Re: Scripting acledit

From: Adams Kevin J (kevin.adams@PHS.COM)
Date: Wed Jul 24 2002 - 13:09:12 EDT


You need to use the aclput command.

Here's an example of denying the "test" userid the ability to run the su
command via acl. In your case you would use permit instead of deny.

Create an enable input file for aclput:

# cat acl_su_enable
attributes: SUID
base permissions
    owner(root): r-x
    group(system): r-x
    others: r-x
extended permissions
    enabled
    deny rwx u:test

Create a script to run aclput pointing to the enable input file:

# cat aclenable
#!/bin/ksh
aclput -i acl_su_enable /bin/su

To undo the deny (disable the acl), create another input file:

# cat acl_su_disable
attributes: SUID
base permissions
    owner(root): r-x
    group(security): r-x
    others: r-x
extended permissions
    disabled

Create a script to run aclput pointing to the disable input file:

# cat acldisable
#!/bin/ksh
aclput -i acl_su_disable /bin/su

So, run aclenable to enable a deny rule, and run acldisable to disable the
deny rule.

This was an attempt at disallowing a userid from using su, but I decided that
using su groups was a better solution.

Kevin Adams
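The same aclput approach, as an added example that is not part of the original post: rather than hand-writing an enable and a disable file per host, the script below takes the current ACL from aclget, keeps the attributes and base permissions verbatim and rewrites only the extended section, so the group line (system vs. security) always matches the file's real group. The function names are mine, the sample ACL text is constructed to stand in for aclget output, and apply_deny assumes aclput reads standard input when -i is not given.

```shell
#!/bin/sh
# Added example (not from the original post). Keep the live base
# permissions from aclget, rewrite only "extended permissions".

# set_extended yes|no [RULE ...]  < aclget-output  > aclput-input
# Copies every line up to "extended permissions" unchanged, then emits
# "enabled" plus the given rules (e.g. "deny rwx u:test") or "disabled".
set_extended() {
    enabled=$1
    shift
    awk '/^extended permissions/ { exit } { print }'
    printf 'extended permissions\n'
    if [ "$enabled" = yes ]; then
        printf '    enabled\n'
        for rule in "$@"; do
            printf '    %s\n' "$rule"
        done
    else
        printf '    disabled\n'
    fi
}

# Constructed sample in the format shown in the post, standing in for
# "aclget /bin/su" so the generator can be exercised off an AIX box.
sample_acl() {
    cat <<'EOF'
attributes: SUID
base permissions
    owner(root): r-x
    group(security): r-x
    others: r-x
extended permissions
    disabled
EOF
}

# apply_deny FILE USER: save the live ACL, then install a deny rule for
# USER. Rollback is "aclput -i <backup> FILE", i.e. the acldisable step.
# Assumes aclput reads standard input when -i is not given (hypothetical).
apply_deny() {
    file=$1 user=$2
    backup="/var/tmp/acl.$(basename "$file").orig"
    aclget "$file" > "$backup" || return 1
    set_extended yes "deny rwx u:$user" < "$backup" | aclput "$file"
}
```

Use `sample_acl | set_extended yes 'deny rwx u:test'` to see the generated input file; on the AIX host, `apply_deny /bin/su test` writes it to the file's ACL.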

-----Original Message-----
From: AIX geek [mailto:aixgeek@YAHOO.COM]
Sent: Wednesday, July 24, 2002 9:15 AM
To: aix-l@Princeton.EDU
Subject: [aix-l] Scripting acledit

How can I script the function of the acledit command?

Due to how my environment works, I need to run acledit
on /dev/kmem so that monitor will work. Due to a very
complex management decision, I can't just install the
freeware package; rather, /usr/local is automounted
over the network so that all machines have access to
the tools in /usr/local/bin. All well and good, but
the installp installation of monitor automatically
sets these perms. I just can't figure out how to do
it myself non-interactively.

Thanks,

-AG

This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:05 EDT