lslpcmd Command

Purpose

Lists information about the least-privilege (LP) resources on one or more nodes in a domain.

Syntax

To display LP resource information:
  • On the local node:

    lslpcmd [ –A | resource_name1 [ , resource_name2 , … ] | –R RunCmdName1 [ , RunCmdName2 , … ] ] [-h] [-TV]

  • On all nodes in a domain:

    lslpcmd -a [ –A | resource_name1 [ , resource_name2 , … ] | –R RunCmdName1 [ , RunCmdName2 , … ] ] [-h] [-TV]

  • On a subset of nodes in a domain:

    lslpcmd -n host1 [,host2,…] [ –A | resource_name1 [ , resource_name2 , … ] | –R RunCmdName1 [ , RunCmdName2 , … ] ] [-h] [-TV]

Description

The lslpcmd command displays information about LP resources on one or more nodes in a domain. LP resources are root commands or scripts to which users are granted access based on permissions in the LP access control lists (ACLs). Use this command to display the attributes of one or more LP commands by specifying the resource_name1,[resource_name2,…] parameter. If you omit this parameter, the lslpcmd command lists the names of all of the LP commands. Use the –A flag to list all of the LP commands and all of their attributes and values. Use the –R flag to list one or more LP resources that have a particular RunCmdName value.

The lslpcmd command lists the following information about defined LP resources:
Field Description
Name The name of the LP resource.
CommandPath The fully-qualified path of the LP resource.
Description A description of the LP resource.
Lock The lock setting. Valid values are: 0 (the lock is not set) and 1 (the lock is set).
CheckSum The CheckSum value of the LP resource to which CommandPath points. The LP resource manager assigns a value of 0 if the LP resource does not exist or if the user did not update the CheckSum value after the LP resource was made available.
RunCmdName The LP resource name that is used as a parameter with the runlpcmd command.
FilterScript The path to the filter script.
FilterArg The list of arguments to pass to FilterScript.

This command runs on any node. If you want this command to run on all of the nodes in a domain, use the -a flag. If you want this command to run on a subset of nodes in a domain, use the -n flag. Otherwise, this command runs on the local node.

Flags

-a
Displays information about one or more LP resources on all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable's setting determines the cluster scope. If CT_MANAGEMENT_SCOPE is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope
The lslpcmd command runs once for the first valid scope that the LP resource manager finds. For example, suppose a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not set. In this case, lslpcmd –a runs in the management domain. To run lslpcmd –a in the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
-n host1[,host2,…]
Specifies the node or nodes in the domain on which the LP resource is to be listed. By default, the LP resource is changed on the local node. The –n flag is valid only in a management or peer domain. If the CT_MANAGEMENT_SCOPE variable is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope

The lslpcmd command runs once for the first valid scope that the LP resource manager finds.

–A
Displays all of the LP resources with their attributes and values.
–R
Display all attributes of the LP resources that have the same RunCmdName value.
-h
Writes the command's usage statement to standard output.
-T
Writes the command's trace messages to standard error.
-V
Writes the command's verbose messages to standard output.

Parameters

resource_name1[,resource_name2,...]
Specifies one or more LP resources for which you want to display information.

Security

To run the lslpcmd command, you need:
  • read permission in the Class ACL of the IBM.LPCommands resource class.
  • read permission in the Resource ACL.

    As an alternative, the Resource ACL can direct the use of the Resource Shared ACL if this permission exists in the Resource Shared ACL.

Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.

Exit Status

0
The command has run successfully.
1
An error occurred with RMC.
2
An error occurred with the command-line interface (CLI) script.
3
An incorrect flag was specified on the command line.
4
An incorrect parameter was specified on the command line.
5
An error occurred with RMC that was based on incorrect command-line input.
6
The resource was not found.

Environment Variables

CT_CONTACT
Determines the system that is used for the session with the RMC daemon. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the LP resources that are processed.
CT_MANAGEMENT_SCOPE
Determines the management scope that is used for the session with the RMC daemon to process the LP resources. The management scope determines the set of possible target nodes where the resources can be processed. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.

If this environment variable is not set, local scope is used.

Implementation Specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. When the -V flag is specified, this command's verbose messages are written to standard output.

Standard Error

All trace messages are written to standard error.

Examples

  1. To list the names of all LP resources on the local node, enter: 
    lslpcmd
    The output will look like this: 
    lpcommand1
lpcommand2
  2. To list the names and attributes of all LP resources on the local node, enter: 
    lslpcmd -A
    The output will look like this: 
    Name=lpcommand1
CommandPath=/tmp/my_command
Description=
Lock=1
CheckSum=112
RunCmdName=lpcommand1
FilterScript=
FilterArg=
----------------------------------
Name=lpcommand2
CommandPath=/tmp/cmds/this_command
Description=
Lock=0
CheckSum=0
RunCmdName=lpcommand2
FilterScript=
FilterArg=
----------------------------------
  3. To list the attributes of the LP resource lpcommand1 on the local node, enter: 
    lslpcmd lpcommand1
    The output will look like this: 
    Name=lpcommand1
CommandPath=/tmp/my_command
Description=
Lock=1
CheckSum=100
RunCmdName=lpcommand1
FilterScript=
FilterArg=
  4. To list the attributes of LP resources that have a RunCmdName value of rpower on the local node, enter: 
    lslpcmd -R rpower
    The output will look like this: 
    Name=lpcommand1
CommandPath=/opt/csm/bin/rpower
Description=
Lock=1
CheckSum=112
RunCmdName=rpower
FilterScript=/tmp/test1
FilterArg=node1,node2,node3
-------------------------------
Name=lpcommand2
CommandPath=/opt/csm/bin/rpower
Description=
Lock=0
CheckSum=112
RunCmdName=rpower
FilterScript=/tmp/test1
FilterArg=node4,node5,node6
-------------------------------
⋮

Location

/usr/sbin/rsct/bin/lslpcmd
Contains the lslpcmd command