lssecattr Command

Purpose

Displays the security attributes of a command, a device, a privileged file, a process or, a domain-assigned object.

Syntax

lssecattr [-R load_module] { -c | -d | -p [-h] [-A]| -f | -o } [-C | -F ] [-a List] { ALL | Name [,Name ] …}

Description

The lssecattr command lists the security attributes of one or more commands, devices or processes. The command interprets the Name parameter as either a command, a device, a privileged file, a process, or a domain-assigned object based on whether the -c (command), -d (device), -f (privileged file), -p (process), or -o (domain-assigned object) flag is specified. If the -c flag is specified, the Name parameter must include the full path to the commands. If the -d flag is specified, the Name parameter must include the full path to the devices. If the -f flag is specified, the Name parameter must include the full path to the file. If the -p flag is specified, the Name parameter must be the numeric process identifier (PID) of an active process on the system. If the –o flag is specified, the Name parameter must be the full path if it is a file or device and for port or port ranges it must be prefixed with TCP_ or UDP_. Use the ALL keyword to list the security attributes for all commands, devices, files, or processes. By default, the lssecattr command displays all of the security attributes for the specified object. To view the selected attributes, use the -a List flag.

If the system is configured to use databases from multiple domains, the privileged commands, privileged devices, and privileged files, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the corresponding database stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the objects from a specific domain.

By default, the lssecattr command lists the security attributes on one line. It displays the attribute information as the definitions of Attribute=Value, each separated by a blank space. To list the attributes in stanza format, use the -F flag. To list the attributes as colon-separated records, use the -C flag.

Flags

Item Description
-a List Lists the attributes to display. The List variable requires a blank space between attributes to list multiple attributes. If you specify an empty list, only the object names are displayed. The attributes that can be listed in the List variable are dependent on which one of the -c, -d, and -p flags is specified. For a list of the valid attribute names for each flag, see the setsecattr command.
-A Display the list of authorizations used by a specified process. This flag can only be used with the –p flag.
-c The Name parameter specifies the full paths to one or more commands on the system that have entries in the /etc/security/privcmds privileged command database.
-C Displays the privileged security attributes in colon-separated records as follows:
#name:attribute1:attribute2: ...
name:value1:value2: ...
name:value1:value2: ...
The output is preceded by a comment line that has details about the attribute represented in each colon-separated field. If the -a flag is specified, the order of the attributes matches the order specified in the -a flag. If an object does not have a value for a given attribute, the field is still output but is empty. The last field in each entry is terminated by a newline character rather than a colon.
-d The Name parameter specifies the full paths to one or more devices on the system that have entries in the /etc/security/privdevs privileged device database.
-f The Name parameter specifies the full paths to one or more files on the system that have entries in the /etc/security/privfiles privileged files database.
-F Displays the output in stanza format, with each stanza identified by an object name. Each pair of Attribute=Value is listed on a separate line:
Name:       
       attribute1=value       
       attribute2=value        
       attribute3=value
-h Displays the full hierarchy of privileges for the process. By default, only the highest level of privilege is listed.
-o The Name parameter specifies one of the following entries in the /etc/security/domobjs domain-assigned object database.
  • the full paths to one or more devices/files on the system
  • the port or port ranges prefixed with TCP_ or UDP_
  • the network interfaces
-p The Name parameter specifies the numeric process identifiers (PID) of one or more active processes on the system.
-R load_module Specifies the loadable module to query the Name entry from.

Parameters

Item Description
ALL For all commands, devices or processes.
Name The object to modify. The Name parameter is interpreted according to which one of the -c, -d, -p, and -o flags is specified.

Security

The lssecattr command is a privileged command. It is owned by the root user and the security group, with mode set to 755. You must assume a role with at least one of the following authorizations to run the command successfully.

Item Description
aix.security.cmd.list Required to list the attributes of a command with the -c flag.
aix.security.device.list Required to list the attributes of a device with the -d flag.
aix.security.file.list Required to list the attributes of a file with the -f flag.
aix.security.proc.list Required to list the attributes of a process with the -p flag.
aix.security.dobject.list Required to list the attributes of a domain-assigned object with the -o flag.

File Accessed

Item Description
File Mode
/etc/security/privcmds r
/etc/security/privdevs r
/etc/security/privfiles r
/etc/security/domobjs r

Examples

  1. To display the access authorization and the innate privileges of the /usr/sbin/mount command, enter:
    lssecattr -c -a accessauths innateprivs /usr/sbin/mount
  2. To display all the security attributes of the /dev/mydev device, enter:
    lssecattr -d /dev/mydev
  3. To display all the security attributes of the /dev/mydev device in LDAP, enter:
    lssecattr -R LDAP -d /dev/mydev
  4. To display the privileges for the effective and used privilege sets of two processes in a colon format, enter:
    lssecattr -p -C -a eprivs uprivs 38483,57382
  5. To display the read authorization list of the /etc/security/user file, enter:
    lssecattr -f -a readauths /etc/security/user
  6. To display the used authorizations for a process in a stanza format, enter:
    lssecattr –F –p –A 34890
  7. To display all the domain attributes of the /dev/dev1 device, enter:
    lssecattr -o /dev/dev1
  8. To display all the domain attributes of the network interface en0 device, enter:
    lssecattr -o en0