adminuser(1M)
adminuser -- display, add, change, delete administrators in the TFM database
Synopsis
adminuser [-n] [-o role[, ...]] [-a cmd:path[:priv[:priv ...]][, ...]] user ...
adminuser [-o role[, ...]] [-r cmd[:priv[:priv ...]][, ...]] [-a cmd:path[:priv[:priv ...]][, ...]] user ...
adminuser [-d] user ...
adminuser
Description
The adminuser command allows administrators to display, add, change, and delete administrators in the Trusted Facility Management (TFM) database. The TFM database is the vehicle through which unprivileged user processes run privileged commands.

A user definition contains a list of commands. Each command contains a list of privileges. The tfadmin command uses these privileges to set up its process before invoking the command for the user. In addition to the command definitions, there is a list of roles available to the user, and a default command specification.
The options to the command are:
-n
    For every user in the list, create a new user description, and, optionally, create a role list or add a command to that user.
-o
    Create the specified role list for every user in the list. Note that order is significant if more than one role is specified, and an individual command is in more than one of the roles. In this case, if the user subsequently invokes such a command via tfadmin, and does not specify a role, the roles will be searched in the order specified here for a matching command definition. The first match found is the one that will be used.
-a
    Add a list of commands to the definitions of a given list of users.
-r
    Remove the list of commands from the list of users. If the user supplies privileges in the command descriptions, then leave the command but remove the specified privileges.
-d
    Delete the given list of users from the TFM database.
No options
    Print out the capabilities of the given list of users.
No arguments
    Print the capabilities of every user in the database.
The adminuser command takes as its arguments the list of users to which the actions specified by the options apply. The list of users is a list of user login names. Only administrative users, that is, administrators to whom access to privileged commands is to be granted, should be added to the TFM database.

WARNING: SCOadmin manager authorizations depend on certain entries in the TFM database that are managed by adminuser. Removing commands from an administrative user or system owner can result in being unable to run a SCOadmin manager.
The argument to the -o option is a comma-separated list of role names. This list will create a new role list for the specified users, replacing any existing role lists.

The argument to the -a or -r option is a comma-separated list of command descriptions. For the -a option, the command description includes the name of the command to be added, the full path at which the command file resides, and the privilege vector, represented by a colon-separated list of privilege names (for example, mount:/etc/mount:macread:mount). There is no limit on the length of the path name; however, / (``root'' or ``slash'') alone may not be specified. The command description for the -r option is the same as for the -a option except that the full path and the separating colon are not given (for example, mount:macread:mount). If the users get no privileges when they invoke the command, the privilege description may be omitted.

The -n and -r options may not be used together. If -n is specified with -r, an error will occur because incompatible options have been specified.
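
An added example, not part of the original manual page or of adminuser itself: a Python pre-flight check that parses -a and -r arguments in the format described above and rejects the malformed cases the page names (missing full path, / alone, duplicate privileges) as well as -a syntax passed to -r. The function names, the rule that a command name contains no /, and the pairing of each case with wording from the Diagnostics list are assumptions; privilege names are not checked against the system's privilege set.

```python
# Added example: lint adminuser -a / -r command descriptions before use.
# Assumptions: function names, and that a command name never contains "/".

def parse_cmd_list(arg, mode):
    """Parse a comma-separated -a ("add") or -r ("remove") argument.

    Returns [(cmd, path, [priv, ...]), ...]; path is None in "remove" mode.
    Raises ValueError; message wording is borrowed from the page (assumed mapping).
    """
    if mode not in ("add", "remove"):
        raise ValueError("mode must be 'add' or 'remove'")
    parsed = []
    for desc in arg.split(","):
        desc = desc.strip()
        fields = desc.split(":")
        cmd = fields[0]
        if not cmd or "/" in cmd:
            raise ValueError(f"improper command name: {desc!r}")
        if mode == "add":
            # -a form is cmd:path[:priv...]; the path field is mandatory.
            if len(fields) < 2:
                raise ValueError(f"insufficient command specification: {desc!r}")
            path, privs = fields[1], fields[2:]
            # A full path is required, and "/" on its own is not allowed.
            if not path.startswith("/") or path.strip("/") == "":
                raise ValueError("full command pathname must be specified")
        else:
            # -r form is cmd[:priv...]; a path here means -a syntax was reused.
            path, privs = None, fields[1:]
            if any(p.startswith("/") for p in privs):
                raise ValueError(f"invalid process privilege: {desc!r}")
        seen = set()
        for priv in privs:
            if not priv:
                raise ValueError(f"invalid process privilege: {desc!r}")
            if priv in seen:
                raise ValueError(f"duplicate process privilege: {priv!r}")
            seen.add(priv)
        parsed.append((cmd, path, privs))
    return parsed

def check(arg, mode):
    """Return None if arg is well formed, otherwise the error message."""
    try:
        parse_cmd_list(arg, mode)
    except ValueError as err:
        return str(err)
    return None
```

Running check() on each -a and -r argument before it reaches adminuser lets a reviewer see exactly which command, path and privilege vector a change would grant or remove.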
Files
/etc/security/tfm/users/
/etc/security/tfm/users//default
/etc/security/tfm/users//roles
/etc/security/tfm/users//cmds/
Diagnostics
This command exits with a 0 if all requested operations succeeded, 1 if any operation failed.

The following diagnostic messages are printed by adminuser:
- command name ``cmd'' already exists
- user ``user'' already exists
- undefined user ``user''
- process privilege ``priv'' does not exist in command ``cmd''
- role name ``role'' is not unique
- insufficient command specification: ``string''
- duplicate process privilege: ``priv''
- full command pathname must be specified
- full path to TFM database must be specified
- undefined command name ``cmd''
- cannot read role list for user ``user''
- cannot add user ``user''
- cannot alter user ``user''
- user ``user'' currently being changed, try again later
- cannot remove user ``user''
- cannot change command ``cmd''
- cannot change role list for user ``user''
- TFM database does not exist
- cannot initialize TFM database
- improper command name: ``string''
- invalid process privilege: ``string''
- unrecognized privilege number: ``number''
- incompatible options specified
References
adminrole(1M), intro(2), tfadmin(1M)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004