Purpose
Changes the attribute values of a least-privilege (LP) resource.
Syntax
To change the attribute values of an LP resource:
- On the local node:
chlpcmd [ -l 0 │ 1 ] [ -c 0 │ 1 │ 2 │ 3 ] [-h] [-TV] resource_name attr1=value1 [attr2=value2…]
chlpcmd -r [-h] [-TV] resource_name
- On all nodes in a domain:
chlpcmd -a [ -l 0 │ 1 ] [ -c 0 │ 1 │ 2 │ 3 ] [-h] [-TV] resource_name attr1=value1 [attr2=value2…]
chlpcmd -a -r [-h] [-TV] resource_name
- On a subset of nodes in a domain:
chlpcmd -n host1 [,host2,…] [ -l 0 │ 1 ] [ -c 0 │ 1 │ 2 │ 3 ] [-h] [-TV] resource_name attr1=value1 [attr2=value2…]
chlpcmd -n host1 [,host2,…] -r [-h] [-TV] resource_name
Description
Use the chlpcmd command to change any of the read/write attribute values of an LP resource. An LP resource is a root command or script to which users are granted access based on permissions in the LP access control lists (ACLs). Use the -r flag to recalculate and assign the CheckSum attribute.
Use the -c flag to change the ControlFlags attribute. Use the -l flag to change the Lock attribute.
Use attr=value parameters to modify these attributes: Name, CommandPath, RunCmdName, FilterScript, FilterArg, and Description.
This command runs on any node.
If you want this command to run on all of the nodes in a domain,
use the -a flag. If you want this command
to run on a subset of nodes in a domain, use the -n flag. Otherwise, this command runs on the local node.
Flags
- -a
- Changes attribute values for resource_name on all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable's setting determines the cluster scope.
If CT_MANAGEMENT_SCOPE is not set, the
LP resource manager uses scope settings in this order:
- The management domain, if it exists
- The peer domain, if it exists
- Local scope
The chlpcmd command runs once for the first valid scope that the LP resource manager finds. For example, suppose a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not set. In this case, chlpcmd -a runs in the management domain. To run chlpcmd -a in the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
- -n host1[,host2,…]
- Specifies one or more nodes in the domain on which the LP resource
is to be changed. By default, the LP resource is changed on the local
node. This flag is valid only in a management domain or a peer domain.
If the CT_MANAGEMENT_SCOPE environment variable
is not set, the LP resource manager uses scope settings in this order:
- The management domain, if it exists
- The peer domain, if it exists
- Local scope
The chlpcmd command runs once for
the first valid scope that the LP resource manager finds.
- -r
- Recalculates and assigns the CheckSum attribute value for this LP resource. Use the -r flag when:
- You have modified the command or script that this LP resource
represents.
- You want to change the CheckSum value
from 0 to the correct value after the command
or script becomes available on the system.
- -l 0 │ 1
- Locks or unlocks the resource. You can use this flag to protect
the resource from being deleted by accident. The default value is 0, which means no lock is set. To lock the resource,
use chlpcmd -l 1.
- -c 0 │ 1 │ 2 │ 3
- Sets the ControlFlags attribute, which
is used to specify the control features for an LP command. If ControlFlags is not specified, it is set to 1 by default. Use this flag to specify one of
these values:
- 0
- Does not validate the CheckSum value.
- 1
- Does not validate the CheckSum value.
This is the default.
- 2
- Validates the CheckSum value.
- 3
- Validates the CheckSum value.
When an attempt is made to run the LP resource
using the runlpcmd command, the value of
the ControlFlags attribute determines which
checks are performed before running the command represented by the
resource.
In this release of RSCT, the ControlFlags attribute value specifies whether the CheckSum value is to be validated.
In previous releases of RSCT, the ControlFlags attribute value also specified whether the presence of certain characters in the input arguments to runlpcmd was to be disallowed. Checking for these characters is no longer necessary.
To maintain compatibility with LP resources that were defined
in previous releases of RSCT, the ControlFlags attribute values, with respect to validating the CheckSum value, have remained the same. Consequently, values 0 and 1 indicate that
the CheckSum value is not to be validated,
and values 2 and 3 indicate that the CheckSum value is to
be validated.
- -h
- Writes the command's usage statement to standard output.
- -T
- Writes the command's trace messages to standard error.
- -V
- Writes the command's verbose messages to standard output.
Parameters
- resource_name
- Specifies the name of the LP resource to change.
- attr1=value1 [attr2=value2…]
- Specifies one or more read/write attributes and their new values.
Security
To run the chlpcmd command, you need:
Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.
Exit Status
- 0
- The command has run successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with the command-line interface (CLI) script.
- 3
- An incorrect flag was specified on the command line.
- 4
- An incorrect parameter was specified on the command line.
- 5
- An error occurred with RMC that was based on incorrect command-line
input.
- 6
- The resource was not found.
Environment Variables
- CT_CONTACT
- Determines the system that is used for the session with the RMC
daemon. When CT_CONTACT is set to a host
name or IP address, the command contacts the RMC daemon on the specified
host. If CT_CONTACT is not set, the command
contacts the RMC daemon on the local system where the command is being
run. The target of the RMC daemon session and the management scope
determine the LP resources that are processed.
- CT_IP_AUTHENT
- When the CT_IP_AUTHENT environment variable exists, the
RMC daemon uses IP-based network authentication to contact the RMC
daemon on the system that is specified by the IP address to which
the CT_CONTACT environment variable is set. CT_IP_AUTHENT only has meaning if CT_CONTACT is set to an IP address; it
does not rely on the domain name system (DNS) service.
- CT_MANAGEMENT_SCOPE
- Determines the management scope that is used for the session with
the RMC daemon to process the LP resources. The management scope determines
the set of possible target nodes where the resources can be processed.
The valid values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If CT_MANAGEMENT_SCOPE is
not set, local scope is used.
Implementation Specifics
This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.
Standard Output
When the -h flag is specified, this command's usage statement is written
to standard output. When the -V flag is
specified, this command's verbose messages are written to standard
output.
Standard Error
All trace messages are written to standard error.
Examples
- To change the Lock attribute of LP resource lpcommand1 before deleting a resource on a local
node, enter:
chlpcmd -l 0 lpcommand1
- Suppose nodeA is in a management domain
and CT_MANAGEMENT_SCOPE is set to 3. To recalculate the CheckSum attribute value of LP resource lpcommand2 on nodeA, enter:
chlpcmd -r -n nodeA lpcommand2
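An added example, not part of the IBM documentation: a POSIX shell wrapper for the checksum workflow described under the -r and -c flags. It recalculates CheckSum, then sets a ControlFlags value that validates it and locks the resource, reporting failures with the exit statuses listed above. The function names, the CHLPCMD override variable, the wrapper's own return code 64 and the choice of 2 as the default validating value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. CHLPCMD is a hypothetical override used for
# testing; its default is the path given under Location.
CHLPCMD=${CHLPCMD:-/usr/sbin/rsct/bin/chlpcmd}

# ControlFlags 2 and 3 validate CheckSum; 0 and 1 (the default) do not.
validates_checksum() {
    case "$1" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Meaning of a chlpcmd exit status, from the Exit Status section.
explain_status() {
    case "$1" in
        0) echo "success" ;;
        1) echo "RMC error" ;;
        2) echo "CLI script error" ;;
        3) echo "incorrect flag" ;;
        4) echo "incorrect parameter" ;;
        5) echo "RMC error caused by incorrect command-line input" ;;
        6) echo "resource not found" ;;
        *) echo "unexpected status" ;;
    esac
}

# Recalculate CheckSum first, then enable validation and lock the resource.
# Stops at the first failure so validation is never switched on against a
# CheckSum that was not refreshed.
# usage: enforce_checksum resource_name [control_flags]
#   control_flags defaults to 2 (an arbitrary pick among validating values)
enforce_checksum() {
    res=$1
    flags=${2:-2}
    if ! validates_checksum "$flags"; then
        echo "ControlFlags=$flags would not validate CheckSum" >&2
        return 64   # this wrapper's own code, outside chlpcmd's 0-6 range
    fi
    for step in "-r" "-l 1 -c $flags"; do
        # $step is left unquoted on purpose so it splits into separate flags
        "$CHLPCMD" $step "$res" || {
            rc=$?
            echo "chlpcmd $step $res: $(explain_status "$rc") ($rc)" >&2
            return "$rc"
        }
    done
}
```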
Location
- /usr/sbin/rsct/bin/chlpcmd
- Contains the chlpcmd command