RBAC Implementation


Hi Friends,


I am facing an issue while implementing RBAC; please find the error below.


$ privrun /usr/sbin/useradd new_user
privrun: authorization check failed


Is there a permission issue? Do we need to provide the rbac dir?


Please help to resolve.






You should deserve before U desire!!!!

Re: RBAC Implementation

Does the user you are running the command as have the correct authorization?


1st check what roles the user has:


# roleadm list user=foo


Then check what authorizations those roles have:


# authadm list role=userAdmins
userAdmins: (hpux.user.add, *)


To run the useradd command (via privrun) the user must have the hpux.user.add authorization AND you must uncomment the useradd entry in the /etc/rbac/cmd_priv file:


# grep useradd /etc/rbac/cmd_priv
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :


The reason this is commented out is that if you allow a user to run useradd, they can create a user with a uidnumber of 0, and they now have a root account on the system.


In the cmd_priv file:


# The following entries are known to be equivalent to granting
# unconstrained root. Specifically, the commands may be used
# to obtain an account with uid=0.
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
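
The check described in the reply above, as an added example that is not part of the original thread: it reports whether an exact command path has an active, commented-out or missing entry in a cmd_priv-style file, and lists active entries that run with uid 0. The field layout is assumed from the entry quoted in the thread; the sample file, `example_tool` and `example.tool.run` are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout, taken from the entry quoted in the thread:
#   command :args :(operation,object) :ruid/euid/rgid/egid :cmpt :privs :pam :flags

# cmd_priv_status FILE COMMAND
# Prints "active <authorization> <ids>", "commented <authorization> <ids>" or "missing".
cmd_priv_status() {
    awk -v cmd="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            line = $0
            state = "active"
            if (line ~ /^[ \t]*#/) { state = "commented"; sub(/^[ \t]*#[ \t]*/, "", line) }
            n = split(line, f, ":")
            if (n < 4 || trim(f[1]) != cmd) next   # prose comments and other commands
            found[state] = trim(f[3]) " " trim(f[4])
        }
        END {
            if ("active" in found) print "active", found["active"]
            else if ("commented" in found) print "commented", found["commented"]
            else print "missing"
        }' "$1"
}

# active_uid0_commands FILE
# Lists uncommented entries whose ruid or euid is 0 (candidates for review).
active_uid0_commands() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        {
            split($4, id, "/")
            gsub(/[ \t]/, "", id[1]); gsub(/[ \t]/, "", id[2])
            if (id[1] == "0" || id[2] == "0") { gsub(/[ \t]/, "", $1); print $1 }
        }' "$1"
}

# Constructed sample, not a real system's file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# The following entries are known to be equivalent to granting
# unconstrained root.
#/usr/sbin/useradd :dflt :(hpux.user.add,*) :0/0// :dflt :dflt :dflt :
/usr/sbin/example_tool :dflt :(example.tool.run,*) :0/0// :dflt :dflt :dflt :
EOF
cmd_priv_status "$sample" /usr/sbin/useradd   # entry exists but is commented out
cmd_priv_status "$sample" /usr/bin/useradd    # different path: no entry at all
active_uid0_commands "$sample"
```

On a real system the first argument would be /etc/rbac/cmd_priv, the file named in the reply.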





Re: RBAC Implementation

Use the correct path, that's sbin instead of bin. Problem resolved.

You should deserve before U desire!!!!