The setpriv command with the -x option re-applies the privilege information found in the privilege data file (/etc/security/tcb/privs) for all commands in the file. It does this by executing a filepriv command for each line of the privilege data file. setpriv also updates the privilege data file with the attributes of the command files. If cmdname is specified, setpriv executes a single filepriv command for the specified cmdname (if cmdname is found in the privilege data file).
With no options, setpriv echoes to the standard output the appropriate filepriv commands without executing them.
While some common events can cause the privileges on a file to be lost, the removal of privileges from a system command can indicate the presence of an intruder or malicious user on your system who may have attempted to replace a system command with a command of their own, in an effort to gain information about your system that they would not be able to obtain under normal circumstances.
In general, any event that alters in any way a privileged system command file will cause that command file to lose its privileges. Examples of events that may cause loss of privileges are:
The kernel removes privileges from a command file whose attribute information no longer agrees with the contents of the privilege data file. This reduces the risk of a malicious user or intruder replacing a privileged system command with an untrusted program whose use may compromise system security.
Once privileges are removed from a previously privileged command, the command can no longer be executed with the privileges it needs to function properly (for at least one of its intended uses).
The absence of privilege from a system command is usually first detected when such a command ceases to function properly. For example, if the file /usr/bin/tfadmin loses its privileges, the tfadmin command will no longer execute properly. This will in turn cause administration tools in the desktop to not function.
Running initprivs reports the affected entry:
UX:initprivs: WARNING: File ``/usr/bin/ipcs'' fails validation: entry ignored
UX:initprivs: WARNING: 1 entry ignored in ``/etc/security/tcb/privs''
Checking the file directly:
# filepriv /usr/bin/ipcs
#
The absence of output indicates there are no privileges on the file.
# /etc/security/tools/setpriv ipcs
/sbin/filepriv -f dev /usr/bin/ipcs
#
This output indicates that /usr/bin/ipcs should have the fixed dev privilege.
Let's say you determine that the file /usr/bin/ipcs was corrupted due to disk problems, and that the file was restored from backup the previous night, using a tool that does not recognize privilege information on files. Verify that the /usr/bin/ipcs file is indeed a copy of the original ipcs command that existed previously on your system (by, for example, checking previously performed trusted backups).
Once you are satisfied the file is genuine, re-apply the recorded privileges:
# /etc/security/tools/setpriv -x ipcs
Executing "filepriv" for the following:
/usr/bin/ipcs
#
# filepriv /usr/bin/ipcs
fixed dev
#
You could also run initprivs again as a further check.
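To make the validation-then-reapply logic of the procedure above concrete, here is a small model of it. This is an added example, not the code of setpriv, initprivs or filepriv: the record layout of the data file (path:type:privileges:size:sha256), the use of size plus SHA-256 as the "attributes" that must agree, and the -i flag for inheritable privileges are all assumptions made for illustration; only -f and the dev privilege come from the page. The scenario replaces a command file with a byte-different copy, as a privilege-unaware restore would, and shows the entry being ignored with the same style of warning initprivs prints.

```python
"""Model of the privilege data file check described above (constructed example)."""
import hashlib
import os
import tempfile

WARNING = "UX:initprivs: WARNING: File ``{path}'' fails validation: entry ignored"
# -f is from the page; -i for inheritable privileges is an assumption.
FLAGS = {"fixed": "-f", "inheritable": "-i"}


def file_attributes(path):
    """Attributes the record keeps for a command file: size and SHA-256 (assumed)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data), hashlib.sha256(data).hexdigest()


def make_entry(path, ptype, privs):
    """Build one record line in the hypothetical layout path:type:privs:size:sha256."""
    size, digest = file_attributes(path)
    return f"{path}:{ptype}:{privs}:{size}:{digest}"


def parse_privs(text):
    """Parse the data file; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, ptype, privs, size, digest = line.split(":")
        entries.append({"path": path, "type": ptype, "privs": privs,
                        "size": int(size), "sha256": digest})
    return entries


def filepriv_command(entry):
    """The filepriv invocation that would re-apply the recorded privileges."""
    return f"/sbin/filepriv {FLAGS[entry['type']]} {entry['privs']} {entry['path']}"


def validate(entries, privs_path):
    """Emit a filepriv command only for files whose current attributes agree with
    the record; any other entry is ignored with a warning, as initprivs does."""
    commands, warnings = [], []
    for entry in entries:
        try:
            current = file_attributes(entry["path"])
        except OSError:
            current = None  # missing or unreadable file fails validation too
        if current == (entry["size"], entry["sha256"]):
            commands.append(filepriv_command(entry))
        else:
            warnings.append(WARNING.format(path=entry["path"]))
    if warnings:
        n = len(warnings)
        noun = "entry" if n == 1 else "entries"
        warnings.append(f"UX:initprivs: WARNING: {n} {noun} ignored in ``{privs_path}''")
    return commands, warnings


def demo():
    """Constructed scenario: record two command files, then replace ipcs with a
    byte-different copy and re-run the check. Paths are under a temp directory,
    so the temp prefix is stripped from the results for readability."""
    with tempfile.TemporaryDirectory() as root:
        ipcs = os.path.join(root, "ipcs")
        tfadmin = os.path.join(root, "tfadmin")
        with open(ipcs, "wb") as fh:
            fh.write(b"#!/bin/sh\necho ipcs\n")
        with open(tfadmin, "wb") as fh:
            fh.write(b"#!/bin/sh\necho tfadmin\n")

        privs_file = os.path.join(root, "privs")
        privs_text = "# constructed privilege data file\n" + "\n".join([
            make_entry(ipcs, "fixed", "dev"),
            make_entry(tfadmin, "fixed", "dev"),
        ]) + "\n"
        with open(privs_file, "w") as fh:
            fh.write(privs_text)

        entries = parse_privs(privs_text)
        before = validate(entries, privs_file)

        # A restore that does not carry privilege data leaves different bytes.
        with open(ipcs, "wb") as fh:
            fh.write(b"#!/bin/sh\necho ipcs # restored copy\n")
        after = validate(entries, privs_file)

        strip = lambda items: [s.replace(root, "") for s in items]
        return {
            "before_commands": strip(before[0]),
            "before_warnings": strip(before[1]),
            "after_commands": strip(after[0]),
            "after_warnings": strip(after[1]),
        }


if __name__ == "__main__":
    for key, lines in demo().items():
        print(key)
        for line in lines:
            print("   ", line)
```

The point the model makes is the one the page makes: the data file alone is not enough to restore privileges, since an entry whose recorded attributes no longer match the file is deliberately ignored. The administrator must first establish that the file is genuine (as in the backup check above), refresh the record, and only then let the filepriv command run.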