adminuser(1M)

Synopsis

adminuser [-o role[, ...] [-r cmd[:priv[:priv ...]][, ...]] [-a cmd:path[:priv[:priv ...]][, ...]] user ...

adminuser [-d] user ...

adminuser

Description

A user definition contains a list of commands. Each command contains a list of privileges. The tfadmin command uses these privileges to set up its process before invoking this command for the user. In addition to the command definitions, there is a list of roles available to the user, and a default command specification.

The options to the command are:

-n

For every user in the list, create a new user description, and, optionally, create a role list or add a command to that user.

-o

Create the specified role list for every user in the list. Note that order is significant if more than one role is specified, and an individual command is in more than one of the roles. In this case, if the user subsequently invokes such a command via tfadmin, and does not specify a role, the roles will be searched in the order specified here for a matching command definition. The first match found is the one that will be used.

-a

Add a list of commands to the definitions of a given list of users.

-r

Remove the list of commands from the list of users. If the user supplies privileges in the command descriptions, then leave the command but remove the specified privileges.

-d

Delete the given list of users from the TFM database.

No options

Print out the capabilities of the given list of users.

No arguments

Print the capabilities of every user in the database.

The adminuser command takes as its arguments the list of users to which the actions specified by the options applies. The list of users is a list of user login names. Only administrative users, that is administrators to whom access to privileged commands is to be granted, should be added to the TFM database.

The argument to the -o option is a comma-separated list of role names. This list will create a new role list for the specified users, replacing any existing role lists.

The argument to the -a or -r option is a comma-separated list of command descriptions. For the -a option, the command description includes the name of the command to be added, the full path at which the command file resides, and the privilege vector, represented by a colon-separated list of privilege names (for example, mount:/etc/mount:macread:mount). There is no limit on the length of the path name; however, / (``root'' or ``slash'') alone may not be specified.

The command description for the -r option is the same as for the -a option except that the full path and the separating colon are not given (for example, mount:macread:mount). If the users get no privileges when they invoke the command, the privilege description may be omitted.

The -n and -r options may not be used together. If -n is specified with -r, an error will occur because incompatible options have been specified.

Files

/etc/security/tfm/users/

/etc/security/tfm/users//default

/etc/security/tfm/users//roles

/etc/security/tfm/users//cmds/

Diagnostics

The following diagnostic messages are printed by adminuser:

• command name ``cmd'' already exists

• user ``user'' already exists

• undefined user ``user''

• process privilege ``priv'' does not exist in command ``cmd''

• role name ``role'' is not unique

• insufficient command specification: ``string''

• duplicate process privilege: ``priv''

• full command pathname must be specified

• full path to TFM database must be specified

• undefined command name ``cmd''

• cannot read role list for user ``user''

• cannot add user ``user''

• cannot alter user ``user''

• user ``user'' currently being changed, try again later

• cannot remove user ``user''

• cannot change command ``cmd''

• cannot change role list for user ``user''

• TFM database does not exist

• cannot initialize TFM database

• improper command name: ``string''

• invalid process privilege: ``string''

• unrecognized privilege number: ``number''

• incompatible options specified

References