authexec Command

Purpose

Runs a Role Based Access Control (RBAC) privileged command in a controlled manner.

Syntax

authexec RBACcommandName

Description

The authexec command runs an RBAC privileged command. When authexec is issued, users are authenticated against the roles defined in the authroles attribute of the RBAC command, RBACcommandName, in the RBAC privileged command database.

The authexec command is located in /usr/sbin/.

The user invoking authexec must have sufficient authorization to invoke the target command, RBACcommandName. The authenticating users should not be the same as the invoking user, and each authenticating user must have a valid, non-blank password to pass authentication. No user can be authenticated more than once for any role. A maximum of sixteen roles can be configured for an RBAC privileged command.

A privileged command that has the authroles attribute in the privileged command database cannot be run directly from the shell or by using the exec subroutines in programs. Such commands must be invoked through the authexec command.

This mechanism is not enforced when the command RBACcommandName is invoked by root in a root enabled RBAC system.

Parameters

Item Description
RBACcommandName Specifies the RBAC target command to run, including any flags or parameters. You must specify the absolute path of the target command, RBACcommandName.

Security

Access Control: All users can invoke this command.

Examples

If the command /usr/sbin/shutdown is enabled for authenticated execution using the authroles attribute, then a user who is authorized to run the shutdown command can enter:

authexec /usr/sbin/shutdown

The following example shows the /usr/sbin/shutdown command enabled for authenticated execution using the authroles attribute:

/usr/sbin/shutdown:
        accessauths=aix.system.boot.shutdown
        innateprivs=PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_PROC_PRIV,PV_PROC_SIG
        secflags=FSF_EPS
        authroles=isso,so,sa

Before the shutdown command is run, three distinct users, each holding one of the three roles listed in the authroles attribute, have to be authenticated. In this example, the authroles attribute specifies the isso, so, and sa roles. Invoking the shutdown command requires the access authorization aix.system.boot.shutdown, which is typically associated with the so role. A user other than the one invoking the shutdown command who holds the so role, together with users holding the isso and sa roles, must authenticate for the command to be issued successfully.
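The following Python script is an added illustration, not part of this manual page or of AIX. It parses a stanza in the /etc/security/privcmds layout (the constructed sample reproduces the shutdown stanza above) and then checks a proposed set of authenticating users against the rules this page states for authexec: one user per authroles role, none of them the invoking user, each with a non-blank password, no user authenticated more than once, and at most sixteen roles. The password lookup is a constructed stand-in for the real credential check; the function names are the script's own.

```python
"""Model of the authexec authentication rules described on this page.

Added illustration only: it is not AIX code and does not call authexec.
It parses a privcmds-style stanza and evaluates who must authenticate.
"""

# Constructed sample stanza, mirroring the page's /usr/sbin/shutdown example.
SAMPLE_PRIVCMDS = """\
/usr/sbin/shutdown:
        accessauths=aix.system.boot.shutdown
        innateprivs=PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_PROC_PRIV,PV_PROC_SIG
        secflags=FSF_EPS
        authroles=isso,so,sa
"""

MAX_AUTHROLES = 16  # limit stated on the page


def parse_privcmds(text):
    """Parse stanza text into {command_path: {attribute: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # skip blank and comment lines
            continue
        if line.endswith(":"):                  # stanza header: absolute command path
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def authroles_for(stanzas, command):
    """Return the roles named in the command's authroles attribute."""
    value = stanzas.get(command, {}).get("authroles", "")
    roles = [r for r in value.split(",") if r]
    if len(roles) > MAX_AUTHROLES:
        raise ValueError("more than %d authroles configured" % MAX_AUTHROLES)
    return roles


def check_authentications(invoker, roles, authenticators, passwords):
    """Apply the page's rules to a proposed set of authenticating users.

    invoker:        login name of the user running authexec
    roles:          roles from the authroles attribute
    authenticators: {role: user} mapping of who authenticates for each role
    passwords:      {user: password} lookup (constructed stand-in for the
                    real credential check)
    Returns a list of rule violations; an empty list means every rule passes.
    """
    problems = []
    for role in roles:
        user = authenticators.get(role)
        if user is None:
            problems.append("no user authenticated for role %s" % role)
            continue
        if user == invoker:
            problems.append("invoking user %s cannot authenticate for %s" % (user, role))
        if not passwords.get(user, ""):
            problems.append("user %s has a blank or missing password" % user)
    # No user may be authenticated more than once, whatever the role.
    users = [u for u in authenticators.values() if u is not None]
    for user in sorted(set(users)):
        if users.count(user) > 1:
            problems.append("user %s authenticated for more than one role" % user)
    return problems


if __name__ == "__main__":
    stanzas = parse_privcmds(SAMPLE_PRIVCMDS)
    roles = authroles_for(stanzas, "/usr/sbin/shutdown")
    pw = {"opuser": "a", "alice": "b", "bob": "c", "carol": "d"}  # constructed
    print(roles)
    print(check_authentications("opuser", roles,
                                {"isso": "alice", "so": "bob", "sa": "carol"}, pw))
```

Running the script prints the three roles from the sample stanza and an empty violation list for three distinct, non-invoking users; swapping one authenticator for the invoking user, or reusing a user for two roles, yields the corresponding violation message.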

Files

Item Description
/etc/security/users Contains the extended attributes of users.
/etc/security/roles Contains the attributes of roles.
/etc/security/authorizations Contains the attributes of authorizations.
/etc/security/privcmds Contains the attributes of RBAC privileged commands.