setsecattr Command

Purpose

Sets the security attributes of a command, a device, a privileged file, a process, or a domain-assigned object.

Syntax

setsecattr [ -R load_module ] { -c | -d | -p | -f | -o } Attribute=Value [ Attribute=Value ... ] Name

Description

The setsecattr command sets the security attributes of the command, device, privileged file, process, or domain-assigned object that is specified by the Name parameter. The command interprets the Name parameter as a command, a device, a privileged file, a process, or a domain-assigned object based on whether the -c (command), -d (device), -f (privileged file), -p (process), or -o (domain-assigned object) flag is specified.

If the system is configured to use databases from multiple domains, the following operations on the object specified by the Name parameter search the domains in the order that is specified by the secorder attribute of the corresponding database stanza in the /etc/nscontrol.conf file:
  • Setting security attributes for a privileged command
  • Setting security attributes for a privileged device
  • Setting security attributes for a privileged file
  • Setting security attributes for a domain-assigned object

Only the first matching entry is modified. Duplicate entries from the remaining domains are not modified. Use the -R flag to modify the entry from a specific domain. If no matching entry is found in any of the domains, a new entry for the Name parameter is created in the first domain. Use the -R flag to add the entry to a specific domain.

To set a value for an attribute, specify the attribute name and the new value with the Attribute=Value parameter. To clear an attribute, specify Attribute= with no value. To make incremental changes to attributes whose values are lists, specify the Attribute=Value pairs as Attribute=+Value or Attribute=-Value. If you specify Attribute=+Value, the value is added to the existing value of the attribute. If you specify Attribute=-Value, the value is removed from the existing value of the attribute.

Flags

Item Description
-c Specifies that the security attributes of a command on the system are to be set. If the command name that you specified using the Name parameter is not in the privileged command database, a command entry is created in the /etc/security/privcmds privileged command database. If an attribute is being cleared and is the only attribute set for the command, the command is removed from the privileged command database. Modifications made to the privileged command database are not used until the database is sent to the kernel security tables using the setkst command.
-d Specifies that the security attributes of a device on the system are to be set. If the device name you specify using the Name parameter is not in the privileged device database, a device entry is created in the /etc/security/privdevs privileged device database. If an attribute is being cleared and is the only attribute set for the device, the device is removed from the privileged device database. Modifications made to the privileged device database are not used until the database is sent to the kernel security tables using the setkst command.
-f Specifies that the security attributes of a privileged file on the system are to be set. Changes requested through the Attribute=Value pairs are made in the /etc/security/privfiles privileged file database. If the specified file is not in the privileged file database, a file entry is created in the database. If an attribute is being cleared and is the only attribute set for the file, the file is removed from the privileged file database.
-o Specifies that the security attributes of an object on the system are to be set. If the object name that you specified using the Name parameter is not in the domain object database, an object entry is created in the /etc/security/domobjs domain object database. If an attribute is being cleared and is the only attribute set for the object, the object entry is removed from the domain object database. Modifications made to the domain object database are not used until the database is sent to the kernel security tables using the setkst command.
-p Specifies that the security attributes of the active process whose numeric process identifier (PID) is given by the Name parameter are to be set. Changes that you specify with the Attribute=Value pairs immediately affect the state of the specified active process. Modifications are not saved in a database.
-R load_module Specifies the loadable module to use for security attribute modification.

Parameters

Item Description
Attribute=Value Sets the value of a security attribute for the object. The list of valid attribute names depends on the object type as specified by the -c, -d, -f, -p, and -o flags.
Use the following attributes for the privileged command database (-c) flag:
accessauths
Specifies access authorizations as a comma-separated list of authorization names. You can specify a total of sixteen authorizations. A user with any of the authorizations that you specified can run the command. This attribute has three special additional values, ALLOW_OWNER, ALLOW_GROUP, and ALLOW_ALL, which allow the command owner, the group, or all users respectively to run the command without checking for access authorizations.
authprivs
Specifies authorized privileges. Specifies a list of authorizations and privilege pairs that grant additional privileges to the process. The authorization and its corresponding privileges are separated by an equal sign (=), individual privileges are separated by a plus sign (+), and authorization or privilege pairs are separated by a comma (,), as shown in the following examples:
auth=priv+priv+...,auth=priv+priv+...,...
You can specify a maximum of sixteen pairs of authorizations and privileges.
authroles
Specifies the user roles that need to be authenticated before the command can run successfully. If listing multiple roles, separate each role with a comma. For example:
authroles=so,isso
Each role must be authenticated by a different user; no single user can perform the authentication for more than one role.
innateprivs
Specifies the innate privileges. Specifies a comma-separated list of privileges that are assigned to the process when the command is run.
inheritprivs
Specifies inheritable privileges. Specifies a comma-separated list of privileges that are passed to child processes.
euid
Specifies the effective user ID to assume when the command is run.
egid
Specifies the effective group ID to assume when the command is run.
 
ruid
Specifies the real user ID to assume when the command is run. The only valid value is 0. This attribute value is ignored if the command provides access to all users by specifying the special value ALLOW_ALL in its accessauths attribute.
secflags
Specifies the file security flags. Specifies a comma-separated list of security flags. Use the following values for this flag:
FSF_EPS
Causes the maximum privilege set to be loaded into the effective privilege set when the command is run.
 
Use the following attributes for the privileged device database (-d) flag:
readprivs
Specifies a comma-separated list of privileges that a user or a process must have for read access to the device. You can specify a maximum of eight privileges. The user or process must have one of the listed privileges to read from the device.
writeprivs
Specifies a comma-separated list of privileges that a user or a process must have for write access to the device. You can specify a maximum of eight privileges. The user or process must have one of the listed privileges to write to the device.
 
Use the following attributes for the privileged file (-f) flag:
readauths
Specify the read access authorizations. Specify a comma-separated list of authorization names. A user with any of the authorizations can read the file.
writeauths
Specify the write access authorizations. Specify a comma-separated list of authorization names. A user with any of the authorizations can read or write the file.
Use the following attributes for the privileged process (-p) flag:
eprivs
Specify the effective privilege set. Specify a comma-separated list of privileges that are to be active for the process. The process might remove the privileges from this set and add the privileges from the maximum privilege set to its effective privilege set.
iprivs
Specifies the inheritable privilege set. Specifies a comma-separated list of privileges that are passed to child processes' effective and maximum privilege sets. The inheritable privilege set is a subset of the limiting privilege set.
mprivs
Specify a maximum privilege set. Specify a comma-separated list of privileges that the process can add to its effective privilege set. The maximum privilege set is a superset of the effective privilege set.
lprivs
Specify the limiting privilege set. Specify a comma-separated list of privileges that make up the maximum possible privilege set for a process. The limiting privilege set is a superset of the maximum privilege set.
uprivs
Specify the used privilege set. Specify a comma-separated list of privileges that are used during the life of the process. This set is mainly used by the tracepriv command.
Use the following attributes for the domain-assigned object database (-o) flag:
domains
Specify a comma-separated list of domains the objects belong to.
conflictsets
Specify a comma-separated list of domains that are excluded from accessing the object.
objtype
Specify the type of the object. Valid values are device, netint, netport and file.
secflags
Specify the security flags for the object. Valid values are:
  • FSF_DOM_ANY: This value specifies that a process can access the object if it has any of the domains given in the domains attribute.
  • FSF_DOM_ALL: Specifies that a process can access the object only if it has all of the domains specified in the domains attribute. This is the default value if the secflags attribute is not specified.

The FSF_DOM_ANY and FSF_DOM_ALL are mutually exclusive flags.

Name Specify the object to modify. The Name parameter is interpreted according to the flags that you specify. One name must be indicated for processing at a time.

Security

The setsecattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755. You must assume a role with at least one of the following authorizations to run the command successfully. For a trusted process, the auditing system does not log any object auditing events for that process. However, users can capture events by using event auditing.

Item Description
aix.security.cmd.set Required to modify the attributes of a command with the -c flag.
aix.security.device.set Required to modify the attributes of a device with the -d flag.
aix.security.file.set Required to modify the attributes of a privileged file with the -f flag.
aix.security.proc.set Required to modify the attributes of a process with the -p flag.
aix.security.dobject.set Required to modify the attributes of a domain-assigned object with the -o flag.

Files Accessed

File Mode
/etc/security/privcmds rw
/etc/security/privdevs rw
/etc/security/privfiles rw
/etc/security/domobjs rw

Examples

  1. To set an authorized privilege pair for the /usr/sbin/mount command, enter the following command:
    setsecattr -c authprivs=aix.fs.manage.mount=PV_FS_MOUNT /usr/sbin/mount
  2. To incrementally add the PV_AU_WRITE and PV_DAC_W privileges to the existing set of writing privileges for the /dev/mydev device, enter the following command:
    setsecattr -d writeprivs=+PV_AU_WRITE,PV_DAC_W /dev/mydev
  3. To set a read authorization for the /etc/security/user file, enter the following command:
    setsecattr -f readauths=aix.security.user.change /etc/security/user
  4. To incrementally remove the PV_DAC_R privilege from the effective privilege set of an active process, enter the following command:
    setsecattr -p eprivs=-PV_DAC_R 35875
  5. To set the access authorizations for the /usr/sbin/mount command in LDAP, enter the following command:
    setsecattr -R LDAP -c accessauths=aix.fs.manage.mount /usr/sbin/mount
  6. To set the domains on the network interface en0, enter the following command:
    setsecattr -o domains=INTRANET,APPLICATION conflictsets=INTERNET objtype=netint secflags=FSF_DOM_ANY en0
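The following script is an added example and is not part of the setsecattr command or this manual page. It models, on constructed strings only, how setsecattr interprets list-valued Attribute=Value pairs (replace, Attribute=+Value add, Attribute=-Value remove, Attribute= clear, as used in examples 2 and 4) and the auth=priv+priv,... layout of an authprivs value with its documented sixteen-pair limit; the function names apply_attr and authprivs_pairs are the example's own.

```shell
#!/bin/sh
# Added example (not part of setsecattr or its manual page): models how
# list-valued Attribute=Value pairs are applied (set, +add, -remove, clear)
# and how an authprivs value is structured. Runs only on constructed strings.

# apply_attr CURRENT_LIST 'attr=spec' -> prints the resulting list
apply_attr() {
    cur=$1
    case $2 in *=*) ;; *) echo "bad pair: $2" >&2; return 1 ;; esac
    val=${2#*=}
    old_ifs=$IFS; IFS=','
    case $val in
        '') out= ;;                       # attr=      clears the attribute
        +*) out=$cur                      # attr=+a,b  appends missing items
            for item in ${val#+}; do
                case ",$out," in *",$item,"*) ;; *) out="${out:+$out,}$item" ;; esac
            done ;;
        -*) out=                          # attr=-a,b  drops the listed items
            for item in $cur; do
                case ",${val#-}," in *",$item,"*) ;; *) out="${out:+$out,}$item" ;; esac
            done ;;
        *)  out=$val ;;                   # attr=a,b   replaces the whole list
    esac
    IFS=$old_ifs
    echo "$out"
}

# authprivs_pairs VALUE -> one "auth priv ..." line per auth=priv+priv pair;
# fails on a pair without '=' or on more than sixteen pairs (the documented cap)
authprivs_pairs() {
    n=0; bad=0
    old_ifs=$IFS; IFS=','
    for pair in $1; do
        n=$((n + 1))
        case $pair in
            *=*) echo "${pair%%=*} $(printf '%s' "${pair#*=}" | tr '+' ' ')" ;;
            *)   echo "malformed pair: $pair" >&2; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -le 16 ] || { echo "too many pairs: $n" >&2; bad=1; }
    return $bad
}

# Constructed inputs mirroring examples 2 and 4 above.
apply_attr 'PV_DAC_R' 'writeprivs=+PV_AU_WRITE,PV_DAC_W'   # PV_DAC_R,PV_AU_WRITE,PV_DAC_W
apply_attr 'PV_DAC_R,PV_AU_WRITE' 'eprivs=-PV_DAC_R'       # PV_AU_WRITE
authprivs_pairs 'aix.fs.manage.mount=PV_FS_MOUNT'           # aix.fs.manage.mount PV_FS_MOUNT
```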