Purpose
Defines a new least-privilege (LP)
resource to the resource monitoring and control (RMC) subsystem and
specifies user permissions.
Syntax
mklpcmd [-n host] [-l] [-c 0 | 1 | 2 | 3] [-R RunCmdName] [-s FilterScript] [-A FilterArg] [-h] [-TV] resource_name command_path [ID perm] …
Description
The mklpcmd command defines a new LP resource to the resource monitoring and control (RMC) subsystem. An LP resource is a root command or script to which users are granted access based on permissions in the LP access control lists (ACLs). Specify the LP resource using the resource_name parameter. The command_path parameter specifies the command or script that can be run with LP access. Specify the complete path name of the command or the script. If command_path exists when a resource is created, the LP resource manager calculates the CheckSum and assigns the CheckSum attribute value. If command_path does not exist, the LP resource manager assigns 0 as the CheckSum attribute value.
Use the -l flag to lock the LP resource. The resource must be unlocked before it can be deleted. Use the -c flag to specify the control settings of the resource.
You can also use the mklpcmd command to specify permissions for users when you are creating a resource. To do this, you need to have administrator permission on the resources. Administrator permission gives you the ability to set and edit permissions. You can specify multiple user IDs and permissions with this command. See the Examples section for more information.
This command runs on any node. In a management domain or a peer domain, use the -n flag to define the LP resource on the node that is specified by host. Otherwise, this command runs on the local node.
Flags
- -n host
- Specifies the node in the domain on which the LP resource is to be defined. By default, the LP resource is defined on the local node. The -n flag is valid only in a management or peer domain. If the CT_MANAGEMENT_SCOPE variable is not set, the LP resource manager uses scope settings in this order:
- The management domain, if it exists
- The peer domain, if it exists
- Local scope
The mklpcmd command runs once for the first valid scope that the LP resource manager finds.
- -l
- Defines the new LP resource as locked so that it cannot be changed accidentally. The resource cannot be removed from the RMC subsystem until the Lock attribute is unset. If you do not specify this flag, the new resource is not locked. This is the default.
- -c 0 | 1 | 2 | 3
- Sets the ControlFlags attribute, which is used to specify the control features for an LP command. If ControlFlags is not specified, it is set to 1 by default. Use this flag to specify one of these values:
- 0
- Does not validate the CheckSum value.
- 1
- Does not validate the CheckSum value. This is the default.
- 2
- Validates the CheckSum value.
- 3
- Validates the CheckSum value.
When an attempt is made to run the LP resource using the runlpcmd command, the value of the ControlFlags attribute determines which checks are performed before running the command represented by the resource. In this release of RSCT, the ControlFlags attribute value specifies whether the CheckSum value is to be validated.
In previous releases of RSCT, the ControlFlags attribute value also specified whether the presence of certain characters in the input arguments to runlpcmd were to be disallowed. Checking for these characters is no longer necessary. To maintain compatibility with LP resources that were defined in previous releases of RSCT, the ControlFlags attribute values, with respect to validating the CheckSum value, have remained the same. Consequently, values 0 and 1 indicate that the CheckSum value is not to be validated, and values 2 and 3 indicate that the CheckSum value is to be validated.
- -R RunCmdName
- Specifies the RunCmdName value for this
resource, which will be used as a parameter of the runlpcmd command.
- -s script_path
- Specifies the fully-qualified path of the filter script.
- -A argument
- Specifies a string of arguments to be passed to the filter script.
- -h
- Writes the command's usage statement to standard output.
- -T
- Writes the command's trace messages to standard error.
- -V
- Writes the command's verbose messages to standard output.
Parameters
- resource_name
- Is the name or identifier of the LP resource that is to be defined to the RMC subsystem.
- command_path
- Is the complete, fully-qualified path name of the command or script.
- ID perm …
- Specifies permissions for users when you are creating a resource. This parameter is optional.
- ID
- Specifies the user identity for the ACL entry. See the User identities section of the lpacl information for the valid forms of this parameter.
- perm
- Specifies the user permissions for the ACL entry. This parameter can consist of a combination of any of the following values:
- r
- Read permission (consists of the q, l, e, and v permissions)
- w
- Write permission (consists of the d, c, s, and o permissions)
- a
- Administrator permission
- x
- Execute permission
- q
- Query permission
- l
- Enumerate permission
- e
- Event permission
- v
- Validate permission
- d
- Define and undefine permission
- c
- Refresh permission
- s
- Set permission
- o
- Online, offline, and reset permission
- 0
- No permission
See the User permissions section of the lpacl information for descriptions of these permissions.
Security
- To run the mklpcmd command with one or more ID:perm parameters, you need:
- To run the mklpcmd command with no ID:perm parameters, you need write permission in the Class ACL of the IBM.LPCommands resource class.
Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.
Exit Status
- 0
- The command has run successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with the command-line interface (CLI) script.
- 3
- An incorrect flag was specified on the command line.
- 4
- An incorrect parameter was specified on the command line.
- 5
- An error occurred with RMC that was based on incorrect command-line input.
- 6
- The resource was not found.
Environment Variables
- CT_CONTACT
- Determines the system that is used for the session with the RMC daemon. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the LP resources that are processed.
- CT_MANAGEMENT_SCOPE
- Determines the management scope that is used for the session with the RMC daemon to process the LP resource. The management scope determines the set of possible target nodes where the resource can be processed. The valid values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If this environment variable is not set, local scope is used.
Implementation Specifics
This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.
Standard Output
When the -h flag is specified, this command's usage statement is written to standard output. When the -V flag is specified, this command's verbose messages are written to standard output.
Standard Error
All trace messages are written to standard error.
Examples
- To create an LP resource called LP1 that points to a command called /tmp/user1/lpcmd1 on the local node, enter:
mklpcmd LP1 /tmp/user1/lpcmd1
- To create an LP resource called LP2 that points to a command called /tmp/my_command1 on nodeB in the management domain, enter:
mklpcmd -n nodeB LP2 /tmp/my_command1
- To create an LP resource called LP3 with ControlFlags set to 3 (which means verify the CheckSum value), enter:
mklpcmd -c 3 LP3 /tmp/cmd_lp3
- To create an LP resource called lp4 that points to /tmp/testscript, has a RunCmdName value of test, a FilterScript value of /tmp/filterscr, and filter arguments node1 and node2, enter:
mklpcmd -R test -s /tmp/filterscr -A "node1,node2" lp4 /tmp/testscript
- To create an LP resource called lp5 that points to /usr/bin/mkrsrc and gives users user1@LOCALHOST and user2@LOCALHOST read, write, and execute permission, enter:
mklpcmd lp5 /usr/bin/mkrsrc user1@LOCALHOST rwx user2@LOCALHOST rwx
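The examples above show single invocations. The following wrapper is an added example, not part of the IBM reference and not RSCT code: it checks the inputs against the rules this page states before calling mklpcmd. It rejects a relative command_path (the page requires a complete path name), refuses a command_path that does not yet exist (the LP resource manager would then record a CheckSum of 0, so ControlFlags 2 or 3 would have no integrity baseline to validate against), restricts ControlFlags to 0 through 3, and checks that every perm string uses only the permission letters listed in the Parameters section. The function names build_mklpcmd, define_lp_resource and perm_ok, and the LP_DRY_RUN variable, are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the IBM mklpcmd reference): validate inputs against
# the rules the reference states, then build or run the mklpcmd command line.

# perm_ok PERM -> 0 if PERM is non-empty and uses only the documented
# permission letters r w a x q l e v d c s o and the value 0.
perm_ok() {
    _p=$1
    [ -n "$_p" ] || return 1
    case "$_p" in
        *[!rwaxqlevdcso0]*) return 1 ;;
    esac
    return 0
}

# build_mklpcmd RESOURCE COMMAND_PATH CONTROLFLAGS [ID PERM]...
# Validates the arguments and prints the mklpcmd command line on stdout.
# Returns 2 and prints a reason on stderr when an argument is invalid.
build_mklpcmd() {
    _res=$1; _cmd=$2; _cf=$3; shift 3
    # The reference requires the complete path name of the command or script.
    case "$_cmd" in
        /*) ;;
        *) echo "command_path must be an absolute path: $_cmd" >&2; return 2 ;;
    esac
    # A missing file gets CheckSum 0 at creation time, so checksum validation
    # (ControlFlags 2 or 3) would have nothing to compare against.
    if [ ! -e "$_cmd" ]; then
        echo "command_path does not exist; CheckSum would be 0: $_cmd" >&2
        return 2
    fi
    case "$_cf" in
        0|1|2|3) ;;
        *) echo "ControlFlags must be 0, 1, 2 or 3: $_cf" >&2; return 2 ;;
    esac
    # ID and perm are given in pairs; each perm must use documented letters.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "ID and perm must be given in pairs" >&2
        return 2
    fi
    _acl=""
    while [ $# -gt 0 ]; do
        perm_ok "$2" || { echo "invalid perm '$2' for ID $1" >&2; return 2; }
        _acl="$_acl $1 $2"
        shift 2
    done
    printf 'mklpcmd -c %s %s %s%s\n' "$_cf" "$_res" "$_cmd" "$_acl"
}

# define_lp_resource: same arguments as build_mklpcmd. Prints the command
# line when LP_DRY_RUN=1; otherwise runs mklpcmd (installed by RSCT in
# /usr/sbin/rsct/bin, which must be in PATH) with the arguments unchanged.
define_lp_resource() {
    _line=$(build_mklpcmd "$@") || return $?
    if [ "${LP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$_line"
        return 0
    fi
    _res=$1; _cmd=$2; _cf=$3; shift 3
    mklpcmd -c "$_cf" "$_res" "$_cmd" "$@"
}

# Constructed usage: a resource with CheckSum validation and two ACL entries.
# LP_DRY_RUN=1 define_lp_resource LP3 /tmp/cmd_lp3 3 user1@LOCALHOST rwx user2@LOCALHOST rx
```

Set LP_DRY_RUN=1 to see the exact command line the wrapper would run; without it, the arguments are passed straight to mklpcmd, so the page's own semantics (scope from CT_MANAGEMENT_SCOPE, node selection with -n) are unchanged.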
Location
- /usr/sbin/rsct/bin/mklpcmd
- Contains the mklpcmd command