This section presents the CDE actions available to roles and describes how to use or change the restricted editor used in these actions. The trusted CDE actions are listed in the following table.
Table 2-1 Administrative Actions, Purposes, and Default Roles

| Action Name | Purpose of Action | Default Rights Profile |
|---|---|---|
| | Creates entries in device_allocate(4), and device_maps(4), and creates an auxiliary file for a new allocatable or nonallocatable device. User enters device name, device type, and lists all device special files associated with the device. See add_allocatable(1M). | Device Security |
| | Edits any specified file | Object Access Management |
| | Edits audit_class(4) | Audit Control |
| | Edits audit_control(4) | Audit Control |
| | Edits audit_event(4) | Audit Control |
| | Edits the audit_startup.sh script [see audit_startup(1M)] | Audit Control |
| | Runs chk_encodings(1M) on specified encodings file | Object Label Management |
| | Runs tnchkdb(1M) on local tnidb(4), tnrhdb(4), and tnrhtp(4) files | Network Security |
| Check TN NIS+ Tables | Runs tnchkdb(1M) on tnrhdb(4), and tnrhtp(4) NIS+ trusted network maps | Network Management |
| | Edits /usr/dt/config/sel_config [see sel_config(4)] | Object Label Management |
| | Runs ypinit(1M), using both the specified hostname for the NIS master and the specified domain name | Name Server Security |
| | Runs nisclient(1M), using both the specified hostname for the NIS+ master and the specified domain name | Name Server Security |
| | Runs ypinit(1M) using the specified domain name | Name Server Security |
| | Runs nisserver(1M) using the specified domain name | Name Server Security |
| | Edits specified label_encodings(4) file and runs chk_encodings(1M) | Object Label Management |
| | Edits nsswitch.conf(4) | Network Management |
| | Runs nispopulate(1M) from the specified directory | Name Service Security |
| | | Network Management |
| | Edits /etc/defaultrouter [see the route(1M) man page] | Network Management |
| | Edits resolv.conf(4) | Network Management |
| | Edits /etc/mail/sendmail.cf [see sendmail(1M)] | Mail Management |
| | Edits vfstab_adjunct(4) | File System Security |
| | Edits vfstab(4) | File System Management |
| | Edits tsolgateways(4) | Network Management |
| | | File System Management |
| | Runs niscat(1) with the -o option on the specified NIS+ trusted network database to display the table's attributes. | Name Service Management |
| | Runs niscat(1) on the specified NIS+ trusted network database to display the table's contents. | Name Service Management |

The Admin Editor action, which can also be accessed from the command adminvi(1M), is a modified version of the vi(1) command. It is restricted to prevent the user from executing shell commands and from writing to (saving to) any file other than the original file being edited. The Admin Editor action, which is assigned to the security administrator role by default, should be used in most cases instead of adminvi on the command line to edit or create administrative files, because the Admin Editor is a wrapper for adminvi that incorporates auditing and allows an editor preference. You can assign the adminvi command to any users with the profile shell as their default if you need to provide them a text editor with the restrictions of adminvi.
The Admin Editor is launched through the /usr/dt/bin/trusted_edit shell script, which brings up the editor specified in the EDITOR environment variable for the role account, restricts saves, and audits any changes made at the time the file is saved. The variable is set to adminvi(1M) by default, but the security administrator role can redefine the EDITOR variable to /usr/dt/bin/dtpad. When adminvi is specified, /bin/adminvi is invoked as root to edit the file. The adminvi command prevents the saving of the file with any other name. If dtpad(1) is specified, the New, Save, and Open options in the File menu are disabled when the action runs, so that the file cannot be renamed.
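
The wrapper pattern described above (run the role's editor, let a save reach only the original file, record the change at save time) is shown here as an added POSIX shell sketch. It is not the Trusted Solaris trusted_edit script. The function name restricted_edit, the ALLOWED_EDITORS allow-list check and the AUDIT_LOG path are assumptions of this example, which needs mktemp, cmp and diff and handles only existing regular files.

```shell
#!/bin/sh
# Added sketch of a restricted-edit wrapper; not the trusted_edit script.
# restricted_edit, ALLOWED_EDITORS and AUDIT_LOG are hypothetical names.
ALLOWED_EDITORS=${ALLOWED_EDITORS:-"/bin/adminvi /usr/dt/bin/dtpad"}
AUDIT_LOG=${AUDIT_LOG:-/var/tmp/restricted_edit.audit}

restricted_edit() {
    target=$1
    editor=${EDITOR:-/bin/adminvi}

    # Only an existing regular file may be edited. Symbolic links are
    # refused so the write-back cannot land on a different file.
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "restricted_edit: $target is not a regular file" >&2
        return 2
    fi

    # Refuse any editor that is not on the allow-list (assumed policy).
    case " $ALLOWED_EDITORS " in
        *" $editor "*) ;;
        *) echo "restricted_edit: editor $editor not permitted" >&2
           return 3 ;;
    esac

    # The editor works on a private copy, never on the target itself.
    workdir=$(mktemp -d) || return 1
    cp -p "$target" "$workdir/edit" || { rm -rf "$workdir"; return 1; }
    edit_rc=0
    "$editor" "$workdir/edit" || edit_rc=$?

    # Save step: record who changed what, then write back to the original
    # file only. cat keeps the target's inode, owner and mode.
    if [ "$edit_rc" -eq 0 ] && ! cmp -s "$target" "$workdir/edit"; then
        {
            echo "EDIT $(date -u +%Y-%m-%dT%H:%M:%SZ) user=$(id -un) file=$target editor=$editor"
            diff "$target" "$workdir/edit" || true
        } >>"$AUDIT_LOG"
        cat "$workdir/edit" >"$target" || edit_rc=1
    fi
    rm -rf "$workdir"
    return "$edit_rc"
}
```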