privrun - invoke another application with privileges after performing appropriate authorization checks and optionally reauthenticating the user
privrun [options] command [args]
The options, described below, take an authorization, a compartment, an effective and a real gid|groupname, a comma-separated list of privileges, and an effective and a real uid|username.
privrun allows a user to run legacy applications with elevated privileges according to the authorizations associated with that user. The user invokes privrun, specifying the legacy application and its arguments on the command line. privrun consults the cmd_priv database to determine which authorization is required to run the command with additional privileges. (An authorization is specified as an operation and a target object.) If the user has the necessary authorization, privrun invokes the specified command after changing its UID and/or GID as specified in the database. privrun also allows a command to be run with a specified set of fine-grained privileges, and/or in a specified compartment.
The method to determine whether the user has the necessary authorization is configurable by the system administrator. A module is provided
to associate a fixed set of authorizations with the user based on the user's role. See rbac(5) for more information.
privrun recognizes the following options:
The authorization option matches only those entries requiring the specified authorization. An authorization is defined as an (operation, object) pair in the cmd_priv database. The specified authorization must exactly match the authorization present in the file (that is, wildcarding is not supported).
The compartment option matches only those entries whose compartment is the specified compartment. The specified compartment must exactly match the compartment present in the file.
The effective-group option (gid|groupname) matches only those entries whose effective group ID (EGID) corresponds to the specified EGID or to the EGID associated with the group name.
The real-group option (gid|groupname) matches only those entries whose real group ID (RGID) corresponds to the specified RGID or to the RGID associated with the group name.
The help option prints usage information.
The privileges option matches the specified privileges against the privileges in the cmd_priv database entry. When specifying multiple privileges, separate each privilege with a comma. Every privilege specified with this option must have a match in the database entry.
The check option tests whether the user has the authorization to execute the command and reports the result to the user. The command is not invoked.
The effective-user option (uid|username) matches only those entries whose effective user ID (EUID) corresponds to the specified EUID or to the EUID associated with the user name.
The real-user option (uid|username) matches only those entries whose real user ID (RUID) corresponds to the specified RUID or to the RUID associated with the user name.
The verbose option invokes privrun in verbose mode. The verbose level is increased if the option is specified twice. An increased verbose level will print more
The fall-back option causes privrun, if the authorization check fails, to execute the program anyway with the caller's original privileges only. No additional privileges are granted, and the exit status is then that of the program rather than a privrun failure.
privrun recognizes the following operands:
command [args]  The HP-UX command to run. command must be fully qualified. If it is not, privrun uses the current working directory and the search-path environment variable to locate the desired command. args specifies any arguments that the command recognizes.
The cmd_priv Database
The cmd_priv file records which authorization is required to execute each command binary, or to edit each file. It also holds the resulting privileges (real and effective UID and GID, fine-grained privileges, compartment) associated with the binary. If the user is required to reauthenticate before authorization succeeds, a PAM service name is specified in this file; it indicates how privrun identifies itself to PAM. See pam.conf(4) for more detailed information.
The file contains any number of entries, where each entry is specified on a single line as a sequence of colon-separated fields, in the order given below:
These fields are defined as follows:
command or file: For privrun, the fully qualified path of the command being wrapped to provide additional privileges. For privedit, the fully qualified path of a file to edit. This field may contain wildcards as defined in fnmatch(3C).
args: The exact set of arguments (matched as a string) with which the user must invoke the command. If this field is empty, the command may not be invoked with any arguments. If this field contains the wildcard keyword, the command may be invoked with any arguments; because the privileged command then accepts whatever the caller passes, prefer an exact argument string wherever the arguments can change what the command does. This field is used only by privrun and is ignored by privedit.
operation: The operation the user is required to have on the specified object.
object: The target of the operation. Together, the operation and object form the authorization. operation must be fully qualified and cannot contain a wildcard. A wildcard in the object field requires that the user hold the specified operation on all objects. (Note: this is satisfied by a wildcard object in the database that defines the authorizations for each role, if RBAC is in use.) The operation field may instead contain the keyword indicating that no access check is required, in which case the command is invoked with privilege for any user; such an entry is an unconditional privilege grant and should be paired with the most restrictive args field possible.
UID and GID: Part of the privileges granted to the wrapped command (process) if the user has the specified authorization. If any of these IDs are specified, privrun sets the corresponding real or effective ID before invoking the command. The IDs may also be given by name, in which case the conversion to a numeric ID is performed at invocation time. This field is used only by privrun and is ignored by privedit. Each UID and GID in this field is optional; an absent ID indicates that the corresponding ID of the process remains unchanged, but the slash characters separating the IDs must remain.
compartment: The compartment in which to invoke the application. A compartment is an attribute associated with a process, used to compartmentalize different OS processes. If compartments are not enabled on the system, this field should still be set to the designated default value rather than left empty; an empty field may cause an error. Refer to compartments(5) for more information on compartments. This field is used only by privrun and is ignored by privedit.
privs: Fine-grained privileges to be associated with the process at invocation. These privileges allow specific kernel operations to be performed without granting full superuser privilege. If the field is set to the keyword for basic privileges, only the basic privileges are granted to the process. Refer to privileges(5) for more detailed information. This field is used only by privrun and is ignored by privedit.
reauthentication service: If specified, the user is reauthenticated before the command is run. privrun identifies itself to PAM as the service named in this field, which allows the security officer to impose an additional set of restrictions for particular commands. See pam.conf(4) for a list of PAM services. A keyword must be used to indicate that no reauthentication is required.
flags: This field is used by both privrun and privedit. In privrun there is only one defined flag: if it is set, none of the environment variables are scrubbed before the command is invoked. Disabling the scrub passes the caller's environment unchanged to a privileged process, so it should be set only for commands known to be safe with an untrusted environment. For the flag usage in privedit, see privedit(1M). Otherwise, the default keyword is expected to appear in this field for a privrun entry.
White space between fields, immediately surrounding the colon field separator, is optional and is ignored by privrun.
There can be multiple entries in cmd_priv for the same command line, each requiring a different authorization and resulting in different privileges. privrun evaluates the entries in the order in which they appear in the file, continuing to the next only if the user does not have the authorization required by the current one. To match a particular entry in cmd_priv, use the command options to specify the set of privileges for the desired entry; the first entry in file order that satisfies those options and the authorization check is the one used.
The language environment variable determines the language in which messages are displayed.
International Code Set Support
Single-byte character code set is supported.
Success: If privrun permitted the user to execute the program, the return value of privrun is the return value of the executed program.
Failure: privrun returns its failure value and prints an appropriate error message to stderr.
In the following example, the caller invokes privrun to execute a command, passing a single argument to that command. privrun examines the cmd_priv database for an entry corresponding to the command. If this entry is found, the necessary authorization is retrieved from that entry, and privrun invokes the command if the user has that authorization.
In the following example, the caller wants to change the effective UID of the calling process to 28, change the effective GID of the calling process to that of the group other, and execute the command. If an entry exists for the command with the associated EUID set to 28 and the EGID set to the EGID corresponding to the group name other, the usual authorization and invocation process occurs. If no such entry exists (even if an entry for the command appears with different associated privileges (EUID/EGID)), privrun fails and prints an error message.
In the following example, the caller wants to execute the command within a particular compartment. If an entry exists for the command with that compartment specified, the command is executed in that compartment. If no such entry exists (even if an entry for the command appears with a different compartment specification), privrun fails and prints an error message.
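The entry-matching rules described under The cmd_priv Database, and the option-filtered lookups in the examples above, can be exercised with the following model. It is an added example written for this page, not HP-UX code and not the privrun implementation. The colon-separated field order (with the ID field taken to be ruid/euid/rgid/egid), the spellings of the keywords (<any>, ALLOW, NO_REAUTH, NO_ENV_SCRUB and the * object wildcard), the rule that an authorization held on all objects also satisfies an entry naming a specific object, the name-to-ID tables and the sample entries are all assumptions constructed for the example.

```python
# Added example: a Python model of how privrun picks a cmd_priv entry. Not HP-UX code.
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Keyword spellings below are assumptions of this model, not taken from the page.
ANY_ARGS = "<any>"             # args field: any arguments allowed
ALLOW_OP = "ALLOW"             # operation field: no access check required
NO_REAUTH = "NO_REAUTH"        # reauth field: no reauthentication
NO_ENV_SCRUB = "NO_ENV_SCRUB"  # flags field: do not scrub the environment
ALL_OBJECTS = "*"              # object field: operation required on all objects

# Constructed name-to-ID tables standing in for the passwd/group lookups that
# privrun performs at invocation time.
USERS = {"root": 0, "bin": 2, "www": 28}
GROUPS = {"other": 1, "sys": 3}

@dataclass(frozen=True)
class Entry:                   # IDs are None when the field left them unchanged
    path: str; args: str; operation: str; obj: str
    ruid: object; euid: object; rgid: object; egid: object
    compartment: str; privs: frozenset; reauth: str; flags: str

def _resolve_id(field, table):
    field = field.strip()      # empty: leave unchanged; names: convert to numbers
    if field == "":
        return None
    return int(field) if field.isdigit() else table[field]

def parse_cmd_priv(text):
    """Assumed entry form: command:args:operation:object:ruid/euid/rgid/egid:
    compartment:privs:reauth:flags; white space around the colons is ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = [x.strip() for x in line.split(":")]
        if len(f) != 9:
            raise ValueError("malformed entry: " + line)
        ids = f[4].split("/")
        if len(ids) != 4:      # the separating slashes must remain even if IDs are absent
            raise ValueError("ID field must keep its three slashes: " + f[4])
        privs = frozenset(p.strip() for p in f[6].split(",") if p.strip())
        entries.append(Entry(f[0], f[1], f[2], f[3],
                             _resolve_id(ids[0], USERS), _resolve_id(ids[1], USERS),
                             _resolve_id(ids[2], GROUPS), _resolve_id(ids[3], GROUPS),
                             f[5], privs, f[7], f[8]))
    return entries

def authorized(user_auths, operation, obj):
    """user_auths: set of (operation, object) pairs the caller holds (e.g. via RBAC)."""
    if operation == ALLOW_OP:
        return True                      # entry requires no access check
    if obj == ALL_OBJECTS:               # entry demands the operation on all objects
        return (operation, ALL_OBJECTS) in user_auths
    return (operation, obj) in user_auths or (operation, ALL_OBJECTS) in user_auths

def select_entry(entries, command, args, user_auths, euid=None, ruid=None,
                 egid=None, rgid=None, compartment=None, privs=()):
    """First entry in file order whose path, args and option filters match and
    whose authorization the caller holds; None if privrun would fail."""
    joined, wanted = " ".join(args), set(privs)
    for e in entries:
        if not fnmatchcase(command, e.path):
            continue
        if e.args == "" and args:        # empty args field: no arguments allowed
            continue
        if e.args not in ("", ANY_ARGS) and e.args != joined:
            continue                     # otherwise the argument string must match exactly
        if any(want is not None and have != want for want, have in
               ((euid, e.euid), (ruid, e.ruid), (egid, e.egid), (rgid, e.rgid),
                (compartment, e.compartment))):
            continue                     # an option filter must match the entry exactly
        if not wanted <= e.privs:        # every requested privilege must be present
            continue
        if authorized(user_auths, e.operation, e.obj):
            return e                     # otherwise keep evaluating, in file order
    return None

def privrun_model(entries, command, args, user_auths, fallback=False, **filters):
    """Resulting process attributes, the unprivileged fall-back, or None (error)."""
    e = select_entry(entries, command, args, user_auths, **filters)
    if e is None:
        return {"command": command, "privileged": False} if fallback else None
    return {"command": command, "privileged": True, "ruid": e.ruid, "euid": e.euid,
            "rgid": e.rgid, "egid": e.egid, "compartment": e.compartment,
            "privs": e.privs, "reauth": None if e.reauth == NO_REAUTH else e.reauth,
            "scrub_env": e.flags != NO_ENV_SCRUB}

# Constructed sample database: hypothetical commands, authorizations and names.
SAMPLE_DB = """
# command:args:operation:object:ruid/euid/rgid/egid:compartment:privs:reauth:flags
/usr/sbin/hypot_netcfg : <any>  : hpux.network.config : * : /0//       : INIT : PRIV_NETADMIN : NO_REAUTH :
/usr/sbin/hypot_netcfg : status : hpux.network.config : * : /28//other : INIT :               : NO_REAUTH : NO_ENV_SCRUB
/usr/bin/hypot_report  :        : ALLOW               : * : /www//     : INIT :               : NO_REAUTH :
/usr/sbin/hypot_edit   : <any>  : hpux.security.file  : /etc/hypot.conf : /0// : INIT : PRIV_DACWRITE : hypot_reauth :
"""
ENTRIES = parse_cmd_priv(SAMPLE_DB)
```

select_entry walks the entries in file order and returns the first one whose path, argument string and option filters match and for which the caller holds the authorization, so a filter such as euid=28 makes an otherwise usable entry with a different EUID invisible, as the second example above describes. privrun_model turns the chosen entry into the resulting IDs, compartment, privileges, reauthentication service and environment-scrub decision, or models the fall-back option when no entry matches.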
Database containing valid definitions of all roles.
Database containing definitions of all valid authorizations.
Database specifying the roles for each specified user.
Database defining the authorizations for each role.
cmd_priv: Database defining the authorization information needed to execute commands and to edit files under access control.
authadm(1M), cmdprivadm(1M), cmpt_tune(1M), rbacdbchk(1M), roleadm(1M), compartments(5), privileges(5), rbac(5).