smexec(1M) System Administration Commands smexec(1M)
NAME
smexec - manage entries in the exec_attr database
SYNOPSIS
/usr/sadm/bin/smexec subcommand [ auth_args] -- [subcommand_args]
DESCRIPTION
The smexec command manages an entry in the exec_attr(4) database in the local /etc files name service or a NIS or NIS+ name service.
subcommands
smexec subcommands are:
add Adds a new entry to the exec_attr(4) database. To add an entry to the exec_attr database, the administrator must have the
solaris.profmgr.execattr.write authorization.
delete Deletes an entry from the exec_attr(4) database. To delete an entry from the exec_attr database, the administrator must
have the solaris.profmgr.execattr.write authorization.
modify Modifies an entry in the exec_attr(4) database. To modify an entry in the exec_attr database, the administrator must have
the solaris.profmgr.execattr.write authorization.
OPTIONS
The smexec authentication arguments, auth_args, are derived from the smc(1M) arg set and are the same regardless of which subcommand you
use. The smexec command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After reboot-
ing the Solaris Management Console server, the first Solaris Management Console connection might time out, so you might need to retry the
command.
The subcommand-specific options, subcommand_args, must come after the auth_args and must be separated from them by the -- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed
and the user may be prompted for additional information, such as a password for authentication purposes. These letter options can also be
specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain with the domain argu-
ment.
-D | --domain domain
Specifies the default domain that you want to manage. The syntax of domain is type:/host_name/domain_name, where type is nis, nisplus,
dns, ldap, or file; host_name is the name of the machine that serves the domain; and domain_name is the name of the domain you want to
manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to man-
age, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the
domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port,
898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898. You may still have to
choose a toolbox to load into the console. To override this behavior, use the smc(1M) -B option, or set your console preferences to
load a "home toolbox" by default.
-l | --rolepassword role_password
Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to sup-
ply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered
insecure.
-p | --password password
Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the
command line can be seen by any user on the system, hence this option is considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do not specify this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is
assumed.
--
This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter
the -- option.
subcommand_args
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
o For subcommand add:
-c command_path
Specifies the full path to the command associated with the new exec_attr entry.
-g egid
(Optional) Specifies the effective group ID that executes with the command.
-G gid
(Optional) Specifies the real group ID that executes with the command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the new exec_attr entry.
-t type
Specifies the type for the command. Currently, the only acceptable value for type is cmd.
-u euid
(Optional) Specifies the effective user ID that executes with the command.
-U uid
(Optional) Specifies the real user ID that executes with the command.
-M limit_privs
Specifies the privilege name(s) to add to the new exec_attr(4) entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to add to the new exec_attr(4) entry.
o For subcommand delete:
-c command_path
Specifies the full path to the command associated with the exec_attr entry.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd.
o For subcommand modify:
-c command_path
Specifies the full path to the command associated with the exec_attr entry that you want to modify.
-g egid
(Optional) Specifies the new effective group ID that executes with the command.
-G gid
(Optional) Specifies the new real group ID that executes with the command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd.
-u euid
(Optional) Specifies the new effective user ID that executes with the command.
-U uid
(Optional) Specifies the new real user ID that executes with the command.
-M limit_privs
Specifies the privilege name(s) to modify in an exec_attr(4) entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to modify in anexec_attr(4) entry.
EXAMPLES
Example 1: Creating an exec_attr Database Entry
The following creates a new exec_attr entry for the User Manager profile on the local file system. The entry type is cmd for the command
/usr/bin/cp. The command has an effective user ID of 0 and an effective group ID of 0.
./smexec add -H myhost -p mypasswd -u root -- -n "User Manager"
-t cmd -c /usr/bin/cp -u 0 -g 0
Example 2: Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry for the User Manager profile from the local file system. The entry designated for
the command /usr/bin/cp is deleted.
./smexec delete -H myhost -p mypasswd -u root -- -n "User Manager"
-t cmd -c /usr/bin/cp
Example 3: Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr database entry for the User Manager profile on the local file system. The
/usr/bin/cp entry is modified to execute with the real user ID of 0 and the real group ID of 0.
./smexec modify -H myhost -p mypasswd -u root -- -n "User Manager"
-t cmd -c /usr/bin/cp -U 0 -G 0
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME environment variable, which affects the execution of the smexec command. If this envi-
ronment variable is not specified, the /usr/java location is used. See smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An error message displays.
FILES
The following file is used by the smexec command:
/etc/security/exec_attr Rights profiles database. See exec_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWmga |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
SEE ALSO
smc(1M), exec_attr(4), attributes(5), environ(5)
SunOS 5.10 24 May 2004 smexec(1M)