/etc/security/privfiles File

Purpose

Contains the security attributes for privileged files.

Description

The /etc/security/privfiles file is an ASCII stanza file that contains privileged files and their security attributes. Each stanza in the /etc/security/privfiles file is identified by the full path name to the file, followed by a colon (:). Each stanza contains attributes in the Attribute=Value form. The path name must be the absolute path to the file and cannot contain symbolic link directories or be a symbolic link to the file. Each Attribute=Value pair is ended by a newline character, and each stanza is ended by an additional newline character. For an example of a stanza, see Examples.

Modifying and Listing Entries in the privfiles File

Do not edit the /etc/security/privfiles file directly. Instead, use commands and subroutines that are defined for managing privileged file databases. You can use the following commands to modify and list entries in the privfiles file:
setsecattr
    Adds or changes a file entry in the /etc/security/privfiles file.
lssecattr
    Displays the attributes of a file entry and their values.
rmsecattr
    Removes a file entry from the /etc/security/privfiles file.
To write programs that affect entries in the /etc/security/privfiles file, use one or more of the following subroutines:
  • getpfileattr
  • getpfileattrs
  • putpfileattr
  • putpfileattrs

Attributes

A stanza in this file can contain one or more of the following security attributes:
readauths
    Specifies the authorizations required to read from the file, as a comma-separated list of authorization names. A user with any one of the listed authorizations can use the /usr/bin/pvi command to read from the privileged file.
writeauths
    Specifies the authorizations required to write to the file, as a comma-separated list of authorization names. A user with any one of the listed authorizations can use the /usr/bin/pvi command to write to the privileged file.

Security

Read and write access is granted to the root user, and read access is granted to members of the security group. Access for other users and groups depends on the security policy for the system.

Examples

The following example shows a typical stanza in the file:

/etc/myconf:
        readauths = aix.security.role.list
        writeauths = aix.security.role.change

This entry indicates that users with the aix.security.role.list authorization can use the pvi command to read the /etc/myconf file. Users with the aix.security.role.change authorization can use the pvi command to write to the /etc/myconf file.
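As an added worked example (not part of the AIX documentation or of any AIX utility), the following Python code parses text in the stanza format described under Description, validates the two attributes listed under Attributes, enforces the absolute-path rule for the stanza name, and answers the question the example raises: given a user's authorizations, may pvi read or write the file? The sample text (the /etc/myconf stanza plus a constructed second stanza), the authorization name aix.security.user.list, and the function names are constructed for this illustration; the rule that a file with no stanza, or an attribute that is not set, denies pvi access is this checker's assumption and is not stated by the page.

```python
import os
from dataclasses import dataclass, field

# Constructed sample in the stanza format of /etc/security/privfiles
# (not copied from a real system): the page's /etc/myconf stanza plus a
# second file that grants read access only.
SAMPLE_PRIVFILES = """\
/etc/myconf:
        readauths = aix.security.role.list
        writeauths = aix.security.role.change

/etc/other.conf:
        readauths = aix.security.role.list,aix.security.user.list
"""

# The only attributes the page documents for this file.
KNOWN_ATTRS = ("readauths", "writeauths")


@dataclass
class PrivFileStanza:
    path: str
    readauths: list = field(default_factory=list)
    writeauths: list = field(default_factory=list)


def parse_privfiles(text):
    """Parse stanzas of the form '<absolute path>:' followed by
    'Attribute = Value' lines; a blank line ends the stanza."""
    stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            current = None  # the extra newline closes the stanza
            continue
        if current is None:
            if not line.endswith(":"):
                raise ValueError(f"line {lineno}: expected '<path>:' stanza header, got {line!r}")
            path = line[:-1].strip()
            # Stanza names must be absolute, normalized paths.
            if not path.startswith("/") or path != os.path.normpath(path):
                raise ValueError(f"line {lineno}: stanza name must be an absolute path: {path!r}")
            if path in stanzas:
                raise ValueError(f"line {lineno}: duplicate stanza for {path}")
            current = PrivFileStanza(path)
            stanzas[path] = current
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or name not in KNOWN_ATTRS:
            raise ValueError(f"line {lineno}: unknown or malformed attribute {line!r}")
        # Values are comma-separated authorization names.
        auths = [a.strip() for a in value.split(",") if a.strip()]
        setattr(current, name, auths)
    return stanzas


def parse_error(text):
    """Return the error message for malformed input, or None if it parses."""
    try:
        parse_privfiles(text)
    except ValueError as exc:
        return str(exc)
    return None


def path_is_canonical(path):
    """The page requires the stanza name to be the real path: no symbolic
    link directories and not itself a symbolic link. realpath resolves both."""
    return os.path.realpath(path) == path


def pvi_access(stanzas, path, user_auths, mode):
    """True if a user holding user_auths may open path with pvi in the given
    mode ('read' or 'write'); any one listed authorization is enough.
    Assumption of this checker: no stanza or an unset attribute means denied."""
    stanza = stanzas.get(path)
    if stanza is None:
        return False
    required = stanza.readauths if mode == "read" else stanza.writeauths
    return bool(set(required) & set(user_auths))


if __name__ == "__main__":
    db = parse_privfiles(SAMPLE_PRIVFILES)
    for stanza in db.values():
        print(stanza, "canonical:", path_is_canonical(stanza.path))
    print("role.list may read /etc/myconf:",
          pvi_access(db, "/etc/myconf", ["aix.security.role.list"], "read"))
    print("role.list may write /etc/myconf:",
          pvi_access(db, "/etc/myconf", ["aix.security.role.list"], "write"))
```

Run as a script it prints the parsed stanzas and the two access decisions for the /etc/myconf entry; on a real system the same check is what the pvi command performs, and the page's instruction not to edit the file by hand still applies: the parser is for reading and auditing the database, not for writing it.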