1.The administrator removes
%wlisyspolicy
The wlisyspolicy command returns a message indicating a reboot is necessary for the security downgrade to be in effect if the downgrade attribute has value deferred.
2.The administrator removes key /home/usr1/usr.pub authorization:
% wlicert
C.4.5 Removing an IBAC policy
To remove an IBAC policy as user:
%wlipolicyTo remove an IBAC policy as administrator:
%wlipolicy56 Quick setup examples