Specify optional security attributes that apply to the displayed action or the command or directory of commands.
Click Apply to apply the current settings.
Click Reset to return to the previous settings.
See the man pages for individual commands for the security attributes needed by the command or any of its options to succeed. If you do not specify any security attributes, a command or action in a rights profile runs normally, with the real uid/gid, the effective uid/gid, the label, and the clearance of the process that is executing the command or action and with no inherited privileges.
Ownership
Similar to the setuid and setgid feature of UNIX commands, assigning a real or effective uid or gid to a command or action in a rights profile allows the command or action to succeed when it requires a real or effective uid or gid that is different from the uid or gid of the person who launched the command or action. The user name specified in this dialog determines the uid and the group name determines the gid.
Help for choosing Effective or Real user and group ids displays when you click the buttons and fields.
UID Tips and Examples
One use of the effective uid is to allow programs to run with the uid of one of the system accounts such as bin, sys, and lp to update files owned by the system account. These system accounts do not have passwords, which prevents the possibility that someone could learn the password and compromise the system.
The uid most often required is 0, the uid of root (or superuser). For example, most installation programs check that they are being run by root with real uid of 0.
By adding the name of an installation program to a rights profile, assigning to the command a real uid of root, and then assigning the profile to a role, the Security Administrator can enable an installation program to succeed when run by a role that has another uid, such as the System Administrator role, which usually has uid 100.
GID Tips and Examples
The real group id is used when the group is set on newly-created files.
The effective group id is used by mkdir when creating directories.
In most cases, the effective group id is used when determining which files or directories can be accessed.
Some programs require the real group id to match that of the object being accessed before access is allowed.
To conform to the principle of least privilege, if you are not sure which is required, assign an effective gid first, and then, if the command does not behave as expected, change to the real gid.
Suppose, for example, that your site has created a group called enghelp to allow sharing of files among the members of the enghelp group, and you want to set up a role so that new directories created by the role are given the enghelp group. Because the group of a directory is obtained by mkdir from the effective gid, you then need to assign enghelp as the effective gid to mkdir.
1. Select mkdir in the Commands Permitted column.
2. Select Effective.
3. Type enghelp in the Group field.
4. Grant the rights profile containing mkdir with the enghelp group id to the desired role.
5. Make sure that the new rights profile is in the role's list of rights profiles above any other profile that assigns other attributes to mkdir.
Any directories created by the role then have the group of enghelp.
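The ordering rule in step 5, shown as an added example that is not part of the original help text: a Python script that parses entries in the exec_attr(4) layout and reports which profile's attributes apply to mkdir for a given profile order, and which entries assign uid 0. The field layout (name:policy:type:res1:res2:id:attr), the tsol policy value, the profile names, and the sample lines are assumptions constructed for illustration.

```python
# Added example: which rights profile decides a command's attributes.
# Assumed entry layout (exec_attr(4)): name:policy:type:res1:res2:id:attr
# Profile names, the "tsol" policy value and all sample lines are constructed.
SAMPLE_EXEC_ATTR = """\
Eng Help Dirs:tsol:cmd:::/usr/bin/mkdir:egid=enghelp
Site Install:tsol:cmd:::/usr/sbin/pkgadd:uid=0
Legacy Tools:tsol:cmd:::/usr/bin/mkdir:egid=staff
"""


def parse_exec_attr(text):
    """Parse exec_attr-style lines into dicts; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"malformed entry: {raw!r}")
        name, _policy, kind, _res1, _res2, ident, attr = fields
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        entries.append({"profile": name, "type": kind, "id": ident, "attrs": attrs})
    return entries


def effective_attrs(entries, role_profiles, command):
    """Return (profile, attrs) from the first profile, in the role's order,
    that lists the command. Models step 5: the topmost profile wins."""
    for profile in role_profiles:
        for e in entries:
            if e["profile"] == profile and e["type"] == "cmd" and e["id"] == command:
                return profile, e["attrs"]
    return None, {}  # no profile in the role's list names this command


def root_grants(entries):
    """List (profile, command, key) for entries that assign uid 0 / root."""
    return [(e["profile"], e["id"], key)
            for e in entries
            for key in ("uid", "euid")
            if e["attrs"].get(key) in ("0", "root")]


if __name__ == "__main__":
    entries = parse_exec_attr(SAMPLE_EXEC_ATTR)
    for order in (["Eng Help Dirs", "Legacy Tools"], ["Legacy Tools", "Eng Help Dirs"]):
        print(order, "->", effective_attrs(entries, order, "/usr/bin/mkdir"))
    print("root grants:", root_grants(entries))
```

With the enghelp profile listed second, mkdir picks up the other profile's egid, which is the misordering step 5 guards against.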
Extended Attributes
To specify a new value or to modify existing values in the Label, Clearance, or Privileges fields, click Edit.
Clicking the Label > Edit button brings up a Label Builder. The action or command is executed with the specified label as the process label.
Clicking the Clearance > Edit button brings up a Clearance Builder. The action or command is executed with the specified clearance as the process clearance.
Clicking the Privileges > Edit button brings up a Privilege Chooser. The action or command is executed with the specified privileges inherited by the process.
Any Label, Clearance, or Privileges already specified for the action or command or directory display in the Extended Attributes fields.
If any of the values are in error (which could occur, for example, if the exec_attr(4) file was edited manually and an incorrect privilege was specified or if the clearance does not dominate the label), the string ***** displays in the field.