smexec(1M) System Administration Commands smexec(1M)NAMEsmexec - manage entries in the exec_attr database
SYNOPSIS
/usr/sadm/bin/smexec subcommand [ auth_args] -− [subcommand_args]
DESCRIPTION
The smexec command manages an entry in the exec_attr(4) database in the
local /etc files name service or a NIS or NIS+ name service.
subcommands
smexec subcommands are:
add Adds a new entry to the exec_attr(4) database. To add
an entry to the exec_attr database, the administrator
must have the solaris.profmgr.execattr.write authoriza‐
tion.
delete Deletes an entry from the exec_attr(4) database. To
delete an entry from the exec_attr database, the admin‐
istrator must have the solaris.profmgr.execattr.write
authorization.
modify Modifies an entry in the exec_attr(4) database. To mod‐
ify an entry in the exec_attr database, the administra‐
tor must have the solaris.profmgr.execattr.write autho‐
rization.
OPTIONS
The smexec authentication arguments, auth_args, are derived from the
smc(1M) arg set and are the same regardless of which subcommand you
use. The smexec command requires the Solaris Management Console to be
initialized for the command to succeed (see smc(1M)). After rebooting
the Solaris Management Console server, the first Solaris Management
Console connection might time out, so you might need to retry the com‐
mand.
The subcommand-specific options, subcommand_args, must come after the
auth_args and must be separated from them by the -− option.
auth_args
The auth_args -D, -H, -l, -p, -r, and -u are described below. They are
all optional. These options are a subset of the full complement of sup‐
ported options described in smc(1M).
If no auth_args are specified, certain defaults will be assumed and the
user may be prompted for additional information, such as a password for
authentication purposes. These letter options can also be specified by
their equivalent option words preceded by a double dash. For example,
you can use either -D or -−domain with the domain argument.
-D | -−domain domain
Specifies the default domain that you want to manage. The syntax of
domain is type:/host_name/domain_name, where type is nis, nisplus,
dns, ldap, or file; host_name is the name of the machine that
serves the domain; and domain_name is the name of the domain you
want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console
assumes the file default domain on whatever server you choose to
manage, meaning that changes are local to the server. Toolboxes can
change the domain on a tool-by-tool basis; this option specifies
the domain for all other tools.
-H | -−hostname host_name:port
Specifies the host_name and port to which you want to connect. If
you do not specify a port, the system connects to the default port,
898. If you do not specify host_name:port, the Solaris Management
Console connects to the local host on port 898. You may still have
to choose a toolbox to load into the console. To override this
behavior, use the smc(1M)-B option, or set your console prefer‐
ences to load a "home toolbox" by default.
-l | -−rolepassword role_password
Specifies the password for the role_name. If you specify a
role_name but do not specify a role_password, the system prompts
you to supply a role_password. Passwords specified on the command
line can be seen by any user on the system, hence this option is
considered insecure.
-p | -−password password
Specifies the password for the user_name. If you do not specify a
password, the system prompts you for one. Passwords specified on
the command line can be seen by any user on the system, hence this
option is considered insecure.
-r | -−rolename role_name
Specifies a role name for authentication. If you do not specify
this option, no role is assumed.
-u | -−username user_name
Specifies the user name for authentication. If you do not specify
this option, the user identity running the console process is
assumed.
-−
This option is required and must always follow the preceding
options. If you do not enter the preceding options, you must still
enter the -− option.
subcommand_args
Note: Descriptions and other arg options that contain white spaces must
be enclosed in double quotes.
To add or change privileges, the administrator must have the
solaris.admin.privilege.write authorization. See privileges(5).
· For subcommand add:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associ‐
ated with the new exec_attr entry. Specifying a CDE action is
available only if the system is configured with Solaris
Trusted Extensions. See "Using Options that Require Solaris
Trusted Extensions," below.
-g egid
(Optional) Specifies the effective group ID that executes with
the command.
-G gid
(Optional) Specifies the real group ID that executes with the
command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the new
exec_attr entry.
-t type
Specifies the type for the command. Currently, the only
acceptable value for type is cmd.
-u euid
(Optional) Specifies the effective user ID that executes with
the command.
-U uid
(Optional) Specifies the real user ID that executes with the
command.
-M limit_privs
Specifies the privilege name(s) to add to the new exec_attr(4)
entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the
solaris.admin.privilege.write authorization. See privi‐
leges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to add to the new
exec_attr(4) entry.
· For subcommand delete:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associ‐
ated with the exec_attr entry. Specifying a CDE action is
available only if the system is configured with Solaris
Trusted Extensions. See "Using Options that Require Solaris
Trusted Extensions," below.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the
exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only
acceptable value for type is cmd.
· For subcommand modify:
-c command_path|CDE_action
Specifies the full path to the command or CDE action associ‐
ated with the exec_attr entry you want to modify. Specifying a
CDE action is available only if the system is configured with
Solaris Trusted Extensions. See "Using Options that Require
Solaris Trusted Extensions," below.
-g egid
(Optional) Specifies the new effective group ID that executes
with the command.
-G gid
(Optional) Specifies the new real group ID that executes with
the command.
-h
(Optional) Displays the command's usage statement.
-n profile_name
Specifies the name of the profile associated with the
exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only
acceptable value for type is cmd.
-u euid
(Optional) Specifies the new effective user ID that executes
with the command.
-U uid
(Optional) Specifies the new real user ID that executes with
the command.
-M limit_privs
Specifies the privilege name(s) to modify in an exec_attr(4)
entry. The default is all for limit privilege.
To add or change privileges, the administrator must have the
solaris.admin.privilege.write authorization. See privi‐
leges(5).
-I inheritable_privs
Specifies the inheritable privilege name(s) to modify in
anexec_attr(4) entry.
Using Options that Require Solaris Trusted Extensions
To use an option that requires the Solaris Trusted Extensions feature,
you must use the -B toolbox option to specify a toolbox that contains
support for Trusted Extensions. For example:
# smexec-add -c <CDE action> -n "User Manager" \
-B http://<server>/toolboxes/tsol_files.tbx
In the command above, <server> is the name of the machine running the
Solaris Management Console. See smc(1M) for a description of the -B
option.
EXAMPLES
Example 1: Creating an exec_attr Database Entry
The following creates a new exec_attr entry for the User Manager pro‐
file on the local file system. The entry type is cmd for the command
/usr/bin/cp. The command has an effective user ID of 0 and an effective
group ID of 0.
./smexec add -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -u 0 -g 0
Example 2: Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry for the User
Manager profile from the local file system. The entry designated for
the command /usr/bin/cp is deleted.
./smexec delete -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp
Example 3: Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr database entry
for the User Manager profile on the local file system. The /usr/bin/cp
entry is modified to execute with the real user ID of 0 and the real
group ID of 0.
./smexec modify -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -U 0 -G 0
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME environment variable,
which affects the execution of the smexec command. If this environment
variable is not specified, the /usr/java location is used. See smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An error mes‐
sage displays.
FILES
The following file is used by the smexec command:
/etc/security/exec_attr Rights profiles database. See
exec_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWmga │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Evolving │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOsmc(1M), exec_attr(4), attributes(5), environ(5)SunOS 5.10 17 Mar 2006 smexec(1M)
