setfilexsec man page on HP-UX


setfilexsec(1M)						       setfilexsec(1M)

NAME
       setfilexsec - set extended security attributes on a binary file

SYNOPSIS
       filename

       absolutepath

       [compartmentname] [flags] [privs] [privs] [privs] [privs] filename

DESCRIPTION
       The setfilexsec command sets various extended security attributes  of
       binary  files.   The  attributes  currently include retained privileges,
       permitted privileges, compartment, and the privilege start  flag.   See
       privileges(5)  and  execve(2) for a description of these attributes.  The
       attributes are stored in a configuration file and loaded again when  the
       system reboots, so they persist across reboots.

   Options
       The command recognizes the following options:

	      Sets the compartment name for the binary executable file.

	      Deletes any security information for the file from the  configu‐
	      ration file and the kernel.

	      Deletes any security information for the file given by
		   absolutepath from the configuration	file  only.   This  is
		   used to clear attributes of a deleted file.

	      Sets the security attribute flags.
		   The only defined flag is the privilege start flag.

		   The privilege_start flag takes one of two  values.	With  the
		   first value, when the binary is executed the process' effec‐
		   tive	 privileges  are  set  to the newly computed permitted
		   privilege set.  With the value start_nil, when the binary is
		   executed the process' effective privileges are  set	to  the
		   empty  set (no privileges).	If this option is not specified
		   and the privilege start flag is not  already	 set  for  the
		   binary file, a default value is applied.

	      Adds or changes the minimum permitted privileges.
		   This must be a subset of the maximum permitted privileges.

	      Adds or changes the maximum permitted privileges.
		   This	 must be equal to or a superset of the minimum permit‐
		   ted privileges, minimum retained  privileges,  and  maximum
		   retained privileges.

	      Adds or changes the minimum retained privileges.
		   This must be a subset of the maximum retained privileges as
		   well as minimum permitted privileges.

	      Adds or changes the maximum retained privileges.
		   This must be equal to or a superset of the minimum retained
		   privileges.	 This set must also be a subset of the maximum
		   permitted privileges.

       For the third form of the command, if any of the options are not speci‐
       fied, setfilexsec takes the following action:

	      ·	 If  the  binary's  extended  attributes  are already set (for
		 example, through a previous invocation of the	command),  the
		 previous value for the option is used.

	      ·	 If the binary's extended attributes are not set, they default
		 to null (i.e., empty sets for privileges and empty value  for
		 compartment).
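	      The subset rules the option descriptions above impose on the four
	      privilege sets, together with the "unspecified option keeps the
	      previous value, otherwise null" rule, modelled in Python.	This is
	      an added illustration, not HP-UX or setfilexsec code; the
	      FileXsec class, merge() and violations() are hypothetical names,
	      and the privilege names are taken from Example 1 below.

```python
from dataclasses import dataclass, replace


def parse_privs(privs: str) -> frozenset[str]:
    """Parse a comma-separated privilege list such as 'cmptread,cmptwrite'.

    Only plain privilege names are modelled here; the special set names and
    the '!' negation syntax handled by priv_str_to_set(3) are not reproduced."""
    return frozenset(p.strip().lower() for p in privs.split(",") if p.strip())


@dataclass(frozen=True)
class FileXsec:
    """Extended security attributes of one binary (hypothetical model).

    A brand-new entry defaults to null: empty privilege sets, empty compartment."""
    min_permitted: frozenset[str] = frozenset()
    max_permitted: frozenset[str] = frozenset()
    min_retained: frozenset[str] = frozenset()
    max_retained: frozenset[str] = frozenset()
    compartment: str = ""


def merge(existing, **given) -> FileXsec:
    """Third-form rule: an option that is given replaces the stored value;
    an option that is omitted keeps the previous value, or stays null for a
    binary that has no entry yet (existing is None)."""
    base = existing if existing is not None else FileXsec()
    return replace(base, **given)


def violations(a: FileXsec) -> list[str]:
    """Return the consistency rules from the option descriptions that 'a' breaks.

    'max permitted is a superset of min retained' follows from the second and
    fourth rules and is therefore not checked separately."""
    rules = [
        (a.min_permitted <= a.max_permitted,
         "minimum permitted must be a subset of maximum permitted"),
        (a.min_retained <= a.max_retained,
         "minimum retained must be a subset of maximum retained"),
        (a.min_retained <= a.min_permitted,
         "minimum retained must be a subset of minimum permitted"),
        (a.max_retained <= a.max_permitted,
         "maximum retained must be a subset of maximum permitted"),
    ]
    return [msg for ok, msg in rules if not ok]
```

	      A second call that supplies only one privilege set is checked
	      against the sets kept from the first call, which is why an entry
	      that was consistent can become inconsistent after a partial update.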

   Option Arguments
	      privs  A list of privileges separated by commas.  See the descrip‐
	      tion of the priv_list argument in priv_str_to_set(3).

	      compartmentname
		     This must be a valid compartment  on  the	system	or  an
		     empty  string  ("").   If	it is an empty string, the com‐
		     partment part of the security attributes is cleared.

   Operands
       The command recognizes the following operands:

	      filename	   A binary executable.	 Extended  attributes  set  on
			   executable scripts are ignored by the kernel.

   Security Restrictions
       The caller must have the following authorization:

	      —or—

RETURN VALUE
       The command returns the following values:

	      Successful completion.
		   The security attributes are updated successfully.

	      An error occurs.
		   An  error  can  be  caused by an invalid option, an invalid
		   argument, or insufficient permissions for the user to  per‐
		   form the operation.

EXAMPLES
       Example	1:  Add	 a security attribute entry for the binary executable
       for the first time:

		      setfilexsec -r cmptread \
			      -R policy,!changecmpt -p cmptread,cmptwrite \
			      -P policy -f start_nil -c web /web/java

	      The command has the following effect:

	      When a process performs an exec(2) of the binary, the  process's
	      attributes are modified as follows:

	    ·  The retained privilege set includes at least and

	    ·  The retained privilege set does not include

	    ·  The permitted privilege set includes at least

	    ·  The  permitted  privilege  set is equal to the policy privilege
	       set (depends on the inheritable set before the

	    ·  The process changes its compartment to

	    ·  Since the process is privilege-aware, the  effective  privilege
	       set  is	empty (and the application may raise the privileges in
	       the permitted privilege set at run time).

       Example 2: Modify the minimum retained privilege set and flags for  the
       same binary:

	      Because  the  flag  is specified, the effective privilege set is
	      equal to the permitted privilege set (the application presumably
	      does not manipulate the privileges at run time).

       Example 3: Delete all extended security attributes for the same binary:

WARNINGS
       If  a binary file that has extended security attributes set is modified
       or replaced, the attributes are no longer applied for  that  file,  but
       are  still  present in system tables.  On reboot, the system detects that
       the file contents have changed using a simple checksum mechanism.  Upon
       detecting  such	a scenario, the attributes of the file are ignored and
       an error message is issued for the file entry.  For proper  operation,
       when  a	file  is  modified, run setfilexsec to remove the extended
       attributes instead of relying on the checksum mechanism.

       When replacing a binary, in order  to  retain  the  privileges  on  the
       binary,	run  setfilexsec  first to remove the prior privilege attri‐
       butes, replace the binary, and then run setfilexsec again to re-assign
       the attributes.
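       The checksum safeguard described above, and why the remove / replace /
       re-assign sequence matters, modelled in Python.	This is an added
       illustration, not HP-UX code: the XsecStore class and the in-memory
       dictionary standing in for the filesystem are constructed for the
       example, and SHA-256 is used only as a stand-in for whatever checksum
       the system actually keeps.

```python
import hashlib


def checksum(content: bytes) -> str:
    """Content hash recorded with an entry (SHA-256 chosen for the model only)."""
    return hashlib.sha256(content).hexdigest()


class XsecStore:
    """Persistent attribute table: path -> (attributes, checksum when they were set)."""

    def __init__(self):
        self.entries = {}

    def set_attrs(self, path: str, attrs: dict, files: dict) -> None:
        # 'files' is the constructed stand-in for the filesystem: path -> bytes.
        self.entries[path] = (attrs, checksum(files[path]))

    def delete(self, path: str) -> None:
        self.entries.pop(path, None)

    def load(self, files: dict):
        """Reboot-time load: activate entries whose file still matches the
        recorded checksum; ignore the rest and report an error for each."""
        active, errors = {}, []
        for path, (attrs, recorded) in self.entries.items():
            if path in files and checksum(files[path]) == recorded:
                active[path] = attrs
            else:
                errors.append(f"{path}: contents changed since attributes "
                              "were set; entry ignored")
        return active, errors


def replace_binary_unsafe(files: dict, path: str, new_content: bytes) -> None:
    """Overwrite the binary without touching the store: the stale entry stays
    in the table and is dropped with an error at the next load."""
    files[path] = new_content


def replace_binary_safe(store: XsecStore, files: dict, path: str,
                        new_content: bytes, attrs: dict) -> None:
    """The sequence the WARNINGS section recommends."""
    store.delete(path)                   # 1. remove the prior attributes
    files[path] = new_content            # 2. replace the binary
    store.set_attrs(path, attrs, files)  # 3. re-assign against the new contents
```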

       Note that the NFS protocol has not been extended to  support  extended
       security	 attributes.  Hence NFS-mounted binaries should not be config‐
       ured with any extended security attributes.

SEE ALSO
       getfilexsec(1M), exec(2), priv_str_to_set(3), privileges(5).
