Once entries for you exist in the TFM database, use tfadmin to execute those commands. The TFM database entries will include any privileges you are granted when executing the commands. The privileges acquired via the TFM database are propagated as fixed privileges if child processes are executed by the commands in the TFM database.
The command name used with tfadmin in the database does not need to be the same as the actual command, but it must correspond with a command entry in the TFM database.
To execute a command with tfadmin, perform the following:
Assume an entry for mount exists in the TFM database for darrell. In this case, the mount entry in the TFM database has a full path of /etc/mount and darrell is allowed to execute it with the mount privilege.
darrell would run
    tfadmin mount /dev/dsk/c1b1t0d0sf /x
to mount the device /dev/dsk/c1b1t0d0sf on the mount point /x.
If the full path for the mount command were associated with mnt in the TFM database entry for darrell, then darrell would need to execute
    tfadmin mnt /dev/dsk/c1b1t0d0sf /x
to use the mount command. Otherwise, tfadmin would print an error and exit.
By allowing entries such as mnt to alias for the full pathname, the user is assured that they are executing the desired executable, and not being spoofed by a malicious intruder, who could otherwise introduce their own mount program somewhere in the user's PATH.
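The difference between ordinary PATH lookup and alias lookup, as an added example that is not part of the original documentation. The table layout, the sandbox directory and the helper names path_lookup and resolve_alias are assumptions made for illustration; they do not reproduce the TFM database format or tfadmin itself.

```shell
#!/bin/sh
# Added illustration. The table below is a constructed stand-in, NOT the real
# TFM database format; path_lookup and resolve_alias are hypothetical helpers.

DEMO=$(mktemp -d)                      # sandbox root standing in for "/"
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/etc" "$DEMO/home/darrell/bin"

# The command the administrator registered (page example: /etc/mount).
printf '#!/bin/sh\necho registered mount\n' > "$DEMO/etc/mount"
# A look-alike with the same name in a directory that comes first in PATH.
printf '#!/bin/sh\necho look-alike mount\n' > "$DEMO/home/darrell/bin/mount"
chmod +x "$DEMO/etc/mount" "$DEMO/home/darrell/bin/mount"

USER_PATH="$DEMO/home/darrell/bin:$DEMO/etc"

# Fields: user:alias:full path:privileges (constructed layout)
TABLE="darrell:mnt:$DEMO/etc/mount:mount"

# Ordinary lookup: the first executable match in PATH wins.
path_lookup() {
    ( PATH=$2; command -v "$1" )
}

# Table lookup: the alias maps to one fixed full path; PATH is never consulted.
resolve_alias() {
    match=$(printf '%s\n' "$TABLE" |
        awk -F: -v u="$1" -v a="$2" '$1 == u && $2 == a { print $3; exit }')
    if [ -z "$match" ]; then
        echo "no entry for alias '$2' and user '$1'" >&2
        return 1
    fi
    printf '%s\n' "$match"
}

echo "PATH lookup of mount : $(path_lookup mount "$USER_PATH")"
echo "table lookup of mnt  : $(resolve_alias darrell mnt)"
resolve_alias darrell mount || echo "mount is not an alias in this table, so it is refused"
```

The PATH lookup returns the look-alike under darrell's own bin directory, while the table lookup returns the registered path no matter how PATH is ordered.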