Displays the security attributes of a command, a device, a privileged file, a process, or a domain-assigned object.
lssecattr [-R load_module] { -c | -d | -p [-h] [-A] | -f | -o } [-C | -F] [-a List] { ALL | Name [,Name ] …}
The lssecattr command lists the security attributes of one or more commands, devices, privileged files, processes, or domain-assigned objects. The command interprets the Name parameter as a command, a device, a privileged file, a process, or a domain-assigned object according to whether the -c (command), -d (device), -f (privileged file), -p (process), or -o (domain-assigned object) flag is specified. If the -c flag is specified, the Name parameter must be the full path to the command. If the -d flag is specified, the Name parameter must be the full path to the device. If the -f flag is specified, the Name parameter must be the full path to the file. If the -p flag is specified, the Name parameter must be the numeric process identifier (PID) of an active process on the system. If the -o flag is specified, the Name parameter must be the full path if the object is a file or device; for a port or port range it must be prefixed with TCP_ or UDP_. Use the ALL keyword to list the security attributes for all commands, devices, files, or processes. By default, the lssecattr command displays all of the security attributes of the specified object. To view only selected attributes, use the -a List flag.
If the system is configured to use databases from multiple domains, the privileged commands, privileged devices, and privileged files, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the corresponding database stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the objects from a specific domain.
By default, the lssecattr command lists the security attributes on one line. It displays the attribute information as the definitions of Attribute=Value, each separated by a blank space. To list the attributes in stanza format, use the -F flag. To list the attributes as colon-separated records, use the -C flag.
Item | Description |
---|---|
-a List | Lists the attributes to display. Separate multiple attributes in the List variable with a blank space. If you specify an empty list, only the object names are displayed. The attributes that can be listed in the List variable depend on which of the -c, -d, -f, -p, or -o flags is specified. For a list of the valid attribute names for each flag, see the setsecattr command. |
-A | Displays the list of authorizations used by the specified process. This flag can only be used with the -p flag. |
-c | The Name parameter specifies the full paths to one or more commands on the system that have entries in the /etc/security/privcmds privileged command database. |
-C | Displays the privileged security attributes as colon-separated records. The output is preceded by a comment line that names the attribute represented in each colon-separated field. If the -a flag is specified, the order of the attributes matches the order given with the -a flag. If an object does not have a value for a given attribute, the field is still output but is empty. The last field in each entry is terminated by a newline character rather than a colon. |
-d | The Name parameter specifies the full paths to one or more devices on the system that have entries in the /etc/security/privdevs privileged device database. |
-f | The Name parameter specifies the full paths to one or more files on the system that have entries in the /etc/security/privfiles privileged files database. |
-F | Displays the output in stanza format, with each stanza identified by an object name. Each Attribute=Value pair is listed on a separate line. |
-h | Displays the full hierarchy of privileges for the process. By default, only the highest level of privilege is listed. This flag can only be used with the -p flag. |
-o | The Name parameter specifies one or more entries in the /etc/security/domobjs domain-assigned object database: the full path for a file or device, or a port or port range prefixed with TCP_ or UDP_. |
-p | The Name parameter specifies the numeric process identifiers (PID) of one or more active processes on the system. |
-R load_module | Specifies the loadable module to query the Name entry from. |
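The -C format above is the one to consume from scripts, because the leading comment line tells you which attribute sits in each field and empty fields are still present. The following added example, which is not part of the lssecattr manual page, parses a constructed sample of that output by field name and then flags commands whose accessauths is empty or contains the ALLOW_ALL keyword (an accessauths value that this page does not describe; it is assumed here to mean that any user may run the command). The sample paths and attribute values are constructed for the example and are not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of the lssecattr manual page): parse the
# colon-separated records produced by lssecattr -C by field name, then flag
# privileged commands whose accessauths is empty or ALLOW_ALL.

# Constructed sample of `lssecattr -c -C -a accessauths innateprivs ...`
# output. Paths and attribute values are illustrative, not taken from any
# real system; the privcmds database on a real host will differ.
sample_c_output() {
    cat <<'EOF'
#name:accessauths:innateprivs
/usr/sbin/mount:aix.fs.manage.mount:PV_DAC_R,PV_DAC_W,PV_FS_MOUNT
/opt/myapp/bin/helper:ALLOW_ALL:PV_DAC_R,PV_DAC_W
/opt/myapp/bin/legacy::PV_DAC_R
EOF
}

# field_from_c_output ATTR  <records on stdin>
# Looks up ATTR's column in the leading "#name:attr:..." comment line, so the
# caller does not depend on column position, then prints "name ATTR=value"
# per record. An empty field (object has no value for ATTR) prints an empty
# value rather than being skipped.
field_from_c_output() {
    awk -F: -v want="$1" '
        /^#/ {                              # header line names the fields
            sub(/^#/, "")                   # strip "#"; awk re-splits $0
            for (i = 1; i <= NF; i++) if ($i == want) col = i
            next
        }
        col == 0 { next }                   # header missing or ATTR unknown
        { print $1 " " want "=" $col }
    '
}

# unrestricted_commands  <records on stdin>
# Prints the commands whose accessauths is empty or contains ALLOW_ALL
# (assumed keyword: any user may run the command with its innate privileges).
unrestricted_commands() {
    field_from_c_output accessauths | awk '
        {
            split($2, kv, "=")              # kv[2] is the attribute value
            if (kv[2] == "" || kv[2] ~ /(^|,)ALLOW_ALL(,|$)/) print $1
        }'
}

# Demo on the constructed sample. On an AIX host the same pipeline reads the
# live database:
#   lssecattr -c -C -a accessauths innateprivs ALL | unrestricted_commands
sample_c_output | unrestricted_commands
```

Because the parser keys on the comment line rather than on column numbers, the same functions work whatever attribute list was passed with -a, and an object with no value for the attribute is reported with an empty value instead of silently shifting the remaining fields.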
Item | Description |
---|---|
ALL | For all commands, devices, privileged files, processes, or domain-assigned objects. |
Name | The object whose attributes are listed. The Name parameter is interpreted according to which of the -c, -d, -f, -p, or -o flags is specified. |
The lssecattr command is a privileged command. It is owned by the root user and the security group, with mode set to 755. You must assume a role with at least one of the following authorizations to run the command successfully.
Item | Description |
---|---|
aix.security.cmd.list | Required to list the attributes of a command with the -c flag. |
aix.security.device.list | Required to list the attributes of a device with the -d flag. |
aix.security.file.list | Required to list the attributes of a file with the -f flag. |
aix.security.proc.list | Required to list the attributes of a process with the -p flag. |
aix.security.dobject.list | Required to list the attributes of a domain-assigned object with the -o flag. |
File | Mode |
---|---|
/etc/security/privcmds | r |
/etc/security/privdevs | r |
/etc/security/privfiles | r |
/etc/security/domobjs | r |
To display the access authorizations and innate privileges of the /usr/sbin/mount command, enter:
lssecattr -c -a accessauths innateprivs /usr/sbin/mount
To display all the security attributes of the /dev/mydev device, enter:
lssecattr -d /dev/mydev
To display the security attributes of the /dev/mydev device from the LDAP database, enter:
lssecattr -R LDAP -d /dev/mydev
To display the effective and used privilege sets of the processes with PIDs 38483 and 57382 as colon-separated records, enter:
lssecattr -p -C -a eprivs uprivs 38483,57382
To display the read authorizations of the /etc/security/user privileged file, enter:
lssecattr -f -a readauths /etc/security/user
To display, in stanza format, the security attributes and the list of authorizations used by the process with PID 34890, enter:
lssecattr -F -p -A 34890
To display the security attributes of the domain-assigned object /dev/dev1, enter:
lssecattr -o /dev/dev1
To display the security attributes of the domain-assigned object en0, enter:
lssecattr -o en0