setsecattr Command

Purpose

Sets the security attributes of a command, a device, a privileged file, a process, or a domain-assigned object.

Syntax

setsecattr [-R load_module]{ -c | -d | -p | -f | -o} Attribute = Value [ Attribute = Value ...] Name

Description

The setsecattr command sets the security attributes of the command, device, or process that is specified by the Name parameter. The command interprets the Name parameter as either a command, a device, a privileged file, or a process based on whether the -c (command), -d (device), -f (privileged file), or -p (process) flag is specified.

If you configure the system to one of the following values specified by the Name parameter, the system performs in the order that is specified by the secorder attribute of the corresponding database stanza in the /etc/nscontrol.conf file:

Uses databases from multiple domains
Sets security attributes for a privileged command
Sets security attributes for a privileged device
Sets security attributes for a privileged file
Sets security attributes for a domain-assigned object

Only the first matching entry is modified. Duplicate entries from the remaining domains are not modified. Use the -R flag to modify the entry from a specific domain. If no matching entry is found in any of the domains, a new entry for the Name parameter is created in the first domain. Use the -R flag to add the entry to a specific domain.

To set a value for an attribute, specify the attribute name and the new value with the Attribute=Value parameter. To clear an attribute, specify the Attribute= for the Attribute=Value pair. To make incremental changes to attributes, whose values are lists, specify the Attribute=Value pairs as Attribute=+Value, or Attribute=-Value. If you specify the Attribute=+Value, the value is added onto the existing value for the attribute. If you specify the Attribute=-Value, the value is removed from the existing value for the attribute.

Flags

Item	Description
-c	Specifies that the security attributes of a command on the system are to be set. If the command name that you specified using the Name parameter is not in the privileged command database, a command entry is created in the /etc/security/privcmds privileged command database. If an attribute is being cleared and is the only attribute set for the command, the command is removed from the privileged command database. Modifications made to the privileged command database are not used until the database is sent to the kernel security tables using the setkst command.
-d	Specifies that the security attributes of a device on the system are to be set. If the device name you specify using the Name parameter is not in the privileged device database, a device entry is created in the /etc/security/privdevs privileged device database. If an attribute is being cleared and is the only attribute set for the device, the device is removed from the privileged device database. Modifications made to the privileged device database are not used until the database is sent to the kernel security tables using the setkst command.
-f	Specifies that the security attributes of a privileged file on the system are to be set. Changes requested through the Attribute=Value pairs are made in the /etc/security/privfiles privileged file database. If the specified file is not in the privileged file database, a file entry is created in the database. If an attribute is being cleared and is the only attribute set for the command, the command is removed from the privileged file database.
-o	Specifies that the security attributes of an object on the system are to be set. If the object name that you specified using the Name parameter is not in the domain object database, an object entry is created in the `/etc/security/domobjs` domain object database. If an attribute is being cleared and is the only attribute set for the object, the object entry is removed from the domain object database. Modifications made to the domain object database are not used until the database is sent to the kernel security tables using the setkst command.
-p	Specifies that the numeric process identifier (PID) of an active process on the system are to be set. Changes that you specify with the Attribute=Value pairs immediately affects the state of the specified active process. Modifications are not saved in a database.
-R load_module	Specifies the loadable module to use for security attribute modification.

Parameters

Item	Description
Attribute = Value	Sets the value of a security attribute for the object. The list of valid attribute names are dependent on the object type as specified using the -c, -d, -p, and -o flags. Use the following attributes for the privileged command database (-c) flag: accessauths Specifies access authorizations. Specifies a comma-separated list of authorization names. You can specify a total of sixteen authorization. A user with any of the authorizations that you specified can run the command. This attribute has three special additional values: ALLOW_OWNER, ALLOW_GROUP, and ALLOW_ALL that allows a command owner, a group, or all users to run the command without checking for access authorizations. authprivs Specifies authorized privileges. Specifies a list of authorizations and privilege pairs that grant additional privileges to the process. The authorization and its corresponding privileges are separated by an equal sign (=), individual privileges are separated by a plus sign (+), and authorization or privilege pairs are separated by a comma (,), as shown in the following examples: `auth=priv+priv+...,auth=priv+priv+...,...` You can specify a maximum of sixteen pairs of authorizations or privileges.Specifies roles, the users of which need to be authenticated before command can be executed successfully. Specifies a comma separated list of roles. Each role should be authenticated by different users such as no user can perform the authentication for more than one role at a time. authroles Specifies the user roles that need to be authenticated before the command can run successfully. If listing multiple roles, separate each role with a comma. For example: `authroles=so,isso` Each role must be authenticated by different users. For example, no one user can perform the authentication for more than one role. innateprivs Specifies the innate privileges. Specifies a comma-separated list of privileges that are assigned to the process when the command is run. inheritprivs Specifies inheritable privileges. Specifies a comma-separated list of privileges that are passed to child processes. euid Specifies the effective user ID to assume when the command is run. egid Specifies the effective group ID to assume when the command is run.
	ruid Specifies the real user ID to assume when the command is run. Only valid value is 0. This attribute value will be ignored if the command provides access to all users by specifying the special value ALLOW_ALL in its accessauths attribute. secflags Specifies the file security flags. Specifies a comma-separated list of security flags. Use the following values for this flag: FSF_EPS Causes the maximum privilege set to be loaded into the effective privilege set when the command is run.
	Use the following attributes for the privileged device database (-d) flag: readprivs Specifies a comma-separated list of privileges that a user or a process must have for read access to the device. You can specify a maximum of eight privileges. The user or process must have one of the listed privileges to read from the device. writeprivs Specifies a comma-separated list of privileges that a user or a process must have for write access to the device. You can specify a maximum of eight privileges. The user or process must have one of the listed privileges to write to the device.
	Use the following attributes for the privileged file (-f) flag: readauths Specify the read access authorizations. Specify a comma-separated list of authorization names. A user with any of the authorizations can read the file. writeauths Specify the write access authorizations. Specify a comma-separated list of authorization names. A user with any of the authorizations can read or write the file. Use the following attributes for the privileged process (-p) flag: eprivs Specify the effective privilege set. Specify a comma-separated list of privileges that are to be active for the process. The process might remove the privileges from this set and add the privileges from the maximum privilege set to its effective privilege set. iprivs Specifies the inheritable privilege set. Specifies a comma-separated list of privileges that are passed to child processes' effective and maximum privilege sets. The inheritable privilege set is a subset of the limiting privilege set. mprivs Specify a maximum privilege set. Specify a comma-separated list of privileges that the process can add to its effective privilege set. The maximum privilege set is a superset of the effective privilege set. lprivs Specify the limiting privilege set. Specify a comma-separated list of privileges that make up the maximum possible privilege set for a process. The limiting privilege set is a superset of the maximum privilege set. uprivs Specify the used privilege set. Specify a comma-separated list of privileges that are used during the life of the process. This set is mainly used by the tracepriv command.
	Use the following attributes for the domain-assigned object database (-o) flag: domains Specify a comma-separated list of domains the objects belong to. conflictsets Specify a comma-separated list of domains that are excluded from accessing the object. objtype Specify the type of the object. Valid values are device, netint, netport and file. secflags Specify the security flags for the object. Valid values are: FSF_DOM_ANY: This value specifies that a process can access the object if it has any of the domains given in the domains attribute. FSF_DOM_ALL: Specifies that a process can access the object only if it has all the domains as specified in the domains attribute. This is the default value if no secflags is specified. The FSF_DOM_ANY and FSF_DOM_ALL are mutually exclusive flags.
Name	Specify the object to modify. The Name parameter is interpreted according to the flags that you specify. One name must be indicated for processing at a time.

Security

The setsecattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755. You must have assume a role with at least one of the following authorizations to run the command successfully. For trusted process, the auditing system will not log any object auditing events for the respective process. However, users can capture events using event auditing.

Item	Description
aix.security.cmd.set	Required to modify the attributes of a command with the -c flag.
aix.security.device.set	Required to modify the attributes of a device with the -d flag.
aix.security.file.set	Required to modify the attributes of a device with the -f flag.
aix.security.proc.set	Required to modify the attributes of a process with the -p flag.
aix.security.dobject.set	Required to modify the attributes of a process with the -o flag.

File Accessed

Item	Description
File	Mode
/etc/security/privcmds	rw
/etc/security/privdevs	rw
/etc/security/privfiles	rw
/etc/security/domobjs	rw

Examples

To set an authorized privilege pair for the /usr/sbin/mount command, enter the following command:
```
setsecattr -c authprivs=aix.fs.manage.mount=PV_FS_MOUNT /usr/sbin/mount
```
To incrementally add the PV_AU_WRITE and PV_DAC_W privileges to the existing set of writing privileges for the /dev/mydev device, enter the following command:
```
setsecattr -d writeprivs=+PV_AU_WRITE,PV_DAC_W /dev/mydev
```
To set a read authorization for the /etc/security/user file, enter the following command:
```
setsecattr -f readauths=aix.security.user.change /etc/security/user
```
To incrementally remove the PV_DAC_R privilege from the effective privilege set of an active process, enter the following command:
```
setsecattr -p eprivs=-PV_DAC_R 35875
```
To set the access authorizations for the /usr/sbin/mount command in LDAP, enter the following command:
```
setsecattr -R LDAP -c accessauths=aix.fs.manage.mount /usr/sbin/mount 
```

To set the domains on the network interface en0, enter the following command:

setsecattr –o domains=INTRANET,APPLICATION conflictsets=INTERNET
objtype=netint secflags=FSF_DOM_ANY en0