rolerpt Command

Purpose

Reports the security capabilities of roles.

Syntax

rolerpt [-R <load_module>] [-C] [-c | -f] { "ALL" | role1, role2, ... | -a }

rolerpt [-R <load_module>] [-C] [-u] { "ALL" | role1, role2, ... }

Description

The rolerpt command reports capability information of roles such as privileged commands, privileged files, and user information.

Any one of the -c, -f, or -u flags can be specified. When the -c flag is specified, the privileged commands in the /etc/security/privcmds database that can be executed by virtue of the roles are listed. When the -f flag is specified, the privileged files in the /etc/security/privfiles database that can be accessed by users assigned the roles are listed. When the -u flag is specified, the users having the roles are listed. The -u flag can be used only by the root user or a privileged user authorized for the rolerpt command. Only the root user or a user with the aix.security.role.list authorization can view reports that display capabilities for roles they do not hold. When no flag is specified, all the capability information for the roles (commands, privileged files, and user information) is displayed. The -a flag specifies that only the capabilities of the currently active roles are displayed. The -u flag cannot be used with the -a flag. The root user or the authorized user can specify the ALL keyword to display capabilities for all the roles on the system.

As input, this command takes the -a flag (specifying the active roles), the ALL keyword, or a comma-separated list of role names. When no role name is specified, all the capability information (commands, privileged files, and user information) associated with the roles of the invoker is displayed.

Flags

Item  Description
-c    Specifies that a report of the privileged commands executable by the roles is to be obtained.
-f    Specifies that a report of the privileged files accessible to the roles is to be obtained.
-u    Specifies that a report of the authorized users assigned to the roles is to be obtained.
-a    Specifies that a report on the capabilities of the active roles only is to be obtained.
-R    Specifies the loadable module from which to obtain the report of role capabilities.
-C    Displays the role attributes in colon-separated records, as shown in the following example:
#role:attribute1:attribute2: ...
role1:value1:value2: ...
role2:value1:value2: ...

Exit status

Item  Description
0     Successful completion.
>0    An error occurred.

Security

Access Control: This command should grant execute (x) access to all users. The -u flag can be used only by the root user or by authorized users with the aix.security.role.list or aix.security.user.list authorization. Only root or a user with the aix.security.role.list authorization can specify the ALL keyword and view reports of the capabilities of roles they do not hold.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, review the Privileged Command Database topic. For a list of the privileges and authorizations associated with this command, review the lssecattr command or the getcmdattr subcommand.

Files:
  • /etc/security/roles
  • /etc/security/authorizations
  • /etc/security/privcmds
  • /etc/security/privfiles

Examples

  1. To report the commands associated with the role ManageAllUsers, run the following command:
     rolerpt -c ManageAllUsers
  2. To report the capabilities of the active roles, i.e., the authorization, command, and privileged file information, run the following command:
     rolerpt -a
  3. To report all capabilities of the role ManageAllUsers in colon-separated format, run the following command:
     rolerpt -C ManageAllUsers
     Information similar to the following appears:
     #role:commands:privfiles:users
     ManageAllUsers:/usr/bin/lsuser,/usr/bin/mkuser:/var/adm/sulog:Bob,Simon
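The colon-separated records produced by -C are convenient for RBAC audits. The following shell functions are an added example, not part of the rolerpt documentation: they read rolerpt -C output on standard input and answer two review questions, which users obtain a given privileged command through which role, and which roles grant commands but are assigned to nobody. The report text is constructed here so the script runs without an AIX system; the function names are my own.

```shell
#!/bin/sh
# Added example: parse rolerpt -C records of the form #role:commands:privfiles:users.
# SAMPLE_RPT is constructed sample output; on AIX you would pipe `rolerpt -C ALL`
# into the functions instead.
SAMPLE_RPT='#role:commands:privfiles:users
ManageAllUsers:/usr/bin/lsuser,/usr/bin/mkuser:/var/adm/sulog:Bob,Simon
ManageBasicUsers:/usr/bin/lsuser:/var/adm/sulog:Alice
ManageShutdown:/usr/sbin/shutdown::'

# who_can_run <command>: for every role whose privileged-command list contains
# <command>, print one "user role" line per user assigned to that role.
who_can_run() {
    awk -F: -v cmd="$1" '
        /^#/ { next }                       # skip the header record
        {
            n = split($2, cmds, ",")        # field 2: comma-separated commands
            hit = 0
            for (i = 1; i <= n; i++) if (cmds[i] == cmd) hit = 1
            if (!hit) next
            m = split($4, users, ",")       # field 4: comma-separated users
            for (j = 1; j <= m; j++) if (users[j] != "") print users[j], $1
        }'
}

# roles_without_users: roles that grant at least one privileged command but
# have no users assigned; candidates for removal in a least-privilege review.
roles_without_users() {
    awk -F: '!/^#/ && $2 != "" && $4 == "" { print $1 }'
}

# Stand-alone run: list who can reach mkuser and which roles are unassigned.
printf '%s\n' "$SAMPLE_RPT" | who_can_run /usr/bin/mkuser
printf '%s\n' "$SAMPLE_RPT" | roles_without_users
```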