tfadmin -t [role:] cmd[:priv[:priv...]]
role is a role name defined in the administrative database for Trusted Facility Management.
cmd can be either a command defined in the TFM database or it can be the full pathname of a command. The executable file associated with cmd will be executed only if the user has been defined as an administrator and has access to cmd.
If cmd is a full pathname, the last component of the pathname (the basename) will be searched for in the TFM database. If role was specified, the search will be limited to the definition for the specified role. If not, each role assigned to the user will be searched, in the order that the roles were assigned to the user (see adminuser(1M)). Finally, any individual commands assigned to the user outside any assigned roles will be searched.
If cmd or the basename does not exist in the user definition, tfadmin issues an error and exits with an error code. If the path associated with cmd in the administrative database is not equal to the full pathname specified for cmd, tfadmin issues a diagnostic message.
args are a set of command arguments to be passed to the program indicated by cmd.
priv is the name of a process privilege. (See intro(2) for a complete list of process privileges.)
In addition, if the -t option is used, a privilege vector, consisting of one or more privilege names separated by colons (e.g., macread:mount) may be appended to the role-command pair, separated from it by a colon (for example, SSA:mount:macread:mount). This privilege list is meaningful only when the -t option is used, because it is used to test whether the given command can be executed by the invoking user with the specified privileges.
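The search order and the -t privilege test described above, modelled as an added Python example (not code from tfadmin or from this manual page). The database layout, the user alice, the role OP, the paths and the subset rule used for the privilege test are assumptions made for illustration.

```python
import posixpath

# Constructed stand-in for the TFM database (the real format is not shown on this page).
TFM_DB = {
    "roles": {
        "OP":  {"mount": {"path": "/usr/sbin/mount", "privs": {"mount"}}},
        "SSA": {"mount": {"path": "/sbin/mount", "privs": {"macread", "mount"}}},
    },
    "users": {
        # "roles" is kept in the order the roles were assigned to the user.
        "alice": {"roles": ["OP", "SSA"],
                  "cmds": {"umount": {"path": "/sbin/umount", "privs": {"mount"}}}},
    },
}

def resolve(db, user, cmd, role=None):
    """Return (scope, entry, diagnostics) using the search order described above."""
    account = db["users"].get(user)
    if account is None:
        raise PermissionError(f"{user} is not defined as an administrator")
    name = posixpath.basename(cmd)          # a full pathname is looked up by basename
    if role is not None:
        # Assumption: a named role is searched only if it is assigned to the user.
        scopes = [(role, db["roles"].get(role, {}))] if role in account["roles"] else []
    else:
        scopes = [(r, db["roles"].get(r, {})) for r in account["roles"]]
        scopes.append((None, account["cmds"]))   # individual commands come last
    for scope, cmds in scopes:
        if name in cmds:
            entry, diags = cmds[name], []
            if cmd.startswith("/") and cmd != entry["path"]:
                diags.append(f"{cmd} differs from database path {entry['path']}")
            return scope, entry, diags
    raise LookupError(f"{name} is not in the definition for {user}")

def can_run(db, user, cmd, privs, role=None):
    """Model of the -t test. Assumption: it passes when every requested
    privilege is among those recorded for the resolved command."""
    try:
        _, entry, _ = resolve(db, user, cmd, role)
    except (PermissionError, LookupError):
        return False
    return set(privs) <= entry["privs"]

if __name__ == "__main__":
    print(resolve(TFM_DB, "alice", "/sbin/mount"))   # first match is role OP
    print(can_run(TFM_DB, "alice", "mount", ["macread", "mount"]))
    print(can_run(TFM_DB, "alice", "mount", ["macread", "mount"], role="SSA"))
```

When the same basename is defined in more than one role, the unqualified lookup stops at the first role assigned, so naming the role is what selects the SSA definition in this model.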
The tfadmin command takes the following options:
The following diagnostic messages are printed by tfadmin:
cannot execute program file: ``path''
undefined command name ``cmd''
user not allowed
cannot set up maximum privilege set
full path to TFM database must be specified
TFM database does not exist
improper command name: ``string''
invalid process privilege: ``string''
unrecognized privilege number: ``number''