rmsecattr Command
Purpose
Removes the definition of the security attributes for a command, a device, a privileged file, or a domain-assigned object in the database.
Syntax
Description
The rmsecattr command removes the security attributes for a command, a device, a file entry, or a domain-assigned object that is identified by the Name parameter from the appropriate database. The command interprets the Name parameter as a command, device, file entry, or domain-assigned object based on whether the -c (command), -d (device), -f (privileged file), or -o (domain-assigned object) flag is specified. If the -c flag is specified, the Name parameter must include the full path to the command and the command must at that time have an entry in the /etc/security/privcmds privileged command database.
If you specify the -d flag, the Name parameter must include the full path to the device and the device must at that time have an entry in the /etc/security/privdevs privileged device database.
If you specify the -f flag, the Name parameter must include the full path to the file and the file must have an entry in the /etc/security/privfiles privileged file database.
If you specify the -o flag, the Name parameter must include the full path if the object type is file or device and it must have an entry in the /etc/security/domobjs domain-assigned object database.
If the system is configured to use databases from multiple domains, the rmsecattr command finds the first match from the database domains in the order specified by the secorder attribute of the corresponding database stanza in the /etc/nscontrol.conf file, and removes that entry from that domain only. Any matching entries in the remaining domains are not affected. Use the -R flag to remove an entry from a specific domain.
Modifications made by this command are not used for security decisions until the databases are sent to the kernel security tables with the setkst command.
Flags
Item | Description |
---|---|
-c | Specifies, when used with the Name parameter, the full paths to one or more commands on the system that have entries in the privileged command database. |
-d | Specifies, when used with the Name parameter, the full paths to one or more devices on the system that have entries in the privileged device database. |
-f | Specifies, when used with the Name parameter, the full path to a privileged file on the system. |
-o | Specifies, when used with the Name parameter, an object as specified in the domain-assigned object database. |
-R load_module | Specifies the loadable module to use for the deletion of the Name entry. |
Parameters
Item | Description |
---|---|
Name | The object to modify. The Name parameter is interpreted according to the -c, -d, -f, or -o flags that you specified. |
Security
The rmsecattr command is a privileged command. It is owned by the root user and the security group, with mode set to 755. You must have at least one of the following authorizations to run the command:
Item | Description |
---|---|
aix.security.cmd.remove | Required to remove the security attributes of a command with the -c flag. |
aix.security.device.remove | Required to remove the security attributes of a device with the -d flag. |
aix.security.dobject.remove | Required to remove the security attributes of a domain-assigned object with the -o flag. |
aix.security.file.remove | Required to remove the security attributes of a file with the -f flag. |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Files Accessed
File | Mode |
---|---|
/etc/security/domobjs | rw |
/etc/security/privcmds | rw |
/etc/security/privdevs | rw |
/etc/security/privfiles | rw |
Examples
- To remove the /usr/sbin/mytest command from the privileged command database, type:
  rmsecattr -c /usr/sbin/mytest
- To remove the /dev/mydev device from the privileged device database, type:
  rmsecattr -d /dev/mydev
- To remove the /dev/mydev device from the privileged device database in LDAP, type:
  rmsecattr -R LDAP -d /dev/mydev
- To remove the /etc/testconf file from the privileged file database, type:
  rmsecattr -f /etc/testconf
- To remove the network interface en0 from the domain-assigned object database, type:
  rmsecattr -o objectype=netint en0
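The examples above edit only the database. As an added example (not from the AIX documentation), the following POSIX sh wrapper first confirms with lssecattr that the entry exists, removes it with rmsecattr (optionally within one domain via -R), and then runs setkst so the change actually reaches the kernel security tables. It assumes lssecattr, rmsecattr and setkst are on PATH and that lssecattr exits non-zero for a Name that has no entry; the -o object form is not handled.

```shell
#!/bin/sh
# remove_secattr: remove one privileged command (-c), device (-d) or file (-f)
# entry and reload the kernel security tables so the change takes effect.
# Added example, not from the AIX documentation. Assumes lssecattr, rmsecattr
# and setkst are on PATH and that lssecattr exits non-zero for a Name that has
# no entry (an assumption; confirm on your system before relying on the check).
# Usage: remove_secattr {c|d|f} /full/path [load_module]

remove_secattr() {
    kind="$1"
    name="$2"
    module="$3"

    case "$kind" in
        c|d|f) ;;
        *) echo "remove_secattr: type must be c, d or f (got '$kind')" >&2; return 2 ;;
    esac
    # All three databases key their entries by full path.
    case "$name" in
        /*) ;;
        *) echo "remove_secattr: '$name' is not a full path" >&2; return 2 ;;
    esac

    # Build the argument list once. -R restricts both the check and the
    # removal to one domain instead of the first match in secorder.
    set -- "-$kind" "$name"
    if [ -n "$module" ]; then
        set -- -R "$module" "$@"
    fi

    # rmsecattr requires an existing entry, so check before changing anything.
    if ! lssecattr "$@" >/dev/null 2>&1; then
        echo "remove_secattr: no entry for $name${module:+ in $module}" >&2
        return 1
    fi

    rmsecattr "$@" || return 1

    # The database edit is not used for security decisions until the kernel
    # security tables are reloaded.
    setkst || return 1
}

# Run directly as: sh remove_secattr.sh c /usr/sbin/mytest [LDAP]
if [ $# -gt 0 ]; then
    remove_secattr "$@"
fi
```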