Purpose
Sets the security attributes of
a command, a device, a privileged file, a process, or a domain-assigned
object.
Description
The setsecattr command sets the security attributes of the command,
device, privileged file, process, or domain-assigned object that is
specified by the Name parameter. The command interprets the Name
parameter as a command, a device, a privileged file, a process, or a
domain-assigned object based on whether the -c (command), -d (device),
-f (privileged file), -p (process), or -o (domain-assigned object) flag
is specified.
When the system is configured for any of the following, the operation
on the entry that is specified by the Name parameter is performed in
the order that is specified by the secorder attribute of the
corresponding database stanza in the /etc/nscontrol.conf file:
- Uses databases from multiple domains
- Sets security attributes for a privileged command
- Sets security attributes for a privileged device
- Sets security attributes for a privileged file
- Sets security attributes for a domain-assigned object
Only the first matching entry is modified. Duplicate
entries from the remaining domains are not modified. Use the -R flag
to modify the entry from a specific domain. If no matching entry is
found in any of the domains, a new entry for the Name parameter
is created in the first domain. Use the -R flag to add the
entry to a specific domain.
To set a value for an attribute,
specify the attribute name and the new value with the Attribute=Value parameter.
To clear an attribute, specify the Attribute= for
the Attribute=Value pair. To make incremental changes to attributes
whose values are lists, specify the Attribute=Value pairs as Attribute=+Value
or Attribute=-Value. If you specify the Attribute=+Value,
the value is added onto the existing value for the attribute. If you
specify the Attribute=-Value, the value is removed
from the existing value for the attribute.
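The assignment, clear and incremental forms described above, as an added example that is not code from this page or from AIX: a Python model of how each spec form edits one entry of a privileged-command database, including the -c rule that clearing the last attribute removes the entry. The stanza layout, the sample /usr/sbin/mount entry and the function names are constructed for the demo.

```python
# Added example, not code from the page or from AIX: models how the
# Attribute=Value, Attribute=, Attribute=+Value and Attribute=-Value specs
# edit one privileged-command entry, plus the -c rule that an entry whose
# last attribute is cleared is removed. Stanza layout and sample: constructed.
SAMPLE_PRIVCMDS = ("/usr/sbin/mount:\n\taccessauths = aix.fs.manage.mount\n"
                   "\tinnateprivs = PV_FS_MOUNT,PV_DAC_R\n")

def parse_stanzas(text):
    """Return {name: {attr: value}} from 'name:' + indented 'attr = value' lines."""
    db, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():
            current = line.rstrip().rstrip(":")
            db[current] = {}
        elif "=" in line:
            # split on the first '=' only: authprivs values contain '='
            attr, value = (p.strip() for p in line.split("=", 1))
            db[current][attr] = value
    return db

def apply_spec(entry, spec):
    """Apply one Attribute=Value spec to an entry dict and return it."""
    attr, sep, rest = spec.partition("=")
    if not attr or not sep:
        raise ValueError("expected Attribute=Value, got %r" % spec)
    op = rest[:1] if rest[:1] in ("+", "-") else ""
    value = rest[len(op):]
    current = [v for v in entry.get(attr, "").split(",") if v]
    items = [v for v in value.split(",") if v]
    if op == "+":       # Attribute=+Value: append values not already present
        current += [v for v in items if v not in current]
    elif op == "-":     # Attribute=-Value: remove the listed values
        current = [v for v in current if v not in items]
    else:               # Attribute=Value replaces; Attribute= clears
        current = items
    if current:
        entry[attr] = ",".join(current)
    else:
        entry.pop(attr, None)  # cleared (assumption: emptied list == cleared)
    return entry

def set_cmd_attrs(db, name, specs):
    """Model 'setsecattr -c spec... name' against a parsed database."""
    entry = db.setdefault(name, {})  # absent command: a new entry is created
    for spec in specs:
        apply_spec(entry, spec)
    if not entry:                    # last attribute cleared: entry removed
        del db[name]
    return db
```

On a real system the edited database only takes effect once it is loaded into the kernel security tables with setkst, as the -c flag description notes.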
Flags
Item | Description
-c | Specifies that the security attributes of a command on the system are to be set. If the command name that you specified using the Name parameter is not in the privileged command database, a command entry is created in the /etc/security/privcmds privileged command database. If an attribute is being cleared and is the only attribute set for the command, the command is removed from the privileged command database. Modifications made to the privileged command database are not used until the database is sent to the kernel security tables using the setkst command.
-d | Specifies that the security attributes of a device on the system are to be set. If the device name you specify using the Name parameter is not in the privileged device database, a device entry is created in the /etc/security/privdevs privileged device database. If an attribute is being cleared and is the only attribute set for the device, the device is removed from the privileged device database. Modifications made to the privileged device database are not used until the database is sent to the kernel security tables using the setkst command.
-f | Specifies that the security attributes of a privileged file on the system are to be set. Changes requested through the Attribute=Value pairs are made in the /etc/security/privfiles privileged file database. If the specified file is not in the privileged file database, a file entry is created in the database. If an attribute is being cleared and is the only attribute set for the file, the file entry is removed from the privileged file database.
-o | Specifies that the security attributes of an object on the system are to be set. If the object name that you specified using the Name parameter is not in the domain object database, an object entry is created in the /etc/security/domobjs domain object database. If an attribute is being cleared and is the only attribute set for the object, the object entry is removed from the domain object database. Modifications made to the domain object database are not used until the database is sent to the kernel security tables using the setkst command.
-p | Specifies that the security attributes of the active process whose numeric process identifier (PID) is given by the Name parameter are to be set. Changes that you specify with the Attribute=Value pairs immediately affect the state of the specified active process. Modifications are not saved in a database.
-R load_module | Specifies the loadable module to use for security attribute modification.
Parameters
Attribute=Value
Sets the value of a security attribute for the object. The list of
valid attribute names depends on the object type, as specified by
the -c, -d, -f, -p, or -o flag.
Use the following attributes for the privileged command database
(-c flag):
- accessauths: Specifies access authorizations as a comma-separated
list of authorization names. You can specify a total of sixteen
authorizations. A user with any of the listed authorizations can run
the command. This attribute has three special additional values,
ALLOW_OWNER, ALLOW_GROUP, and ALLOW_ALL, which allow the command
owner, the group, or all users to run the command without checking
for access authorizations.
- authprivs: Specifies authorized privileges, a list of authorization
and privilege pairs that grant additional privileges to the process.
The authorization and its corresponding privileges are separated by
an equal sign (=), individual privileges are separated by a plus sign
(+), and authorization and privilege pairs are separated by a comma
(,), in the following form:
auth=priv+priv+...,auth=priv+priv+...,...
You can specify a maximum of sixteen pairs of authorizations and
privileges.
- authroles: Specifies the user roles that need to be authenticated
before the command can run successfully. If listing multiple roles,
separate each role with a comma. For example:
authroles=so,isso
Each role must be authenticated by a different user; no one user can
perform the authentication for more than one role.
- innateprivs: Specifies the innate privileges, a comma-separated
list of privileges that are assigned to the process when the command
is run.
- inheritprivs: Specifies inheritable privileges, a comma-separated
list of privileges that are passed to child processes.
- euid: Specifies the effective user ID to assume when the command
is run.
- egid: Specifies the effective group ID to assume when the command
is run.
- ruid: Specifies the real user ID to assume when the command is run.
The only valid value is 0. This attribute value is ignored if the
command provides access to all users by specifying the special value
ALLOW_ALL in its accessauths attribute.
- secflags: Specifies the file security flags as a comma-separated
list of security flags. Use the following value for this flag:
  - FSF_EPS: Causes the maximum privilege set to be loaded into the
  effective privilege set when the command is run.
Use the following attributes for the privileged device database
(-d flag):
- readprivs: Specifies a comma-separated list of privileges that a
user or a process must have for read access to the device. You can
specify a maximum of eight privileges. The user or process must have
one of the listed privileges to read from the device.
- writeprivs: Specifies a comma-separated list of privileges that a
user or a process must have for write access to the device. You can
specify a maximum of eight privileges. The user or process must have
one of the listed privileges to write to the device.
Use the following attributes for the privileged file database
(-f flag):
- readauths: Specifies the read access authorizations as a
comma-separated list of authorization names. A user with any of the
authorizations can read the file.
- writeauths: Specifies the write access authorizations as a
comma-separated list of authorization names. A user with any of the
authorizations can read or write the file.
Use the following attributes for the privileged process (-p flag):
- eprivs: Specifies the effective privilege set, a comma-separated
list of privileges that are to be active for the process. The process
might remove privileges from this set and add privileges from the
maximum privilege set to its effective privilege set.
- iprivs: Specifies the inheritable privilege set, a comma-separated
list of privileges that are passed to child processes' effective and
maximum privilege sets. The inheritable privilege set is a subset of
the limiting privilege set.
- mprivs: Specifies the maximum privilege set, a comma-separated list
of privileges that the process can add to its effective privilege
set. The maximum privilege set is a superset of the effective
privilege set.
- lprivs: Specifies the limiting privilege set, a comma-separated
list of privileges that make up the maximum possible privilege set
for a process. The limiting privilege set is a superset of the
maximum privilege set.
- uprivs: Specifies the used privilege set, a comma-separated list of
privileges that are used during the life of the process. This set is
mainly used by the tracepriv command.
Use the following attributes for the domain-assigned object database
(-o flag):
- domains: Specifies a comma-separated list of domains that the
object belongs to.
- conflictsets: Specifies a comma-separated list of domains that are
excluded from accessing the object.
- objtype: Specifies the type of the object. Valid values are device,
netint, netport, and file.
- secflags: Specifies the security flags for the object. Valid values
are:
  - FSF_DOM_ANY: Specifies that a process can access the object if it
  has any of the domains given in the domains attribute.
  - FSF_DOM_ALL: Specifies that a process can access the object only
  if it has all of the domains specified in the domains attribute.
  This is the default value if no secflags is specified.
FSF_DOM_ANY and FSF_DOM_ALL are mutually exclusive flags.
Name
Specify the object to modify. The Name parameter is interpreted
according to the flags that you specify. One name must be indicated
for processing at a time.
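The domains, conflictsets and secflags rules for domain-assigned objects, worked as an added Python example that is not code from this page or from AIX. The object entry reuses the en0 values from the Examples section; the process domain sets and the function names are constructed for the demo.

```python
# Added example, not code from the page or from AIX: evaluates the domain,
# conflict-set and FSF_DOM_ANY/FSF_DOM_ALL rules described above for a
# process holding a given set of domains. The object definition reuses the
# en0 values from the Examples section; the process domain sets and the
# function names are constructed for this demo.
def _csv_set(entry, attr):
    """Split a comma-separated attribute value into a set (empty if unset)."""
    return {v for v in entry.get(attr, "").split(",") if v}

def domain_allows(obj, proc_domains):
    """Return (allowed, reason) for a process holding proc_domains against an
    object entry with domains, conflictsets and secflags attributes."""
    held = set(proc_domains)
    required = _csv_set(obj, "domains")
    excluded = _csv_set(obj, "conflictsets")
    flags = _csv_set(obj, "secflags")
    if {"FSF_DOM_ANY", "FSF_DOM_ALL"} <= flags:
        raise ValueError("FSF_DOM_ANY and FSF_DOM_ALL are mutually exclusive")
    # Any held domain that is in the conflict set excludes the process.
    clash = held & excluded
    if clash:
        return False, "conflict set domain(s) held: " + ",".join(sorted(clash))
    if "FSF_DOM_ANY" in flags:
        ok = bool(held & required)
        return ok, "FSF_DOM_ANY: need any of " + ",".join(sorted(required))
    # With no secflags (or FSF_DOM_ALL), every listed domain is required.
    missing = required - held
    if missing:
        return False, "FSF_DOM_ALL: missing " + ",".join(sorted(missing))
    return True, "FSF_DOM_ALL: all required domains held"

def parse_specs(specs):
    """Turn the attr=value words of a setsecattr -o line into a dict."""
    return dict(spec.split("=", 1) for spec in specs)

# Object entry built from the en0 example on this page.
EN0 = parse_specs(["domains=INTRANET,APPLICATION", "conflictsets=INTERNET",
                   "objtype=netint", "secflags=FSF_DOM_ANY"])
```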
Security
The setsecattr command is a privileged command. It is owned by the
root user and the security group, with the mode set to 755. You must
assume a role with at least one of the following authorizations to
run the command successfully. For a trusted process, the auditing
system does not log any object auditing events for the respective
process. However, users can capture events using event auditing.
Item | Description
aix.security.cmd.set | Required to modify the attributes of a command with the -c flag.
aix.security.device.set | Required to modify the attributes of a device with the -d flag.
aix.security.file.set | Required to modify the attributes of a privileged file with the -f flag.
aix.security.proc.set | Required to modify the attributes of a process with the -p flag.
aix.security.dobject.set | Required to modify the attributes of a domain-assigned object with the -o flag.
Files Accessed
File | Mode
/etc/security/privcmds | rw
/etc/security/privdevs | rw
/etc/security/privfiles | rw
/etc/security/domobjs | rw
Examples
- To set an authorized privilege pair for the /usr/sbin/mount command,
enter the following command:
setsecattr -c authprivs=aix.fs.manage.mount=PV_FS_MOUNT /usr/sbin/mount
- To incrementally add the PV_AU_WRITE and PV_DAC_W privileges to
the existing set of writing privileges for the /dev/mydev device,
enter the following command:
setsecattr -d writeprivs=+PV_AU_WRITE,PV_DAC_W /dev/mydev
- To set a read authorization for the /etc/security/user file,
enter the following command:
setsecattr -f readauths=aix.security.user.change /etc/security/user
- To incrementally remove the PV_DAC_R privilege from the effective
privilege set of an active process, enter the following command:
setsecattr -p eprivs=-PV_DAC_R 35875
- To set the access authorizations for the /usr/sbin/mount command
in LDAP, enter the following command:
setsecattr -R LDAP -c accessauths=aix.fs.manage.mount /usr/sbin/mount
- To set the domains on the network interface en0, enter
the following command:
setsecattr -o domains=INTRANET,APPLICATION conflictsets=INTERNET objtype=netint secflags=FSF_DOM_ANY en0