HP-UX RBAC Configuration problem

novi24 — Thu, 21 Dec 2006 09:48:03 GMT

HI all ,
I've need some help ( sorry in addvance for the long post ,but i think that will help more clear the question )

I’ve got the following problem configuring RBAC . I made a script /tmp/test1 with /usr/bin/pwd command in it . Using RBAC command I made a role ScriptsOperator , assigned the role to user3 , added authorization custom.script , used the cmdprivadm to add file /tmp/test1 to /etc/rbac/cmd_priv and finally when I tried to execute the script with the command :
privrun -v /tmp/test1 it sais execution of command failed

Here are the results from my terminal

root@saruman:/tmp# ll /tmp/test1
-rwxrwxrwx 1 root sys 4 Dec 21 15:37 /tmp/test1
root@saruman:/tmp#
root@saruman:/tmp# more /tmp/test1
/usr/bin/pwd
root@saruman:/tmp#
root@saruman:/tmp# roleadm list
root:Administrator
user1:FileSystemOperator
user2:MailOperator
user3:ScriptsOperator
root@saruman:/tmp#
root@saruman:/tmp# authadm list
Administrator: (hpux.*, *)
MailOperator: (hpux.network.service.stop, *) (hpux.network.service.start, *)
FileSystemOperator: (hpux.fs.unmount, *) (hpux.fs.mount, *)
ScriptsOperator: (custom.script, *)
root@saruman:/tmp#
root@saruman:/tmp#

I added the authorization with :
root@saruman:/tmp# cmdprivadm add file=/tmp/test1 op=custom.script object='*' ruid=0 euid=0 rgid=0 egid=0 flags=edit
/tmp/test1::(custom.script,*):0/0/0/0::::edit
cmdprivadm added the entry to /etc/rbac/cmd_priv

root@saruman:/tmp# su user3
root@saruman:/tmp# whoami
user3
root@saruman:/tmp#
root@saruman:/tmp# /tmp/test1
/tmp

root@saruman:/tmp# privrun -v /tmp/test1
privrun: user user3 intends to execute command /tmp/test1
privrun: input entry: '/tmp/test1:dflt:(,):///:dflt:dflt::'
privrun: found matching entry: '/tmp/test1:dflt:(custom.script,*):0/0/0/0:dflt:dflt::edit'
privrun: passed authorization check

privrun: attempting to set ruid/euid/rgid/egid to 0/0/0/0
privrun: current settings for ruid/euid/rgid/egid are 0/0/0/0
privrun: executing: /tmp/test1
privrun: execution of command failed

Re: HP-UX RBAC Configuration problem

Ivan Krastev — Thu, 21 Dec 2006 10:07:49 GMT

Instead of "cmdprivadm add file=/tmp/test1 "

use :

cmdprivadm add cmd=/tmp/test1

regards,
ivan

Re: HP-UX RBAC Configuration problem

novi24 — Thu, 21 Dec 2006 10:32:12 GMT

Hi made it but the result is the same

root@saruman:/tmp# cmdprivadm add cmd=/tmp/test1 op=custom.script object='*' ruid=0 euid=0 rgid=0 egid=0 flags=edit
/tmp/test1::(custom.script,*):0/0/0/0::::edit
cmdprivadm added the entry to /etc/rbac/cmd_priv
root@saruman:/tmp#
root@saruman:/tmp#
root@saruman:/tmp# rbacdbchk
root@saruman:/tmp# roleadm list
root:Administrator
user1:FileSystemOperator
user2:MailOperator
user3:ScriptsOperator
root@saruman:/tmp#
root@saruman:/tmp#
root@saruman:/tmp# authadm list
Administrator: (hpux.*, *)
MailOperator: (hpux.network.service.stop, *) (hpux.network.service.start, *)
FileSystemOperator: (hpux.fs.unmount, *) (hpux.fs.mount, *)
ScriptsOperator: (custom.script, *)
root@saruman:/tmp#
root@saruman:/tmp#
root@saruman:/tmp# su user3
root@saruman:/tmp# more test1
/usr/bin/pwd
root@saruman:/tmp# /tmp/test1
/tmp
root@saruman:/tmp# privrun -v /tmp/test1
privrun: user user3 intends to execute command /tmp/test1
privrun: input entry: '/tmp/test1:dflt:(,):///:dflt:dflt::'
privrun: found matching entry: '/tmp/test1:dflt:(custom.script,*):0/0/0/0:dflt:dflt::edit'
privrun: passed authorization check

privrun: attempting to set ruid/euid/rgid/egid to 0/0/0/0
privrun: current settings for ruid/euid/rgid/egid are 0/0/0/0
privrun: executing: /tmp/test1
privrun: execution of command failed

Re: HP-UX RBAC Configuration problem

Ivan Krastev — Thu, 21 Dec 2006 10:38:09 GMT

Specify the -v option multiple times for additional levels of verbose output.

ivan

Re: HP-UX RBAC Configuration problem

novi24 — Thu, 21 Dec 2006 11:14:55 GMT

Hi ,

root@saruman:/tmp# privrun -v -v /tmp/test1
privrun: user user3 intends to execute command /tmp/test1
privrun: input entry: '/tmp/test1:dflt:(,):///:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/setboot:dflt:(hpux.admin.boot.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/mkboot:dflt:(hpux.admin.boot.make,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/rmboot:dflt:(hpux.admin.boot.remove,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/kcalarm:dflt:(hpux.admin.kernel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/kconfig:dflt:(hpux.admin.kernel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/kcmodule:dflt:(hpux.admin.kernel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/kctune:dflt:(hpux.admin.kernel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/mk_kernel:dflt:(hpux.admin.kernel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/savecrash:dflt:(hpux.admin.kernel.crash.save,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/crashconf:dflt:(hpux.admin.kernel.crash.set,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/krs_flush:dflt:(hpux.admin.kernel.flushreg,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/killall:dflt:(hpux.admin.kernel.killproc,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/bin/kill:dflt:(hpux.admin.kernel.killproc,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/kl:dflt:(hpux.admin.kernel.logging,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/dmesg:dflt:(hpux.admin.log.read,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/catman:dflt:(hpux.admin.manuals.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/fixman:dflt:(hpux.admin.manuals.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/killall:dflt:(hpux.admin.process.kill,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/renice:dflt:(hpux.admin.process.nice,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/psrset:dflt:(hpux.admin.pset.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/reboot:dflt:(hpux.admin.reboot,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ioinit:dflt:(hpux.admin.runlevel.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init:dflt:(hpux.admin.runlevel.set,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/ch_rc:dflt:(hpux.admin.service.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/auditing:start:(hpux.admin.service.start,auditing):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/cron:start:(hpux.admin.service.start,cron):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/envd:start:(hpux.admin.service.start,envd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/hub:start:(hpux.admin.service.start,hub):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/kl:start:(hpux.admin.service.start,kl):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/lp:start:(hpux.admin.service.start,lp):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/ptydaemon:start:(hpux.admin.service.start,ptydaemon):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/pwgr:start:(hpux.admin.service.start,pwgr):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/swagentd:start:(hpux.admin.service.start,swagentd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/syncer:start:(hpux.admin.service.start,syncer):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/syslogd:start:(hpux.admin.service.start,syslogd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/utmpd:start:(hpux.admin.service.start,utmpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/auditing:stop:(hpux.admin.service.stop,auditing):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/cron:stop:(hpux.admin.service.stop,cron):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/envd:stop:(hpux.admin.service.stop,envd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/hub:stop:(hpux.admin.service.stop,hub):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/kl:stop:(hpux.admin.service.stop,kl):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/lp:stop:(hpux.admin.service.stop,lp):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/ptydaemon:stop:(hpux.admin.service.stop,ptydaemon):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/pwgr:stop:(hpux.admin.service.stop,pwgr):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/swagentd:stop:(hpux.admin.service.stop,swagentd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/syncer:stop:(hpux.admin.service.stop,syncer):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/syslogd:stop:(hpux.admin.service.stop,syslogd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/utmpd:stop:(hpux.admin.service.stop,utmpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/set_parms:date_time:(hpux.admin.setdate,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/set_parms:timezone:(hpux.admin.setdate,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/date:dflt:(hpux.admin.setdate,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/ntpdate:dflt:(hpux.admin.setdate,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/setuname:dflt:(hpux.admin.setuname,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/swagentd:dflt:(hpux.admin.software.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/insf:dflt:(hpux.device.install,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/mkboot:dflt:(hpux.device.mkboot,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ioscan:dflt:(hpux.device.read,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/rmsf:dflt:(hpux.device.remove,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/scsictl:dflt:(hpux.device.scsi.control,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/backup:dflt:(hpux.fs.backup,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/fbackup:dflt:(hpux.fs.backup,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/tunefs:dflt:(hpux.fs.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/fsclean:dflt:(hpux.fs.getinfo,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/fstyp:dflt:(hpux.fs.getinfo,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/dumpfs:dflt:(hpux.fs.getinfo,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/mountall:dflt:(hpux.fs.mount,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/automount:dflt:(hpux.fs.mount,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/idisk:dflt:(hpux.fs.partition.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/frecover:dflt:(hpux.fs.recover,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/frecover:dflt:(hpux.fs.restore,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/convertfs:dflt:(hpux.fs.specialop,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/umount:dflt:(hpux.fs.unmount,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/umountall:dflt:(hpux.fs.unmount,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/set_parms:addl_netwrk:(hpux.network.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/set_parms:ip_address:(hpux.network.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/ifconfig:dflt:(hpux.network.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/lanadmin:dflt:(hpux.network.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/route:dflt:(hpux.network.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ipnat:dflt:(hpux.network.filter.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ipf:dflt:(hpux.network.filter.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ipfs:dflt:(hpux.network.filter.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/exportfs:dflt:(hpux.network.nfs.export,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/gdc:dflt:(hpux.network.service.config,gated):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/bootpd:dflt:(hpux.network.service.start,bootpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/dhcpclient:dflt:(hpux.network.service.start,dhcpclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/dtlogin.rc:start:(hpux.network.service.start,dtlogin):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/fingerd:dflt:(hpux.network.service.start,fingerd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/gated:start:(hpux.network.service.start,gated):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/identd:dflt:(hpux.network.service.start,identd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/inetd:start:(hpux.network.service.start,inetd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/mrouted:start:(hpux.network.service.start,mrouted):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/named:start:(hpux.network.service.start,named):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nettl:start:(hpux.network.service.start,nettl):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.client:start:(hpux.network.service.start,nfsclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.core:start:(hpux.network.service.start,nfscore):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.server:start:(hpux.network.service.start,nfsserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nis.client:start:(hpux.network.service.start,nisclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nisplus.client:start:(hpux.network.service.start,nisplusclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nisplus.server:start:(hpux.network.service.start,nisplusserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nis.server:start:(hpux.network.service.start,nisserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/ntalkd:dflt:(hpux.network.service.start,ntalkd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rarpd:start:(hpux.network.service.start,rarpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rdpd:start:(hpux.network.service.start,rdpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rwhod:start:(hpux.network.service.start,rwhod):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/sendmail:start:(hpux.network.service.start,sendmail):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/tcpd:dflt:(hpux.network.service.start,tcpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/tftpd:dflt:(hpux.network.service.start,tftpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/xfs:start:(hpux.network.service.start,xfs):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/xntpd:start:(hpux.network.service.start,xntpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/dtlogin.rc:stop:(hpux.network.service.stop,dtlogin):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/gated:stop:(hpux.network.service.stop,gated):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/inetd:stop:(hpux.network.service.stop,inetd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/mrouted:stop:(hpux.network.service.stop,mrouted):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/named:stop:(hpux.network.service.stop,named):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nettl:stop:(hpux.network.service.stop,nettl):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.client:stop:(hpux.network.service.stop,nfsclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.core:stop:(hpux.network.service.stop,nfscore):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nfs.server:stop:(hpux.network.service.stop,nfsserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nis.client:stop:(hpux.network.service.stop,nisclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nisplus.client:stop:(hpux.network.service.stop,nisplusclient):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nisplus.server:stop:(hpux.network.service.stop,nisplusserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/nis.server:stop:(hpux.network.service.stop,nisserver):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rarpd:stop:(hpux.network.service.stop,rarpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rdpd:stop:(hpux.network.service.stop,rdpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/rwhod:stop:(hpux.network.service.stop,rwhod):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/sendmail:stop:(hpux.network.service.stop,sendmail):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/xfs:stop:(hpux.network.service.stop,xfs):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/init.d/xntpd:stop:(hpux.network.service.stop,xntpd):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/set_parms:hostname:(hpux.network.sethostname,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/uname:dflt:(hpux.network.sethostname,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/nettl:dflt:(hpux.network.trace.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/nettlconf:dflt:(hpux.network.trace.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/nettl:-start:(hpux.network.trace.start,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/nettl:-stop:(hpux.network.trace.stop,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/audomon:dflt:(hpux.security.audit.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/audsys:dflt:(hpux.security.audit.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/audevent:dflt:(hpux.security.audit.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/audusr:dflt:(hpux.security.audit.config,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/audisp:dflt:(hpux.security.audit.read,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/pwck:dflt:(hpux.security.check,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/pwconv:dflt:(hpux.security.shadow.convert,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/pwunconv:dflt:(hpux.security.shadow.unconvert,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/ttsyncd:dflt:(hpux.security.trusted.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/authck:dflt:(hpux.security.trusted.check,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/tsconvert:dflt:(hpux.security.trusted.convert,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/getprdef:dflt:(hpux.security.trusted.get,prdef):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/getprdev:dflt:(hpux.security.trusted.get,prdev):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/getprpw:dflt:(hpux.security.trusted.get,prpw):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/getprterm:dflt:(hpux.security.trusted.get,prterm):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/modprdef:dflt:(hpux.security.trusted.modify,prdef):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/modprdev:dflt:(hpux.security.trusted.modify,prdev):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/modprpw:dflt:(hpux.security.trusted.modify,prpw):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/lbin/modprterm:dflt:(hpux.security.trusted.modify,prterm):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/pwgrd:dflt:(hpux.user.cache.admin,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/usr/sbin/groupdel:dflt:(hpux.user.group.delete,*):0/0//:dflt:dflt::'
privrun: non-matching entry: '/sbin/mount:dflt:(hpux.fs.mount,*):0/0//:dflt:dflt::'
privrun: found matching entry: '/tmp/test1:dflt:(custom.script,*):0/0/0/0:dflt:dflt::edit'
privrun: passed authorization check

privrun: attempting to set ruid/euid/rgid/egid to 0/0/0/0
privrun: current settings for ruid/euid/rgid/egid are 0/0/0/0
privrun: executing: /tmp/test1
privrun: execution of command failed
root@saruman:/tmp#

As you see - privrun : passed authorization check

the problem is when it try to execute the script

Regards,

Re: HP-UX RBAC Configuration problem

Ron Luman_1 — Wed, 03 Jan 2007 18:19:38 GMT

Hi,

I think your issue here is that the 'script' doesn't include an interpretor, e.g. something like '#!/usr/bin/ksh' on the first line. Just generally, this is required, otherwise you don't really have a script, just an text file with the executable bit set.

This isn't a privrun specific thing, and will happen with any exec'ing application that doesn't have additional logic to assume an interpretor. (What happens is that ksh is 'lax', and will automagically run a 'script' without an explicit interpretor. Not all shells do this, so in general, it's a bad idea.)

Cheers,

--Ron

Re: HP-UX RBAC Configuration problem

Shah Sahib — Thu, 15 Nov 2007 09:17:39 GMT

hey assign points ah

topic Re: HP-UX RBAC Configuration problem in Operating System - HP-UX

HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem

Re: HP-UX RBAC Configuration problem