An execution attribute is a command that is associated with a specific UID or GID and that is assigned to a rights profile. The command with its security attributes can be run by users or roles to whom the rights profile is assigned.
The exec_attr database stores the definitions of the execution attributes.
The fields in the exec_attr database are separated by colons:
name:policy:type:res1:res2:id:attr |
The following table describes these fields.
Field Name |
Description |
---|---|
name |
The name of the rights profile. Rights profile names are case-sensitive. The name refers to a rights profile in the prof_attr database. |
policy |
The security policy that is associated with this entry. Currently, suser (the superuser policy model) is the only valid entry. |
type |
The type of entity that is specified. Currently, the only valid entity type is cmd (command). |
res1 |
Reserved for future use. |
res2 |
Reserved for future use. |
id |
A string that identifies the entity. Commands should have the full path or a path with a wildcard. To specify arguments, write a script with the arguments and point the id to the script. |
attr |
An optional list of semicolon (;) separated key-value pairs that describes the security attributes to apply to the entity on execution. Zero or more keys can be specified. The list of valid keywords depends on the policy that is enforced. The four valid keys are euid, uid, egid, and gid. The euid and uid keywords contain a single user name or a numeric user ID (UID). Commands that are designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands that are designated with uid run with both the real and effective UIDs. The egid and gid keywords contain a single group name or numeric group ID (GID). Commands that are designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands that are designated with gid run with both the real and effective GIDs. |
The following example shows some typical values from an exec_attr database.
% grep 'Printer Management' /etc/security/exec_attr Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0 Printer Management:suser:cmd:::/etc/init.d/lp:euid=0 . . . |