Changes user-defined authorization attributes.
The chauth command modifies attributes for the authorization that is identified by the Name parameter. The command only modifies existing user-defined authorizations in the authorization database. System-defined authorizations cannot be modified with the chauth command. To change an attribute of a user-defined authorization, specify the attribute name and the new value with the Attribute = Value parameter. If any specified attribute or attribute value is not valid, the chauth command does not modify the authorization.
Important: Modifying the ID of an authorization can affect system security, because the current ID value might be in use by processes, files, and so on. Use the id attribute to change the ID of an authorization only when you are sure that the authorization is not in use. The chauth command allows the ID to be set only to an unused value greater than 10 000. IDs less than 10 000 are reserved for system-defined authorizations.
If the system is configured to use multiple domains for the authorization database, authorization modification is performed according to the order specified by the secorder attribute of the authorizations database stanza in the /etc/nscontrol.conf file. Only the first matching authorization is modified. Duplicate authorizations from the remaining domains are not modified. Use the -R flag to modify the authorization from a specific domain.
When the system is operating in enhanced Role Based Access Control (RBAC) mode, modifications made to the authorization database are not used for security considerations until the database is sent to the kernel security tables through the setkst command.
Flag | Description |
---|---|
-R load_module | Specifies the loadable module to use for the authorization modification. |
Attribute | Description |
---|---|
id | Specifies a unique integer that is used to identify the authorization. The value is a decimal integer ranging from 10 001 through 32 768. |
dfltmsg | Specifies the default description to use if message catalogs are not in use. The value is a string. |
msgcat | Specifies the message catalog file name that contains the description of the authorization. If the msgcat attribute is specified, the msgset and msgnum attributes must also be specified. The value is a string. If the specified string contains a leading forward slash (/), the value is assumed to be an absolute path name. Otherwise, the directory search path is taken from the user environment, as described for the catopen routine. |
msgset | Specifies the message set, within the catalog file, from which the message number is retrieved. The catalog file is specified by the msgcat attribute, and the message number is specified by the msgnum attribute. The value is a decimal integer. |
msgnum | Specifies the message number of the authorization description within the catalog file and message set. The catalog file is specified by the msgcat attribute, and the set number is specified by the msgset attribute. The value is a decimal integer. |
Parameter | Description |
---|---|
Name | Specifies the authorization to modify. |
Authorization | Description |
---|---|
aix.security.auth.change | Required to run the command. |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
File | Mode |
---|---|
/etc/security/authorizations | rw |
```sh
# Set the message catalog that holds the description of the custom authorization
chauth msgcat="custom_auths.cat" custom

# Set the message set and message number for the custom.test authorization
chauth msgset=5 msgnum=24 custom.test

# Change the message set of custom.test in the LDAP domain only
chauth -R LDAP msgset=5 custom.test
```
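The ID rule and the setkst requirement described above, combined into a small wrapper. This is an added example, not part of the chauth documentation; it assumes that `lsauth -a id ALL` prints one "name id=NNNNN" line per authorization, and the listing embedded below is constructed sample output with made-up IDs.

```shell
#!/bin/sh
# Added example, not from the chauth page: guard an id change with the
# constraints stated above (unused value, 10001 through 32768) and then
# load the result into the kernel security tables with setkst.
# Assumption: `lsauth -a id ALL` prints one "name id=NNNNN" line per
# authorization; SAMPLE_LISTING below is constructed sample output.

AUTH_ID_MIN=10001   # IDs below this are reserved for system-defined authorizations
AUTH_ID_MAX=32768

# check_auth_id NEW_ID LISTING
# Succeeds only when NEW_ID is a plain decimal integer within range and no
# line of LISTING already assigns it.
check_auth_id() {
    new_id=$1
    listing=$2
    case "$new_id" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    [ "$new_id" -ge "$AUTH_ID_MIN" ] || return 1
    [ "$new_id" -le "$AUTH_ID_MAX" ] || return 1
    if printf '%s\n' "$listing" | grep -Eq "(^| )id=$new_id\$"; then
        return 1   # some authorization already carries this id
    fi
    return 0
}

# change_auth_id NAME NEW_ID
# Refuses the change unless check_auth_id accepts it against the live
# database; after chauth succeeds, setkst makes the change effective in
# enhanced RBAC mode.
change_auth_id() {
    name=$1
    new_id=$2
    current=$(lsauth -a id ALL) || return 1
    if ! check_auth_id "$new_id" "$current"; then
        echo "refusing id $new_id for $name: out of range or already in use" >&2
        return 1
    fi
    chauth id="$new_id" "$name" && setkst
}

# Constructed sample of the listing format (ids are made up for the example).
SAMPLE_LISTING='aix.security.auth.change id=2345
custom id=10001
custom.test id=10002'

check_auth_id 10003 "$SAMPLE_LISTING" && echo "10003 is free and in range"
```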