/etc/security/privcmds File

Purpose

Contains security attributes for privileged commands.

Description

The /etc/security/privcmds file is an ASCII stanza file that contains privileged commands and their security attributes. Each stanza in the /etc/security/privcmds file is identified by the full path name to the command, followed by a colon (:). Each stanza contains attributes in the Attribute=Value form. The path name must be the absolute path to the command and cannot contain symbolic link directories or be a symbolic link to the command. Each Attribute=Value pair is ended by a newline character, and each stanza is ended by an additional newline character. For an example of a stanza, see Examples.

Changes made to the privcmds file do not impact security considerations until the entire privileged command database is sent to the Kernel Security Tables through the setkst command or until the system is rebooted.

Modifying and Listing Entries in the privcmds File

Do not directly edit the /etc/security/privcmds file. Use the following commands and subroutines to manipulate the privileged commands database:
setsecattr
Adds a command entry to, or changes a command entry in, the /etc/security/privcmds file.
lssecattr
Displays attributes and their values.
rmsecattr
Removes a command from the privcmds file.
To write programs that affect entries in the /etc/security/privcmds file, use one or more of the following subroutines:
  • getcmdattr
  • getcmdattrs
  • putcmdattr
  • putcmdattrs

Attributes

A stanza in this file contains one or more of the following security attributes:

Item Description
accessauths

Specifies the access authorizations as a comma-separated list of authorization names. A user whose current session has one of the authorizations in the list is allowed to run the command. You can specify a maximum of 16 authorizations.

This attribute also allows three special values:
ALLOW_OWNER
Allows the Role Based Access Control (RBAC) framework to be used for the command owner. If the accessauths attribute is specified, when the command owner runs the command, the RBAC framework governs the privileges assigned to the process. If the accessauths attribute is not specified or the user running the command does not have an authorization in the accessauths attribute, DAC controls the execution and the RBAC framework grants no additional privileges.
ALLOW_GROUP
Allows the RBAC framework to be used for the group. If the accessauths attribute is specified, when the group runs the command, the RBAC framework governs the privileges assigned to the process. If the accessauths attribute is not specified or the user running the command does not have an authorization in the accessauths attribute, DAC controls the execution and the RBAC framework grants no additional privileges.
ALLOW_ALL
Allows the RBAC framework to be used for everyone. If the accessauths attribute is specified, when anyone runs the command, the RBAC framework governs the privileges assigned to the process. If the accessauths attribute is not specified or the user running the command does not have an authorization in the accessauths attribute, DAC controls the execution and the RBAC framework grants no additional privileges.
authprivs Specifies the authorized privileges that are assigned to the process on a specific authorization basis. The user running the command must gain access to the command through the accessauths attribute to enable the authprivs attribute. For each authorization in the list that is processed, the associated set of privileges is granted. The maximum number of authorization and privileges pairs is 16. The authorization and its corresponding privileges are separated by an equal sign (=), individual privileges are separated by a plus sign (+), and the authorization and privileges pairs are separated by a comma, as shown in the following line:

auth=priv+priv...,auth=priv+priv...,...

This attribute also supports three special authorization values: ALLOW_OWNER, ALLOW_GROUP, and ALLOW_ALL, to specify the additional privileges granted to the command owner, group or everyone, respectively.
authroles The role or list of roles. Users having these have to be authenticated to allow execution of the command. A maximum of sixteen roles can be specified.
innateprivs Specifies the file name of the message catalog that contains the one-line description of the authorization. The value is a character string.
msgset Specifies a comma-separated list of privileges assigned to the process during the running of the command. The specified privileges are assigned to the process only if the command invocation is authorized through the access authorizations.
inheritprivs Specifies a comma-separated list of privileges that is passed to child processes.
euid Specifies the effective user ID to assume during the running of the command.
egid Specifies the effective group ID to assume during the running of the command.
ruid Specifies the real user ID to assume during the running of the command.
secflags Specifies a comma-separated list of file security flags. The following value is valid:
FSF_EPS
Loads the process maximum privilege set into the effective privilege set upon execution.

Security

The root user and the security group own this file. Read and write access is granted to the root user. Access for other users and groups depends on the security policy for the system.

Examples

The following example for a Command displays a typical stanza in the file:
/usr/bin/myprog:
        accessauths = aix.security.user.create,aix.security.user.change
        authprivs = aix.ras.audit=PV_AU_ADMIN
        innateprivs = PV_DAC_R,PV_DAC_W
        secflags = FSF_EPS
This entry indicates that the user running this command must be in a role session that has one of the authorizations listed in the accessauths attribute to run the command. If this condition is true, the privileges listed in the innateprivs attribute are granted to the resulting process. Also, if the user running this command has one of the privileged authorizations listed in the authprivs attribute, the process is granted the additional associated privileges.