NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | OPTIONS | RETURN VALUES | EXAMPLES | SEE ALSO
testfpriv checks or tests the privilege sets of a file or files. The command must have MAC read permission.
privseta and privsetf are one of these:
A comma-separated list of privilege names as reported by getfpriv
A comma-separated list of numeric privilege IDs as defined in /usr/include/sys/tsol/priv_names.h
The keyword all to indicate all privileges
No whitespace may exist in either list.
Without the -e (equal) option, the specified set of privileges is checked as a subset of the forced or the allowed privileges named on the command line. testfpriv reports those privileges that are specified in privseta or privsetf but not found in the file's allowed or forced set. With the -e option, it additionally reports privileges that the file has but that were not specified on the testfpriv command line.
The privilege sets of each named file are checked according to options described in the next section.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsu |
-a privseta: Test whether privseta is either equal to or a subset of the allowed set of filename.
-e: Test the equality of the given privilege set and the privilege set of filename (modifies the -a or -f option it precedes).
-f privsetf: Test whether privsetf is either equal to or a subset of the forced set of filename.
-s: Use silent mode to suppress output. (This option is useful in shell scripts that need only the return value.)
testfpriv exits with one of these values:
0: The specified privileges are in the allowed or the forced set of the file. With the -e option, the specified privileges are equal to the allowed set or the forced set of the file.
1: The specified privileges are not in the allowed set of the file, or (with -e) the allowed set of the file contains privileges not specified in this command.
2: The specified privileges are not in the forced set of the file, or (with -e) the forced set of the file contains privileges not specified in this command.
3: Both the allowed and forced sets have mismatches as described for return values 1 and 2.
testfpriv completed unsuccessfully.
To determine whether a set of privileges is in the forced set of a file, use this command:
example% testfpriv -f p1,p2,p3 file1
If all the specified privileges are in the forced set of the file, nothing is printed. If any of the privileges is not in the forced set of the file, the command prints the missing privilege(s). For example:
example% file1:missing:p2
To test whether a file's forced and allowed sets are exactly equal to the specified privileges, use this command:
example% testfpriv -e -f p1 -e -a p2 file2
If the file's privileges did not match the specified privileges exactly, the output could be in this format:
example% file3:forced:extra:p3:allowed:missing:p2:extra:p4
For example, use this command to test for all bits on in the allowed set, and whether only p1 and p2 are present in the forced set:
example% testfpriv -s -e -a all -f p1,p2 file4
Because this example uses the silent mode, no output is returned. The returned exit value demonstrates the result.
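The following shell script is an added example and is not part of this manual page. It parses the colon-separated file:set:missing/extra report shown in the examples above into one line per reported privilege, and shows how a script can branch on the silent-mode exit value. It assumes the report format is exactly as in those examples (the page says only that output "could be" in this format), that a report naming no set refers to the set given on the command line, and that testfpriv is on PATH.

```shell
#!/bin/sh
# Parse testfpriv report lines such as
#   file3:forced:extra:p3:allowed:missing:p2:extra:p4
#   file1:missing:p2          (only -f was given, so the set is implicit)
# into "file set kind privilege" lines, one per privilege.
# $1 is the set name to assume when a line names none ("forced" or "allowed").
# Assumption: tokens "forced"/"allowed" switch the set, "missing"/"extra"
# switch the kind, and every other token is a privilege name.
parse_testfpriv_output() {
    awk -F: -v defset="$1" '
    {
        file = $1; set = defset; kind = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "forced" || $i == "allowed") { set = $i; continue }
            if ($i == "missing" || $i == "extra") { kind = $i; continue }
            if (kind == "") {
                # Privilege seen before any missing/extra marker: report, skip.
                printf "%s: unparsed token %s\n", file, $i > "/dev/stderr"
                continue
            }
            print file, set, kind, $i
        }
    }'
}

# Check one file's forced set for exact equality with an expected list,
# using silent mode and the documented exit values (0 = match, 2 = forced
# set mismatch). Written so it is safe under "set -e".
audit_forced_set() {
    expected=$1; file=$2; status=0
    testfpriv -s -e -f "$expected" "$file" || status=$?
    case $status in
        0) echo "$file: forced set is exactly $expected" ;;
        2) echo "$file: forced set differs from $expected" ;;
        *) echo "$file: testfpriv did not complete (exit $status)" ;;
    esac
    return $status
}

# Constructed sample report lines (not captured from a real system).
if [ "${1:-}" = "--demo" ]; then
    printf 'file3:forced:extra:p3:allowed:missing:p2:extra:p4\n' \
        | parse_testfpriv_output allowed
    printf 'file1:missing:p2\n' | parse_testfpriv_output forced
fi
```

Run it with --demo to see the parsed lines for the two constructed reports; audit_forced_set is only meaningful on a host that has testfpriv.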