Trusted Solaris Administrator's Procedures

To Write a Standard Shell Script that Runs Privileged Commands


Note -

You can create a standard shell script that runs its commands with privileges by adding the script to a rights profile and assigning the script all the privileges that its commands need. The script then inherits those privileges when it is invoked from a profile shell by an account that has been assigned a rights profile containing the script.


  1. Start the script with any standard shell (not a profile shell) on the first line.


    #!/bin/csh
  2. In the PrivDebug or the Security Administrator role, determine which privileges are needed by which commands in the script.

    See "To Find Out Which Privileges a Program Needs", if needed. The example script, called autosetpriv, lets the Security Administrator assign a defined set of forced and allowed privileges to a file called executable. The setfpriv command in this script needs the file_setpriv privilege.


    Note -

    This shell script is just an example. A production shell script would accept the privilege lists and the file name as arguments and check them for errors before passing them to a command that runs with privilege.



    #!/bin/csh
    # Assign the forced (-f) and allowed (-a) privilege sets to the file executable.
    # The backslash continues the single setfpriv command onto the next line.
    setfpriv -s -f ipc_mac_write,proc_setsl,sys_trans_label \
        -a ipc_mac_write,proc_setsl,sys_trans_label executable
  3. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  4. Use the Rights tool to update an appropriate rights profile so that it lists the script and each command within the script that needs privileges, and assigns the required privileges to those commands. Because the script runs with the privileges assigned in the profile, make sure the script file itself cannot be modified by anyone other than the administrator who maintains it.

    See "Adding or Modifying a Rights Profile", if needed.

    To enable the script called autosetpriv to run with the file_setpriv privilege needed by the setfpriv command, the Security Administrator role would use the Rights tool to update the Custom Secadmin Role profile (which is assigned to the Security Administrator role by default) to include the autosetpriv script and to assign the file_setpriv privilege to autosetpriv.

  5. Test, debug, and run the shell script in the profile shell.


    $ autosetpriv
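The note in step 2 says a real script would take the privileges and the file name as arguments and do error checking. The following autosetpriv is an added example of that, written here in Bourne shell (step 1 allows any standard shell) and not taken from the Trusted Solaris documentation. It assumes the setfpriv invocation form shown on this page (setfpriv -s -f forced -a allowed file), an assumed setfpriv path of /usr/bin/setfpriv that can be overridden through the SETFPRIV variable, privilege names made of lowercase letters, digits and underscores, and the Trusted Solaris rule that the forced set must be a subset of the allowed set. Like the original, it still needs to be listed in a rights profile with file_setpriv before setfpriv will succeed.

```shell
#!/bin/sh
# autosetpriv (illustrative): assign forced and allowed privilege sets to a
# file after checking the arguments, instead of hard-coding them.
#   usage: autosetpriv forced_privs allowed_privs file
#   e.g.   autosetpriv ipc_mac_write,proc_setsl ipc_mac_write,proc_setsl,sys_trans_label executable
# Assumed location of setfpriv; override with SETFPRIV=... for dry runs.
SETFPRIV=${SETFPRIV:-/usr/bin/setfpriv}

# Accept only a comma-separated list of privilege names made of lowercase
# letters, digits and underscores (file_setpriv, ipc_mac_write, ...).
# Anything else, including spaces and shell metacharacters, is rejected so
# that nothing unexpected is handed to a command running with privilege.
valid_priv_list() {
    case "$1" in
        '')              return 1 ;;   # empty list
        *[!a-z0-9_,]*)   return 1 ;;   # illegal character
        ,* | *, | *,,*)  return 1 ;;   # empty item
    esac
    return 0
}

# Trusted Solaris requires the forced set to be a subset of the allowed set
# (assumed here); return 1 on the first forced privilege not in allowed.
forced_subset_of_allowed() {
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        case ",$2," in
            *",$p,"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# The target must be an existing regular file and not a symbolic link, so
# the privileged setfpriv is never pointed at a link planted by someone else.
valid_target() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Check all three arguments; print the reason and return 1 on the first
# failure, return 0 if everything is acceptable.
check_args() {
    [ $# -eq 3 ] || { echo "usage: autosetpriv forced_privs allowed_privs file" >&2; return 1; }
    valid_priv_list "$1" || { echo "bad forced privilege list: $1" >&2; return 1; }
    valid_priv_list "$2" || { echo "bad allowed privilege list: $2" >&2; return 1; }
    forced_subset_of_allowed "$1" "$2" ||
        { echo "forced privileges must be a subset of allowed privileges" >&2; return 1; }
    valid_target "$3" || { echo "not a regular file: $3" >&2; return 1; }
    return 0
}

# Validate, then run setfpriv in the form used on this page:
#   setfpriv -s -f forced -a allowed file
# The exit status of setfpriv becomes the script's exit status.
main() {
    check_args "$@" || return 1
    "$SETFPRIV" -s -f "$1" -a "$2" "$3"
}

# Run only when arguments were supplied on the command line.
[ $# -gt 0 ] && main "$@"
```

Because the script, once listed in the profile, runs setfpriv with file_setpriv, every argument is checked before setfpriv sees it: privilege lists are restricted to plain identifiers, the forced list is confirmed to be contained in the allowed list, and the target is required to be a regular file rather than a symbolic link. Setting SETFPRIV to a harmless command such as a shell function lets you exercise the checks without touching any file's privileges.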