10.0;lprotect (local_protection), revision 2.0, 90/09/07
lprotect - Control local protection.
usage: lprotect [-rmtroot all | none | readonly] [-protect unix | owners | aegis ]
DESCRIPTION
lprotect enables system administrators to set the following Domain/OS
security policies:
⊕ Control what privileges processes running as root (locksmith) on
remote nodes have on the local node.
⊕ Specify which users can perform privileged operations, such as
mounting disk volumes and restoring or copying files with their
original ACLs.
When executed without options, lprotect prints a message declaring the
current setting of both security policies.
OPTIONS
-rmtroot all | none | readonly
Determines how the local node handles requests made by processes
running as root (locksmith) on remote nodes. The rmtroot
option provides three levels of privilege, as follows:
⊕ The all argument permits the remote superuser to have all
privileges on the local node. The default level of
privilege, upon node boot, is all, so a stricter level must
be set again after every boot.
⊕ The none argument limits access to the local system by
changing the remote superuser's identity to "user.none.none"
before any access checks or rights determinations are made.
⊕ The readonly argument permits a remote superuser to retain
the superuser identity for read operations only. For write
and execute operations, readonly performs like the none
argument: it limits access by changing the remote
superuser's identity to "user.none.none" before any access
checks or rights determinations are made.
The none and readonly arguments also
⊕ prohibit remote root users from setting setid bits on
files or stamping files as protected subsystem managers
or objects.
⊕ prevent any setid programs or files that reside on remote
nodes from successfully changing their process identity
when being executed on the local node.
-protect unix | owners | aegis
Controls which users, if any, are permitted to perform the
following privileged operations on a local node:
mount disk volumes
restore files with their original ACLs (rbak -sacl)
copy files with their original ACLs (cp -P, cpf -sacl)
The protect option provides three levels of user privilege:
⊕ The unix argument permits only the root (locksmith) user to
perform the privileged operations. This level of control is
similar to the policy enforced by traditional UNIX operating
system implementations.
⊕ The aegis argument permits all users to perform privileged
operations. This level of control is similar to the policy
enforced by earlier versions of the Aegis operating system
environment. The default argument for the -protect option is
aegis.
⊕ The owners argument permits a set of users, including the
superuser, to perform privileged operations. The set of
privileged users is determined from the access control list
(ACL) of the file `nodedata/nodeowners at the time the
lprotect command is executed. Any user identity with write
access rights to this file is considered privileged. Changes
made to that ACL afterwards take effect only when lprotect
-protect owners is run again.
Note that any user can run the lprotect program to determine
what the current settings are; however, only users with "p"
rights (allows rights to be changed) to
`nodedata/nodeowners can run the lprotect program to
change the current settings.
EXAMPLE
To give processes running as root (locksmith) on remote nodes no
privileges on the local node, use the following command:
$ /etc/lprotect -rmtroot none
To check the current privileges of remote processes running as root
(locksmith) and the current protection mode, enter the following command:
$ /etc/lprotect
No remote root requests are honored. (-rmtroot none)
Aegis protection mode currently in force. (-protect aegis)
To enforce UNIX operating system protection controls, enter the following
command:
$ /etc/lprotect -protect unix
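The following script is an added example and is not part of the lprotect man page or of Domain/OS. It grades a node's current settings from the status text that /etc/lprotect prints when run without options, flagging the permissive levels (rmtroot all, protect aegis) that the OPTIONS section describes as the defaults. It assumes only that each status line carries the setting in effect in parentheses, as shown in the EXAMPLE above; the sample text for the "all" setting is constructed for this example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the lprotect man page: grade a node's lprotect
# settings from the status text that /etc/lprotect prints when run without
# options. Assumption: each status line ends with the setting in effect in
# parentheses, as in the EXAMPLE section ("(-rmtroot none)", "(-protect aegis)").

# Print the value of one setting (rmtroot or protect) found in lprotect
# status text read from stdin; prints nothing if the token is absent.
lprotect_setting() {
    sed -n "s/.*(-$1 \([a-z]*\)).*/\1/p" | head -n 1
}

# Report both policies. Exit status: 0 if both are restrictive, 1 if either
# is at the permissive level (rmtroot all, protect aegis), 2 if a setting
# could not be parsed from the text at all.
lprotect_grade() {
    rmt=$(printf '%s\n' "$1" | lprotect_setting rmtroot)
    prot=$(printf '%s\n' "$1" | lprotect_setting protect)
    weak=0
    unk=0
    case "$rmt" in
        none|readonly) echo "rmtroot=$rmt: ok" ;;
        all) echo "rmtroot=all: WEAK, remote root keeps full privilege on this node"; weak=1 ;;
        *) echo "rmtroot: could not parse setting"; unk=1 ;;
    esac
    case "$prot" in
        unix|owners) echo "protect=$prot: ok" ;;
        aegis) echo "protect=aegis: WEAK, any user may mount volumes and restore original ACLs"; weak=1 ;;
        *) echo "protect: could not parse setting"; unk=1 ;;
    esac
    [ "$unk" -eq 0 ] || return 2
    [ "$weak" -eq 0 ] || return 1
    return 0
}

# Constructed sample output. The "(-rmtroot all)" line is made up for this
# example; only the parenthesized token is parsed, so the wording in front
# of it does not matter.
SAMPLE_WEAK='Remote root requests are honored. (-rmtroot all)
Aegis protection mode currently in force. (-protect aegis)'

lprotect_grade "$SAMPLE_WEAK" || echo "node needs hardening (exit status $?)"
```

On a node, feed the live output with lprotect_grade "$(/etc/lprotect)"; a non-zero result is the cue to run /etc/lprotect -rmtroot none and /etc/lprotect -protect unix (or owners), and, because the rmtroot level returns to all at boot, to repeat that from the node's startup procedure.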
SEE ALSO
rbak(1)