secswitch(8) — Maintenance
Security_Related
NAME
secswitch − switch security mode
SYNOPSIS
/tcb/bin/secswitch [−enable | −disable | −quiet | −test]
DESCRIPTION
The secswitch command by default prints the status of the security flag in the kernel. It is also used to enable or disable the security code. If the −quiet flag is used the status printout is suppressed. This command is first run by /sbin/init through the /tcb/files/spdinitrc shell script, to set/reset the state of the security flag.
When the −enable flag is set, this command is used to set the internal value of the Security-Privileged-Group-id to the effective group-id of the secswitch command.
When the −test flag is specified, the command looks for the group ’sec’ in the file /etc/group. It then compares its effective group-id against the ’sec’-gid. If there is a mismatch the command promptly creates the file /etc/nologin. This will prohibit all user logins into the system, hence forcing the system administrator to resolve the system security fault. The /etc/nologin file provides information about what needs to be fixed on the system.
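The −test check described above, written out as an added example; this is not the system's own secswitch source. It assumes the /etc/group line format name:passwd:gid:members and takes the group-file text and the nologin path as parameters, so it can run against constructed data rather than the real /etc/group and /etc/nologin, while keeping the exit statuses given under RETURN VALUES.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample in /etc/group format (name:passwd:gid:members); not a real file. */
const char SAMPLE_GROUP[] = "root:x:0:\nsecurity:x:50:\nsec:x:42:adm\nusers:x:100:\n";

/* Find the gid of group `name` in group-file text. Returns 0 if found, -1 if not. */
int lookup_gid(const char *group_text, const char *name, gid_t *gid_out)
{
    size_t namelen = strlen(name);
    const char *line = group_text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        /* The name field must match exactly: "security" must not match "sec". */
        if (len > namelen && strncmp(line, name, namelen) == 0 && line[namelen] == ':') {
            const char *p = memchr(line + namelen + 1, ':', len - namelen - 1);
            if (p == NULL) return -1;           /* malformed line: no gid field */
            *gid_out = (gid_t)strtoul(p + 1, NULL, 10);
            return 0;
        }
        if (end == NULL) break;
        line = end + 1;
    }
    return -1;
}

/* The -test decision: 0 means all is well, 1 means the nologin file had to be
 * created because the effective gid does not match the 'sec' group (or 'sec'
 * is missing). `nologin_path` is a parameter so a test need not touch /etc. */
int sec_test(const char *group_text, gid_t egid, const char *nologin_path)
{
    gid_t sec_gid;
    if (lookup_gid(group_text, "sec", &sec_gid) == 0 && sec_gid == egid)
        return 0;
    FILE *f = fopen(nologin_path, "w");
    if (f != NULL) {
        /* Like /etc/nologin, the file tells the administrator what to fix. */
        fprintf(f, "Logins disabled by secswitch -test: effective gid %lu does not\n"
                   "match group 'sec' in /etc/group. Fix the group and remove this file.\n",
                (unsigned long)egid);
        fclose(f);
    }
    return 1;
}
```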
FLAGS
−enable
Enables Security code in the kernel.
−disable
Disables Security code in the kernel.
−quiet
Reports the status of the security flag as the exit status.
−test
Tests the Security-Privileged-Group-id for correctness.
RESTRICTIONS
The security mode can only be enabled or disabled at boot-time by /sbin/init.
RETURN VALUES
If either −enable or −disable is specified, a 0 exit status indicates success, otherwise a 1 is returned and an error message is printed.
When −quiet is specified, a 0 indicates security is OFF, and a 1 indicates security is ON. (These return values also apply in the default print-status mode, i.e. when no arguments are specified.)
For the −test case, a 0 indicates all is well. A 1 is returned if the /etc/nologin file had to be created.
FILES
/tcb/bin/secswitch
/tcb/files/spdinitrc