name:policy:type:res1:res2:id:attr

name

The name of the rights profile. Rights profile names are case-sensitive. The name refers to a rights profile in the prof_attr database.

policy

The security policy that is associated with this entry. Currently, suser (the superuser policy model) is the only valid entry.

type

The type of entity that is specified. Currently, the only valid entity type is cmd (command).

res1

Reserved for future use. 

res2

Reserved for future use. 

id

A string that identifies the entity. Commands should have the full path or a path with a wildcard. To specify arguments, write a script with the arguments and point the id to the script.

attr

An optional list of semicolon (;) separated key-value pairs that describes the security attributes to apply to the entity on execution. Zero or more keys can be specified. The list of valid keywords depends on the policy that is enforced. The four valid keys are euid, uid, egid, and gid.

The euid and uid keywords contain a single user name or a numeric user ID (UID). Commands that are designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands that are designated with uid run with both the real and effective UIDs.

The egid and gid keywords contain a single group name or numeric group ID (GID). Commands that are designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands that are designated with gid run with both the real and effective GIDs.

% grep 'Printer Management' /etc/security/exec_attr
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
.
.
.