adminuser(1M)


adminuser -- display, add, change, delete administrators in the TFM database

Synopsis

adminuser [-n] [-o role[, ...]] [-a cmd:path[:priv[:priv ...]][, ...]] user ...

adminuser [-o role[, ...]] [-r cmd[:priv[:priv ...]][, ...]] [-a cmd:path[:priv[:priv ...]][, ...]] user ...

adminuser [-d] user ...

adminuser

Description

The adminuser command allows administrators to display, add, change, and delete administrators in the Trusted Facility Management (TFM) database. The TFM database is the vehicle through which unprivileged user processes run privileged commands.

A user definition contains a list of commands. Each command contains a list of privileges. The tfadmin command uses these privileges to set up its process before invoking this command for the user. In addition to the command definitions, there is a list of roles available to the user, and a default command specification.

The options to the command are:

-n
For every user in the list, create a new user description, and, optionally, create a role list or add a command to that user.

-o
Create the specified role list for every user in the list. Note that order is significant if more than one role is specified, and an individual command is in more than one of the roles. In this case, if the user subsequently invokes such a command via tfadmin, and does not specify a role, the roles will be searched in the order specified here for a matching command definition. The first match found is the one that will be used.

-a
Add a list of commands to the definitions of a given list of users.

-r
Remove the list of commands from the definitions of the given list of users. If privileges are given in a command description, the command is left in place and only the specified privileges are removed from it.

-d
Delete the given list of users from the TFM database.

No options
Print out the capabilities of the given list of users.

No arguments
Print the capabilities of every user in the database.

The adminuser command takes as its arguments the list of users to which the actions specified by the options apply. The list of users is a list of user login names. Only administrative users, that is, administrators to whom access to privileged commands is to be granted, should be added to the TFM database.

WARNING: SCOadmin manager authorizations depend on certain entries in the TFM database that are managed by adminuser. Removing commands from an administrative user or system owner can result in being unable to run a SCOadmin manager.

The argument to the -o option is a comma-separated list of role names. This list will create a new role list for the specified users, replacing any existing role lists.

The argument to the -a or -r option is a comma-separated list of command descriptions. For the -a option, the command description includes the name of the command to be added, the full path at which the command file resides, and the privilege vector, represented by a colon-separated list of privilege names (for example, mount:/etc/mount:macread:mount). There is no limit on the length of the path name; however, / ("root" or "slash") alone may not be specified.

The command description for the -r option is the same as for the -a option except that the full path and the separating colon are not given (for example, mount:macread:mount). If the users get no privileges when they invoke the command, the privilege description may be omitted.

The -n and -r options may not be used together. If -n is specified with -r, an error will occur because incompatible options have been specified.
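As an added example that is not part of the UnixWare manual or the adminuser implementation, the following POSIX shell functions check a -a command-description list against the syntax rules above (command name, absolute path that is not / alone, optional colon-separated privilege names) so that a privilege grant can be reviewed before it is written to the TFM database. The function names and the sample descriptions are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical helper for reviewing adminuser -a arguments; not UnixWare code.
# check_cmd_desc NAME:PATH[:PRIV ...]  -> 0 if the description is well formed
check_cmd_desc() {
    desc=$1
    name=${desc%%:*}
    rest=${desc#*:}
    # A description must carry at least a name and a path.
    [ "$desc" != "$rest" ] || { echo "no path in '$desc'" >&2; return 1; }
    [ -n "$name" ] || { echo "empty command name in '$desc'" >&2; return 1; }
    path=${rest%%:*}
    case $path in
        /)  echo "path '/' alone is not allowed in '$desc'" >&2; return 1 ;;
        /*) ;;
        *)  echo "path must be absolute in '$desc'" >&2; return 1 ;;
    esac
    # Whatever follows the path is the privilege vector: either empty
    # (the command runs with no privileges) or ':priv[:priv ...]'.
    privs=${rest#"$path"}
    case $privs in
        "") ;;
        *::*|*:) echo "empty privilege name in '$desc'" >&2; return 1 ;;
    esac
    return 0
}

# check_cmd_list 'DESC, DESC, ...'  -> 0 only if every description passes
check_cmd_list() {
    list=$1
    oldifs=$IFS
    IFS=,
    set -- $list
    IFS=$oldifs
    rc=0
    for d in "$@"; do
        d=${d#"${d%%[![:space:]]*}"}      # drop the blank after a comma
        check_cmd_desc "$d" || rc=1
    done
    return $rc
}
```

Run the list through check_cmd_list before passing the same string to adminuser -a; any rejected description is reported on standard error.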

Files

/etc/security/tfm/users/*
/etc/security/tfm/users/*/default
/etc/security/tfm/users/*/roles
/etc/security/tfm/users/*/cmds/*

Diagnostics

This command exits with status 0 if all requested operations succeeded, and with status 1 if any operation failed.

The following diagnostic messages are printed by adminuser:

References

adminrole(1M), intro(2), tfadmin(1M)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004