mklpcmd Command

Purpose

Defines a new least-privilege (LP) resource to the resource monitoring and control (RMC) subsystem and specifies user permissions.

Syntax

mklpcmd [-n host] [-l] [-c 0 | 1 | 2 | 3] [-R RunCmdName] [-s FilterScript] [-A FilterArg] [-h] [-TV] resource_name command_path [ID perm] …

Description

The mklpcmd command defines a new LP resource to the resource monitoring and control (RMC) subsystem. An LP resource is a root command or script to which users are granted access based on permissions in the LP access control lists (ACLs). Specify the LP resource using the resource_name parameter. The command_path parameter specifies the command or script that can be run with LP access. Specify the complete path name of the command or the script. If command_path exists when a resource is created, the LP resource manager calculates the CheckSum and assigns the CheckSum attribute value. If command_path does not exist, the LP resource manager assigns 0 as the CheckSum attribute value.

Use the -l flag to lock the LP resource. The resource must be unlocked before it can be deleted. Use the -c flag to specify the control settings of the resource.

You can also use the mklpcmd command to specify permissions for users when you are creating a resource. To do this, you need to have administrator permission on the resources. Administrator permission gives you the ability to set and edit permissions. You can specify multiple user IDs and permissions with this command. See the Examples section for more information.

This command runs on any node. In a management domain or a peer domain, use the -n flag to define the LP resource on the node that is specified by host. Otherwise, this command runs on the local node.

Flags

-n host
Specifies the node in the domain on which the LP resource is to be defined. By default, the LP resource is defined on the local node. The -n flag is valid only in a management or peer domain. If the CT_MANAGEMENT_SCOPE variable is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope

The mklpcmd command runs once for the first valid scope that the LP resource manager finds.

-l
Defines the new LP resource as locked so that it cannot be changed accidentally. The resource cannot be removed from the RMC subsystem until the Lock attribute is unset.

If you do not specify this flag, the new resource is not locked. This is the default.

-c 0 | 1 | 2 | 3
Sets the ControlFlags attribute, which is used to specify the control features for an LP command. If ControlFlags is not specified, it is set to 1 by default. Use this flag to specify one of these values:
0
Does not validate the CheckSum value.
1
Does not validate the CheckSum value. This is the default.
2
Validates the CheckSum value.
3
Validates the CheckSum value.

When an attempt is made to run the LP resource using the runlpcmd command, the value of the ControlFlags attribute determines which checks are performed before running the command represented by the resource.

In this release of RSCT, the ControlFlags attribute value specifies whether the CheckSum value is to be validated.

In previous releases of RSCT, the ControlFlags attribute value also specified whether the presence of certain characters in the input arguments to runlpcmd were to be disallowed. Checking for these characters is no longer necessary.

To maintain compatibility with LP resources that were defined in previous releases of RSCT, the ControlFlags attribute values, with respect to validating the CheckSum value, have remained the same. Consequently, values 0 and 1 indicate that the CheckSum value is not to be validated, and values 2 and 3 indicate that the CheckSum value is to be validated.

-R RunCmdName
Specifies the RunCmdName value for this resource, which will be used as a parameter of the runlpcmd command.
-s FilterScript
Specifies the fully qualified path of the filter script.
-A FilterArg
Specifies a string of arguments to be passed to the filter script.
-h
Writes the command's usage statement to standard output.
-T
Writes the command's trace messages to standard error.
-V
Writes the command's verbose messages to standard output.

Parameters

resource_name
Is the name or identifier of the LP resource that is to be defined to the RMC subsystem.
command_path
Is the complete, fully qualified path name of the command or script.
ID perm
Specifies permissions for users when you are creating a resource. This parameter is optional.
ID
Specifies the user identity for the ACL entry. See the User identities section of the lpacl information for the valid forms of this parameter.
perm
Specifies the user permissions for the ACL entry. This parameter can consist of a combination of any of the following values:
r
Read permission (consists of the q, l, e, and v permissions)
w
Write permission (consists of the d, c, s, and o permissions)
a
Administrator permission
x
Execute permission
q
Query permission
l
Enumerate permission
e
Event permission
v
Validate permission
d
Define and undefine permission
c
Refresh permission
s
Set permission
o
Online, offline, and reset permission
0
No permission
See the User permissions section of the lpacl information for descriptions of these permissions.

Security

  • To run the mklpcmd command with one or more ID:perm parameters, you need:
    • read and write permission in the Class ACL of the IBM.LPCommands resource class.
    • read and administrator permission in the Resource Initial ACL.

      As an alternative, the Resource Initial ACL can direct the use of the Resource Shared ACL if these permissions exist in the Resource Shared ACL.

  • To run the mklpcmd command with no ID:perm parameters, you need write permission in the Class ACL of the IBM.LPCommands resource class.
Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.

Exit Status

0
The command has run successfully.
1
An error occurred with RMC.
2
An error occurred with the command-line interface (CLI) script.
3
An incorrect flag was specified on the command line.
4
An incorrect parameter was specified on the command line.
5
An error occurred with RMC that was based on incorrect command-line input.
6
The resource was not found.

Environment Variables

CT_CONTACT
Determines the system that is used for the session with the RMC daemon. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the LP resources that are processed.
CT_MANAGEMENT_SCOPE
Determines the management scope that is used for the session with the RMC daemon to process the LP resource. The management scope determines the set of possible target nodes where the resource can be processed. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.

If this environment variable is not set, local scope is used.

Implementation Specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. When the -V flag is specified, this command's verbose messages are written to standard output.

Standard Error

All trace messages are written to standard error.

Examples

  1. To create an LP resource called LP1 that points to a command called /tmp/user1/lpcmd1 on the local node, enter:
    mklpcmd LP1 /tmp/user1/lpcmd1
  2. To create an LP resource called LP2 that points to a command called /tmp/my_command1 on nodeB in the management domain, enter:
    mklpcmd -n nodeB LP2 /tmp/my_command1
  3. To create an LP resource called LP3 with ControlFlags set to 3 (which means validate the CheckSum value), enter:
    mklpcmd -c 3 LP3 /tmp/cmd_lp3
  4. To create an LP resource called lp4 that points to /tmp/testscript, has a RunCmdName value of test, a FilterScript value of /tmp/filterscr, and filter arguments node1 and node2, enter:
    mklpcmd -R test -s /tmp/filterscr -A "node1,node2" lp4 /tmp/testscript
  5. To create an LP resource called lp5 that points to /usr/bin/mkrsrc and gives users user1@LOCALHOST and user2@LOCALHOST read, write, and execute permission, enter:
    mklpcmd lp5 /usr/bin/mkrsrc user1@LOCALHOST rwx user2@LOCALHOST rwx
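As an added example (not part of the RSCT documentation or product), a POSIX sh helper that checks the command_path and ID perm arguments described on this page before invoking mklpcmd with CheckSum validation enabled. The lp_define name and the MKLPCMD variable are assumptions; with the default MKLPCMD=echo the helper only prints the command line it would run.

```shell
#!/bin/sh
# Constructed helper (not RSCT code): validate inputs before defining an LP
# resource, then run (or, by default, echo) the resulting mklpcmd invocation.
# MKLPCMD is an assumed variable; point it at /usr/sbin/rsct/bin/mklpcmd on AIX.
MKLPCMD=${MKLPCMD:-echo}

# lp_define RESOURCE COMMAND_PATH [ID PERM]...
# Prints the mklpcmd command line; returns 1 if any input is rejected.
lp_define() {
    name=$1; cmd=$2; shift 2
    # command_path must be the complete, fully qualified path name.
    case "$cmd" in
        /*) ;;
        *)  echo "command_path must be absolute: $cmd" >&2; return 1 ;;
    esac
    # The LP resource manager assigns CheckSum 0 when command_path does not
    # exist at creation time, so refuse to define a resource for a missing file.
    if [ ! -f "$cmd" ]; then
        echo "command_path does not exist: $cmd" >&2; return 1
    fi
    # ID perm arguments come in pairs; perm may only use the lpacl letters.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "ID perm arguments must be given in pairs" >&2; return 1
    fi
    acl=""
    while [ $# -gt 0 ]; do
        case "$2" in
            ""|*[!rwaxqlevdcso0]*) echo "bad permission string: $2" >&2; return 1 ;;
        esac
        acl="$acl $1 $2"; shift 2
    done
    # -c 3: runlpcmd validates the CheckSum before executing the command.
    $MKLPCMD -c 3 "$name" "$cmd"$acl
}
# Usage: lp_define lp5 /usr/bin/mkrsrc user1@LOCALHOST rwx user2@LOCALHOST rwx
```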

Location

/usr/sbin/rsct/bin/mklpcmd
Contains the mklpcmd command