setsecattr Command
Purpose
Sets the security attributes of a command, a device, a privileged file, a process, or a domain-assigned object.
Syntax
setsecattr [ -R load_module ] { -c | -d | -f | -o | -p } Attribute=Value [ Attribute=Value ... ] Name
Description
The setsecattr command sets the security attributes of the command, device, privileged file, process, or domain-assigned object that is specified by the Name parameter. The command interprets the Name parameter as a command, a device, a privileged file, a process, or a domain-assigned object based on whether the -c (command), -d (device), -f (privileged file), -p (process), or -o (domain-assigned object) flag is specified.
The setsecattr command uses databases from multiple domains when it:
- Sets security attributes for a privileged command
- Sets security attributes for a privileged device
- Sets security attributes for a privileged file
- Sets security attributes for a domain-assigned object
Only the first matching entry is modified. Duplicate entries from the remaining domains are not modified. Use the -R flag to modify the entry from a specific domain. If no matching entry is found in any of the domains, a new entry for the Name parameter is created in the first domain. Use the -R flag to add the entry to a specific domain.
To set a value for an attribute, specify the attribute name and the new value with the Attribute=Value parameter. To clear an attribute, specify Attribute= (with no value) for the Attribute=Value pair. To make incremental changes to attributes whose values are lists, specify the Attribute=Value pairs as Attribute=+Value or Attribute=-Value. If you specify Attribute=+Value, the value is added to the existing value of the attribute. If you specify Attribute=-Value, the value is removed from the existing value of the attribute.
Flags
Item | Description |
---|---|
-c | Specifies that the security attributes of a command on the system are to be set. If the command name that you specified using the Name parameter is not in the privileged command database, a command entry is created in the /etc/security/privcmds privileged command database. If an attribute is being cleared and is the only attribute set for the command, the command is removed from the privileged command database. Modifications made to the privileged command database are not used until the database is sent to the kernel security tables using the setkst command. |
-d | Specifies that the security attributes of a device on the system are to be set. If the device name you specify using the Name parameter is not in the privileged device database, a device entry is created in the /etc/security/privdevs privileged device database. If an attribute is being cleared and is the only attribute set for the device, the device is removed from the privileged device database. Modifications made to the privileged device database are not used until the database is sent to the kernel security tables using the setkst command. |
-f | Specifies that the security attributes of a privileged file on the system are to be set. Changes requested through the Attribute=Value pairs are made in the /etc/security/privfiles privileged file database. If the specified file is not in the privileged file database, a file entry is created in the database. If an attribute is being cleared and is the only attribute set for the file, the file entry is removed from the privileged file database. |
-o | Specifies that the security attributes of a domain-assigned object on the system are to be set. If the object name that you specified using the Name parameter is not in the domain object database, an object entry is created in the /etc/security/domobjs domain object database. If an attribute is being cleared and is the only attribute set for the object, the object entry is removed from the domain object database. Modifications made to the domain object database are not used until the database is sent to the kernel security tables using the setkst command. |
-p | Specifies that the security attributes of an active process on the system, identified by its numeric process identifier (PID), are to be set. Changes that you specify with the Attribute=Value pairs immediately affect the state of the specified active process. Modifications are not saved in a database. |
-R load_module | Specifies the loadable module to use for security attribute modification. |
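The incremental Attribute=Value semantics described above, together with the rule in the -c, -d and -f flag descriptions that an entry is created when the name is unknown and removed when its last attribute is cleared, can be previewed before touching a live database. The following dry-run model is an added example; it is not part of the AIX documentation and not the setsecattr implementation. It assumes (labelled in the code) that the privileged command database is a stanza file of the form "name:" followed by tab-indented "attr = value" lines, that +Value appends missing items in the order given without duplicating existing ones, and that a list emptied by -Value is treated like Attribute= (cleared). The function names and the sample stanza text are constructed for the example.

```python
"""Dry-run model of the setsecattr Attribute=Value semantics.

Added example, not part of the AIX documentation and not the setsecattr
implementation. Assumptions: the privileged command database is a stanza
file ("<name>:" followed by tab-indented "attr = value" lines), +Value
appends missing items in the order given, and a list emptied by -Value is
treated like Attribute= (cleared).
"""
import re

# Constructed sample in the assumed /etc/security/privcmds stanza layout.
SAMPLE_PRIVCMDS = """\
/usr/sbin/mount:
\taccessauths = aix.fs.manage.mount
\tinnateprivs = PV_FS_MOUNT
\tsecflags = FSF_EPS

/usr/bin/chsec:
\taccessauths = aix.security.user.change
"""

# Attribute=Value, Attribute=+Value, Attribute=-Value or Attribute= (clear).
SPEC_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=([+-]?)(.*)$")


def parse_stanzas(text):
    """Parse stanza text into {name: {attr: value}}, keeping attribute order."""
    db, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            db[current] = {}
        elif current is not None and "=" in line:
            # Partition on the first '=' only, so a value such as
            # authprivs = aix.fs.manage.mount=PV_FS_MOUNT survives intact.
            attr, _, value = line.partition("=")
            db[current][attr.strip()] = value.strip()
        else:
            raise ValueError("unparseable stanza line: %r" % line)
    return db


def format_stanzas(db):
    """Serialise {name: {attr: value}} back to stanza text."""
    out = []
    for name, attrs in db.items():
        out.append(name + ":")
        for attr, value in attrs.items():
            out.append("\t%s = %s" % (attr, value))
        out.append("")
    return "\n".join(out)


def apply_spec(attrs, spec):
    """Apply one Attribute=Value pair to an entry's attribute dict in place."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad Attribute=Value pair: %r" % spec)
    attr, op, value = m.groups()
    if op == "":
        if value == "":
            attrs.pop(attr, None)      # Attribute=  clears the attribute
        else:
            attrs[attr] = value        # Attribute=Value replaces the value
        return attrs
    if value == "":
        raise ValueError("%s=%s needs at least one list item" % (attr, op))
    current = [v for v in attrs.get(attr, "").split(",") if v]
    items = [v for v in value.split(",") if v]
    if op == "+":                      # Attribute=+Value: add missing items
        for v in items:
            if v not in current:
                current.append(v)
    else:                              # Attribute=-Value: drop listed items
        current = [v for v in current if v not in items]
    if current:
        attrs[attr] = ",".join(current)
    else:
        attrs.pop(attr, None)          # assumption: an emptied list is cleared
    return attrs


def setsecattr_dry_run(text, name, specs):
    """Return the stanza text that `setsecattr -c specs... name` would leave.

    Mirrors the documented behaviour: an unknown name gets a new entry, and an
    entry whose last attribute is cleared is removed from the database.
    """
    db = parse_stanzas(text)
    attrs = db.setdefault(name, {})
    for spec in specs:
        apply_spec(attrs, spec)
    if not attrs:
        del db[name]
    return format_stanzas(db)


if __name__ == "__main__":
    print(setsecattr_dry_run(SAMPLE_PRIVCMDS, "/usr/sbin/mount",
                             ["innateprivs=+PV_DAC_W", "secflags="]))
```

Feeding the model the current database text and the same Attribute=Value pairs you intend to pass to setsecattr shows the resulting entry (or its removal) before the change is made; remember that the real -c, -d and -o changes still only reach the kernel after setkst is run.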
Parameters
Item | Description |
---|---|
Attribute = Value | Sets the value of a security attribute for the object. The list of valid attribute names depends on the object type, as selected with the -c, -d, -f, -p, or -o flag: the privileged command database (-c), the privileged device database (-d), the privileged file database (-f), an active process (-p), and the domain-assigned object database (-o) each accept their own set of attributes. |
Name | Specifies the object to modify. The Name parameter is interpreted according to the flag that you specify. Only one name can be processed at a time. |
Security
The setsecattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755. You must assume a role with at least one of the following authorizations to run the command successfully. Because setsecattr is a trusted process, the auditing system does not log any object auditing events for it; users can still capture its activity with event auditing.
Item | Description |
---|---|
aix.security.cmd.set | Required to modify the attributes of a command with the -c flag. |
aix.security.device.set | Required to modify the attributes of a device with the -d flag. |
aix.security.file.set | Required to modify the attributes of a privileged file with the -f flag. |
aix.security.proc.set | Required to modify the attributes of a process with the -p flag. |
aix.security.dobject.set | Required to modify the attributes of a domain-assigned object with the -o flag. |
Files Accessed
File | Mode |
---|---|
/etc/security/privcmds | rw |
/etc/security/privdevs | rw |
/etc/security/privfiles | rw |
/etc/security/domobjs | rw |
Examples
- To set an authorized privilege pair for the /usr/sbin/mount command, enter the following command (the change is not used until the database is loaded into the kernel security tables with the setkst command):
setsecattr -c authprivs=aix.fs.manage.mount=PV_FS_MOUNT /usr/sbin/mount
- To incrementally add the PV_AU_WRITE and PV_DAC_W privileges to the existing set of write privileges for the /dev/mydev device, enter the following command:
setsecattr -d writeprivs=+PV_AU_WRITE,PV_DAC_W /dev/mydev
- To set a read authorization for the /etc/security/user file, enter the following command:
setsecattr -f readauths=aix.security.user.change /etc/security/user
- To incrementally remove the PV_DAC_R privilege from the effective privilege set of the active process with PID 35875, enter the following command:
setsecattr -p eprivs=-PV_DAC_R 35875
- To set the access authorizations for the /usr/sbin/mount command in the LDAP domain, enter the following command:
setsecattr -R LDAP -c accessauths=aix.fs.manage.mount /usr/sbin/mount
- To assign the INTRANET and APPLICATION domains to the network interface en0, with INTERNET as a conflict set, enter the following command:
setsecattr -o domains=INTRANET,APPLICATION conflictsets=INTERNET objtype=netint secflags=FSF_DOM_ANY en0