suattr(1M)                                                          suattr(1M)

NAME
     suattr - Execute shell command with specified capabilities at specified
     MAC label
SYNOPSIS
     suattr [ -M label ] [ -C capability_set ] [ -m ] [ arg ... ]
DESCRIPTION
     suattr allows root to execute a command using the given capability set
     and at the given MAC label.

     suattr is designed primarily for system initialization, to grant commands
     executed by startup scripts the privileges they need. To use suattr, the
     real user id must be 0.
OPTIONS
     -C capability_set
          Execute the requested command with the specified capability set. If
          capabilities are not configured on your system, this option is
          silently ignored.

     -M label
          Execute the requested command at the specified MAC label. The
          invoker of su must be cleared to operate at the requested label. If
          that label is different from the user's current label, stdin,
          stdout, and stderr will be closed. If MAC is not configured on your
          system, this option is silently ignored.

     -m   Execute the command with a moldy process label.
     The remaining arguments given on the command line are passed to /bin/sh.
     An arg of the form -c string executes string via the shell, and an arg of
     -r gives the user a restricted shell.
EXAMPLES
     /sbin/suattr -M dbadmin -c "killall syslogd"

     The command killall syslogd is executed at the dbadmin label.

     /sbin/suattr -C CAP_SWAP_MGT+ip -c "/sbin/swap -m"

     Set the inherited and permitted capability set to CAP_SWAP_MGT and
     execute swap. This has the effect of granting swap the capability to
     execute the swap(2) system call, without running it with root's full
     capability set.
     /sbin/suattr -m -c "mv /tmp /.oldtmp"

     Has the effect of preserving the moldy bit when /tmp is moved.
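     The examples above each grant one command exactly the label or capability
     it needs. The following startup-script helper is an added example, not
     part of this manual page: it wraps suattr so that a script fails loudly
     when the real uid is not 0 or the suattr binary is missing (instead of
     silently running the command unprivileged), grants only the requested
     capability set, and redirects the command's output to a log file from
     inside the command string, since suattr closes stdin, stdout and stderr
     when the target label differs from the caller's. The path /sbin/suattr is
     taken from the examples above; the labels, capability names and log paths
     used in the sample calls are assumptions.

```sh
#!/bin/sh
# Added example, not from the suattr(1M) page: a startup-script helper that
# runs one command through suattr with only the capability it needs, at a
# chosen MAC label. /sbin/suattr comes from the page's examples; the labels,
# capability names and log paths in the sample calls are assumptions.

SUATTR=${SUATTR:-/sbin/suattr}

# Print the suattr command line for LABEL, CAPSET and COMMAND. An empty LABEL
# or CAPSET omits the corresponding option, so the command keeps the caller's
# label or capability set for that dimension. The output is a review aid:
# arguments are shown space-separated, not shell-quoted.
# Usage: suattr_cmdline LABEL CAPSET COMMAND
suattr_cmdline() {
    _label=$1; _capset=$2; _cmd=$3
    set -- "$SUATTR"
    [ -n "$_label" ]  && set -- "$@" -M "$_label"
    [ -n "$_capset" ] && set -- "$@" -C "$_capset"
    set -- "$@" -c "$_cmd"
    printf '%s\n' "$*"
}

# Run COMMAND through suattr. Refuses unless the real uid is 0 (suattr's own
# requirement) and the suattr binary is present, so a misconfigured script
# fails instead of running the command without its privileges. Because suattr
# closes stdin, stdout and stderr when LABEL differs from the caller's label,
# the command's output is sent to LOG from inside the command string.
# Usage: suattr_run LABEL CAPSET COMMAND [LOG]
suattr_run() {
    _label=$1; _capset=$2; _cmd=$3; _log=${4:-/dev/null}
    if [ "$(id -ru)" != 0 ]; then
        echo "suattr_run: real uid must be 0 to use suattr" >&2
        return 1
    fi
    if [ ! -x "$SUATTR" ]; then
        echo "suattr_run: $SUATTR not found or not executable" >&2
        return 1
    fi
    set -- "$SUATTR"
    [ -n "$_label" ]  && set -- "$@" -M "$_label"
    [ -n "$_capset" ] && set -- "$@" -C "$_capset"
    "$@" -c "$_cmd </dev/null >>$_log 2>&1"
}

# Sample startup sequence (labels, capability and log path are assumptions):
#   suattr_run dbadmin "" "killall syslogd" /var/adm/startup.log
#   suattr_run "" CAP_SWAP_MGT+ip "/sbin/swap -m" /var/adm/startup.log
```

     Keeping the capability set and label per command, rather than running the
     whole startup script with root's full capability set, limits what any one
     misbehaving command can do.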
FILES
     /etc/passwd       system's password file
     /etc/capability   system's capability file
     /etc/clearance    user clearance label information file
SEE ALSO
     capability(4), clearance(4), newlabel(1M), chcap(1).
NOTES
     Unexpected results, including a system which hangs during startup, may
     occur if the user root is removed from /etc/passwd or if root's
     capability set or clearance range is altered.