usrrpt Command

Purpose

Reports the security capabilities of users.

Syntax

usrrpt [-R <load_module>] [-C] [-a | -c | -f ] user_list

Description

The usrrpt command reports security capability information of users such as privileged commands executable by them, privileged files that can be accessed, and also the authorizations associated with the user.

Either of –a, -c, -f flags can be specified. When the –a option is specified, the list of authorizations associated with the user is displayed. When the -c option is specified, the privileged commands present in the /etc/security/privcmds database that can be executed by that user is listed. When the –f option is specified, the list of privileged files present in the /etc/security/privfiles database that can be accessed by the authorized user is listed.

The command takes a list of comma separated user names as input. When no option is specified, all the capability information such as authorizations, commands and privileged files information associated with the user is listed.

Flags

Item Description
-a Specify that a report of authorizations associated with the users is to be obtained.
-c Specify that a report of privileged commands executable by the users is to be obtained.
-f Specify that a report of privileged files accessible by the user is to be obtained.
-R Specifies the loadable module to obtain the report of authorization capabilities from.
-C Displays the authorization attributes in colon-separated records, as follows:

#user:attribute1:attribute2: ...
user1:value1:value2: ...
user2:value1:value2: ...

Exit status

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: This command should grant execute (x) access to the root user.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr Command or the getcmdattr Subcommand.

Examples

  1. To report the commands associated with user Bob:
    usrrpt –c Bob
  2. To report all capabilities of user Simon:
    usrrpt Simon
  3. To report all capabilities of user Simon in colon separated format
    usrrpt –C Simon
Information similar to the following appears:
#user:authorizations:commands:privfiles
Simon:aix.security.user:/usr/bin/mkuser,/usr/bin/chuser:/etc/csh.cshrc,/etc/csh.login

Files

/etc/security/roles
/etc/security/authorizations
/etc/security/privcmds
/etc/security/privfiles