Партнёры:
Хостинг:
smexec - manage entries in the exec_attr database
/usr/sadm/bin/smexec subcommand [ auth_args] -- [subcommand_args]
The smexec command manages an entry in the exec_attr(4) database in the local /etc files name service or a NIS or NIS+ name service.
smexec subcommands are:
add Adds a new entry to the exec_attr(4) database. To add an entry to the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.
delete Deletes an entry from the exec_attr(4) database. To delete an entry from the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.
modify Modifies an entry in the exec_attr(4) database. To modify an entry in the exec_attr database, the administrator must have the solaris.profmgr.execattr.write authorization.
The smexec authentication arguments, auth_args, are derived from the smc(1M) arg set and are the same regardless of which subcommand you use. The smexec command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first Solaris Management Console connection might time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must come after the auth_args and must be separated from them by the -- option.
The auth_args -D, -H, -l, -p, -r, and -u are described below. They are all optional. These options are a subset of the full complement of supported options described in smc(1M).
If no auth_args are specified, certain defaults will be assumed and the user may be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain with the domain argument.
-D | --domain domain
Specifies the default domain that you want to manage. The syntax of domain is type:/host_name/domain_name, where type is nis, nisplus, dns, ldap, or file; host_name is the name of the machine that serves the domain; and domain_name is the name of the domain you want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898. You may still have to choose a toolbox to load into the console. To override this behavior, use the smc(1M) -B option, or set your console preferences to load a "home toolbox" by default.
-l | --rolepassword role_password
Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
-p | --password password
Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do not specify this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.
--
This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the -- option.
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
* For subcommand add:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associated with the new exec_attr entry. Specifying a CDE action is available only if the system is configured with Solaris Trusted Extensions. See "Using Options that Require Solaris Trusted Extensions," below.
-g egid
(Optional) Specifies the effective group ID that executes with the command.
-G gid
(Optional) Specifies the real group ID that executes with the command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the new exec_attr entry.
-t type
Specifies the type for the command. Currently, the only acceptable value for type is cmd.
-u euid
(Optional) Specifies the effective user ID that executes with the command.
-U uid
(Optional) Specifies the real user ID that executes with the command.
-M limit_privs
Specifies the privilege name(s) to add to the new exec_attr(4) entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to add to the new exec_attr(4) entry.
* For subcommand delete:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associated with the exec_attr entry. Specifying a CDE action is available only if the system is configured with Solaris Trusted Extensions. See "Using Options that Require Solaris Trusted Extensions," below.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd.
* For subcommand modify:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associated with the exec_attr entry you want to modify. Specifying a CDE action is available only if the system is configured with Solaris Trusted Extensions. See "Using Options that Require Solaris Trusted Extensions," below.
-g egid
(Optional) Specifies the new effective group ID that executes with the command.
-G gid
(Optional) Specifies the new real group ID that executes with the command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd.
-u euid
(Optional) Specifies the new effective user ID that executes with the command.
-U uid
(Optional) Specifies the new real user ID that executes with the command.
-M limit_privs
Specifies the privilege name(s) to modify in an exec_attr(4) entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to modify in anexec_attr(4) entry.
To use an option that requires the Solaris Trusted Extensions feature, you must use the -B toolbox option to specify a toolbox that contains support for Trusted Extensions. For example:
# smexec -add -c <CDE action> -n "User Manager" \ -B http://<server>/toolboxes/tsol_files.tbx
In the command above, <server> is the name of the machine running the Solaris Management Console. See smc(1M) for a description of the -B option.
Example 1: Creating an exec_attr Database Entry
The following creates a new exec_attr entry for the User Manager profile on the local file system. The entry type is cmd for the command /usr/bin/cp. The command has an effective user ID of 0 and an effective group ID of 0.
./smexec add -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -u 0 -g 0
Example 2: Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry for the User Manager profile from the local file system. The entry designated for the command /usr/bin/cp is deleted.
./smexec delete -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp
Example 3: Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr database entry for the User Manager profile on the local file system. The /usr/bin/cp entry is modified to execute with the real user ID of 0 and the real group ID of 0.
./smexec modify -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -U 0 -G 0
See environ(5) for a description of the JAVA_HOME environment variable, which affects the execution of the smexec command. If this environment variable is not specified, the /usr/java location is used. See smc(1M).
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An error message displays.
The following file is used by the smexec command:
/etc/security/exec_attr Rights profiles database. See exec_attr(4).
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWmga |
| Interface Stability | Evolving |
smc(1M), exec_attr(4), attributes(5), environ(5)
|
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |