.pf_wrapper

Package: WA2L/edrc 1.5.57
Section: General Commands (1)
Updated: 29 August 2014

 

NAME

pf_wrapper - start command thru sudo or RBAC if user is privileged

 

SYNOPSIS

edrc/pbin/edrc_command -> .pf_wrapper

 

AVAILABILITY

WA2L/edrc

 

DESCRIPTION

Wrap WA2L/edrc commands to be started thru pfexec(1) or sudo(8).

Privileges for the edrc_command are granted through the original operating system commands ( sudo, pfexec ), which execute it with elevated permissions.

pf_wrapper(1) simplifies the startup of those commands. The user only needs to add the ~edrc/pbin/ directory to the $PATH environment variable and does not need to know whether a system (such as Solaris or HP-UX) is configured to use RBAC (Role Based Access Control) pfexec or sudo to execute a command with elevated permissions.

To include an additional WA2L/edrc command into this mechanism, create a symlink to the .pf_wrapper in the edrc/pbin/ directory.

If a system uses both startup mechanisms ( RBAC and sudo ), the wrapper first checks whether the command is configured to be started thru RBAC, then sudo.

 

OPTIONS

-

 

ENVIRONMENT

-

 

EXIT STATUS

107
direct call of .pf_wrapper.

126
permission denied to start a command. This error occurs if the WA2L/edrc command is not configured to be executed thru sudo or RBAC.

127
command does not exist in WA2L/edrc ( edrc/sbin/, edrc/bin/ or edrc/lib/ ).

x
exit status of the related command.
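
The decision order from DESCRIPTION and the exit statuses above, as an added shell sketch that is not the WA2L/edrc source. EDRC_HOME, RBAC_CMDS, SUDO_CMDS, in_list and pf_plan are hypothetical names; the two lists are constructed stand-ins for the real exec_attr and sudoers lookups, and the function prints the launcher line instead of executing it.

```shell
#!/bin/sh
# Added illustration, not the WA2L/edrc source. EDRC_HOME, RBAC_CMDS and
# SUDO_CMDS are hypothetical; the two space-separated path lists stand in
# for the real exec_attr and sudoers lookups (paths must not contain spaces).
EDRC_HOME=${EDRC_HOME:-/opt/edrc}
RBAC_CMDS=${RBAC_CMDS:-}
SUDO_CMDS=${SUDO_CMDS:-}

in_list() {  # in_list ITEM LIST: succeed if ITEM is a word in LIST
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# pf_plan NAME: NAME is the basename the wrapper was invoked under.
# Prints the launcher line on success; otherwise returns the exit status
# documented above (107, 126 or 127).
pf_plan() {
    name=$1 target=
    # Direct call of the wrapper itself, not through a pbin/ symlink.
    [ "$name" = ".pf_wrapper" ] && return 107
    # Refuse names with a path component so the lookup stays in EDRC_HOME.
    case $name in */*|"") return 127 ;; esac
    for dir in sbin bin lib; do
        if [ -f "$EDRC_HOME/$dir/$name" ] && [ -x "$EDRC_HOME/$dir/$name" ]; then
            target=$EDRC_HOME/$dir/$name
            break
        fi
    done
    [ -n "$target" ] || return 127
    # RBAC is checked first, then sudo; the original command path is what
    # must be authorized, never the pbin/ symlink.
    if in_list "$target" "$RBAC_CMDS"; then
        echo "pfexec $target"
    elif in_list "$target" "$SUDO_CMDS"; then
        echo "sudo $target"
    else
        return 126
    fi
}
```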

 

FILES

bin/
binary directory in WA2L/edrc where the edrc_command is located.

lib/
library directory in WA2L/edrc where the edrc_command is located.

pbin/
binary directory for commands that could be started with elevated permissions. This directory only contains symlinks to the .pf_wrapper.

sbin/
binary directory where the edrc(1m) command is located.

var/log/pf_wrapper.log
log file for the .pf_wrapper command.

/etc/sudoers
typical configuration file for sudo(8).

/etc/security/exec_attr
execution profiles database for RBAC.

/etc/security/prof_attr
profile description database for RBAC.

/etc/user_attr
extended user attributes database for RBAC.

 

EXAMPLES

1) sudo configuration example

To start some commands thru sudo, the following lines could be added to the /etc/sudoers file using the visudo command. To ensure that the user has to supply their own password to execute the privileged commands, the settings in lines 55 and 56 should be commented out or removed from the file.

  [ /etc ]
  [ root@host-001 ][*eshell*/bash]: sav sudoers; visudo

     1  #
     2  # /etc/sudoers - sudo access definition file
     3  #
     4  # [01] 25.02.2012 CWa  +*_EDRC_* definitions
     5  #
     6  ##
     7  ## Sudoers allows particular users to run various commands
     8  ## as the root user, without needing the root password.
     9  ##
     :
    18  ## User Aliases
    19  User_Alias     ROLE_EDRC_ADM = john, fred
    20  User_Alias     ROLE_EDRC_OPS = barney
    21  User_Alias     ROLE_EDRC_USR = wilma, betty
    22  
    23  # WA2L/edrc definitions
    24  #
    25  ROLE_EDRC_ADM  ALL = PASSWD: CMD_EDRC_USR, CMD_EDRC_OPS, CMD_EDRC_ADM
    26  ROLE_EDRC_OPS  ALL = PASSWD: CMD_EDRC_USR, CMD_EDRC_OPS
    27  ROLE_EDRC_USR  ALL = PASSWD: CMD_EDRC_USR
    28  Cmnd_Alias     CMD_EDRC_ADM = /opt/edrc/bin/shell, /opt/edrc/bin/sat,\
    29                                /opt/edrc/sbin/edrc, /opt/edrc/bin/sys
    30  Cmnd_Alias     CMD_EDRC_OPS = /opt/edrc/bin/osup
    31  Cmnd_Alias     CMD_EDRC_USR = /opt/edrc/bin/asup,  /opt/edrc/bin/psup
     :
    51  # In the default (unconfigured) configuration, sudo asks for the root
    52  # password. This  allows  use  of   an  ordinary  user   account  for
    53  # administration of a fresh installed system.  When configuring sudo,
    54  # delete the two following lines:
    55  #Defaults      targetpw      # specify passwd of target user i.e root
    56  #ALL           ALL=(ALL) ALL # only together with 'Defaults targetpw'
     :
   ~
   ~
   ~

The concept of the configuration example above is that all commands to be used by a user are defined in the command alias CMD_EDRC_USR, the additional commands used by operational personnel are defined in the command alias CMD_EDRC_OPS, and the additional commands used by administrators are listed in CMD_EDRC_ADM.

To build roles, the role ROLE_EDRC_USR consists of the CMD_EDRC_USR commands, the ROLE_EDRC_OPS consists of the CMD_EDRC_USR and CMD_EDRC_OPS commands, and the ROLE_EDRC_ADM consists of all three CMD_EDRC_* command sets (CMD_EDRC_USR, CMD_EDRC_OPS and CMD_EDRC_ADM).

Finally, a role is connected to a real user using the User_Alias directive. In a more automated environment you most likely don't want to edit the sudoers file every time your user base changes; therefore a User_Alias can be connected to an operating system group ( %groupname ) with the setting:

     :
    18  ## User Aliases
    19  User_Alias     ROLE_EDRC_ADM = %edrc_adm
    20  User_Alias     ROLE_EDRC_OPS = %edrc_ops
    21  User_Alias     ROLE_EDRC_USR = %edrc_usr
    22
     :

In this example the operating system groups edrc_adm, edrc_ops and edrc_usr represent the roles defined in the sudoers file.

2) RBAC configuration example
-

3) add ~edrc/pbin directory to the user's ~/.bashrc for Bourne again Shell

  [ /home/fred ]
  [ fred@host-001 ][bash]: vi ~/.bashrc
     :
    27  # Add edrc/pbin to $PATH
    28  PATH=~edrc/pbin:$PATH; export PATH
   ~
   ~

4) add ~edrc/pbin directory to the user's ~/.kshrc for Korn Shell

  [ /home/fred ]
  [ fred@host-001 ][bash]: vi ~/.kshrc
     :
    27  # Add edrc/pbin to $PATH
    28  PATH=~edrc/pbin:$PATH; export PATH
   ~
   ~

 

SEE ALSO

edrcintro(1), edrcsetup(1m), sudo(8), sudoers(5), uniqpath(3), visudo(8), profiles(1), exec_attr(4), user_attr(4), prof_attr(4)

 

NOTES

Currently the WA2L/edrc commands asup(1), edrc(1m), lotsctl(1), osup(1), psup(1), sat(1), shell(1) and sys(1) are available in the pbin/ directory.

Be aware that the original command ( for example: ~edrc/bin/shell ) always has to be configured in sudo or RBAC, and not the pbin/.pf_wrapper command.

Therefore, if you followed the suggestions on how to configure sudo(8) in the edrcsetup(1m) manual page, you don't have to change anything in the sudo configuration.
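
Because pbin/ is placed first in the users' $PATH and is documented to contain only symlinks to the .pf_wrapper, the following added check (not part of WA2L/edrc) audits that invariant. audit_pbin and its finding labels are hypothetical names; the -ef test is a common extension of test(1) in bash, ksh and dash rather than strict POSIX.

```shell
#!/bin/sh
# Added illustration, not part of WA2L/edrc. audit_pbin is a hypothetical helper.
# audit_pbin EDRC_HOME: print one finding per line, return 1 if any was found.
audit_pbin() {
    home=$1 pbin=$1/pbin bad=0
    [ -f "$pbin/.pf_wrapper" ] || { echo "MISSING .pf_wrapper"; return 1; }
    # pbin/ is searched before the system directories, so only its owner
    # should be able to add entries to it.
    if [ -n "$(find "$pbin" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "WRITABLE pbin"; bad=1
    fi
    for entry in "$pbin"/* "$pbin"/.[!.]*; do
        name=${entry##*/}
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        [ "$name" = ".pf_wrapper" ] && continue
        # A regular file here would shadow a same-named system command.
        if [ ! -L "$entry" ]; then
            echo "NOT_SYMLINK $name"; bad=1; continue
        fi
        # The symlink must resolve to the wrapper itself (dangling links fail too).
        if [ ! "$entry" -ef "$pbin/.pf_wrapper" ]; then
            echo "WRONG_TARGET $name"; bad=1; continue
        fi
        # The name must exist in sbin/, bin/ or lib/, else the wrapper exits 127.
        found=0
        for dir in sbin bin lib; do
            [ -f "$home/$dir/$name" ] && [ -x "$home/$dir/$name" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "NO_COMMAND $name"; bad=1; }
    done
    return "$bad"
}
```

Run it as audit_pbin /opt/edrc, or with whatever directory ~edrc resolves to on the system.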

 

BUGS

-

 

AUTHOR

pf_wrapper was developed by Christian Walther. Send suggestions and bug reports to wa2l@users.sourceforge.net .

 

COPYRIGHT

Copyright © 2014 Christian Walther

This is free software; see edrc/doc/COPYING for copying conditions. There is ABSOLUTELY NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


 
