authexec Command
Purpose
Runs a Role Based Access Control (RBAC) privileged command in a controlled manner.
Syntax
authexec RBACcommandName
Description
The authexec command runs an RBAC privileged command. When authexec is issued, users are authenticated against the roles that are defined in the authroles attribute for the RBAC command, RBACcommandName, in the RBAC privileged command database.
The authexec command is located in /usr/sbin/.
The user invoking authexec must have enough authorization to invoke the target command, RBACcommandName. The authenticating users must not be the same as the invoking user. The authenticating users must also have a valid nonblank password to pass authentication. No user can be authenticated more than one time for any role. A maximum of sixteen roles can be configured for the RBAC privileged command.
A privileged command with the authexec attribute in the privileged command database cannot be run directly from the shell or by using the exec subroutines in programs. Such commands must be invoked by using the authexec command.
This mechanism is not enforced when the command RBACcommandName is invoked by root on a root-enabled RBAC system.
Parameters
Item | Description |
---|---|
RBACcommandName | Specifies the RBAC target command to run, including any flags or parameters. Specify the absolute path of the target command RBACcommandName. |
Security
- Access Control
- All users can invoke this command.
Examples
If the /usr/sbin/shutdown command is enabled for authenticated execution using the authroles attribute, a user that is authorized to the shutdown command can run it only through authexec. The following privileged command database entry shows /usr/sbin/shutdown enabled for authenticated execution using the authroles attribute:
/usr/sbin/shutdown:
        accessauths=aix.system.boot.shutdown
        innateprivs=PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_PROC_PRIV,PV_PROC_SIG
        secflags=FSF_EPS
        authroles=isso,so,sa
Before the shutdown command is run, three distinct users, each holding one of the three roles listed in the authroles attribute, must be authenticated. In this example, the authroles attribute specifies the isso, so, and sa roles. This command requires the access authorization aix.system.boot.shutdown to invoke the shutdown command, and that authorization is typically associated with the so role. A user with the so role, other than the user invoking the shutdown command, together with users holding the isso and sa roles, must authenticate for the command to be issued successfully.
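As an added example (not part of the AIX documentation or the authexec implementation), the following Python models the authentication rules stated in the Description against the shutdown stanza shown above. The stanza parser treats lines beginning with `*` as comments, and the user names and passwords are constructed.

```python
# Added example, not the real authexec: a model of the authentication rules the
# man page states, applied to a constructed /etc/security/privcmds stanza.
SAMPLE_PRIVCMDS = """\
/usr/sbin/shutdown:
        accessauths=aix.system.boot.shutdown
        innateprivs=PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_PROC_PRIV,PV_PROC_SIG
        secflags=FSF_EPS
        authroles=isso,so,sa
"""

def parse_privcmds(text):
    """Parse AIX stanza text into {command_path: {attribute: value}}."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):       # blank or comment line
            continue
        if line.endswith(":"):                      # stanza header: command path
            current = line[:-1]
            db[current] = {}
        elif "=" in line and current is not None:   # attribute=value line
            key, _, value = line.partition("=")
            db[current][key.strip()] = value.strip()
    return db

def check_authexec(db, command, invoker, authenticators):
    """Apply the authexec constraints to (user, role, password) tuples; return (ok, reason)."""
    entry = db.get(command, {})
    if "authroles" not in entry:
        return False, "command has no authroles attribute"
    roles = [r for r in entry["authroles"].split(",") if r]
    if len(roles) > 16:
        return False, "more than sixteen roles configured"
    seen = set()
    for user, role, password in authenticators:
        if user == invoker:                  # authenticators must differ from the invoker
            return False, f"{user} is the invoking user"
        if not password:                     # a valid nonblank password is required
            return False, f"{user} has a blank password"
        if user in seen:                     # no user authenticates more than once
            return False, f"{user} authenticated more than once"
        if role not in roles:
            return False, f"role {role} is not listed in authroles"
        seen.add(user)
    satisfied = {role for _, role, _ in authenticators}
    missing = [r for r in roles if r not in satisfied]
    if missing:
        return False, "roles not yet authenticated: " + ",".join(missing)
    return True, "all authroles satisfied; target command may run"
```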
Files
Item | Description |
---|---|
/etc/security/users | Contains the extended attributes of users. |
/etc/security/roles | Contains the attributes of roles. |
/etc/security/authorizations | Contains the attributes of authorizations. |
/etc/security/privcmds | Contains the attributes of RBAC privileged commands. |