adminrole(1M) — UnixWare 2.01

       adminrole(1M)                                          adminrole(1M)


       NAME
             adminrole - display, add, change, delete roles in the TFM
             database

       SYNOPSIS
             adminrole [-n] [-a [cmd:path[:priv[:priv . . .]][, . . .]] role . . .
             adminrole [-a [cmd:path[:priv[:priv . . .]][, . . .]] role . . .
                       [-r cmd[:priv[:priv . . .]][, . . .]] role . . .
             adminrole [-d] role . . .
             adminrole

       DESCRIPTION
             The adminrole command allows administrators to display, add,
             change, and delete roles in the Trusted Facility Management
             database.  The TFM database is the vehicle through which
             unprivileged user processes run privileged commands.

             A role contains a list of commands.  Each command contains a
             (possibly empty) list of privileges.  The tfadmin command will
             use these privileges to set up its process before it invokes
             this command for a member of the role.  The adminrole command
             has the following options:

             -n    For every role in the list, create a new role
                   description.

             -a    Add a command to a role, add the role to the database if
                   it does not already exist.

             -r    Remove a command from a role or remove privileges from a
                   command within a role.

             -d    Delete a role.

             No options
                   List the contents of the specified roles.

             No Arguments
                   List the contents of all roles in the database.

             The adminrole command takes as its arguments the list of roles
             to which the actions specified by the options apply.  The
             argument to the -a or -r option is a comma-separated list of
             command descriptions.  For the -a option, the command
             description includes the name of the command to be added, the
             full path at which the command file resides, and the privilege
             set, represented by a colon-separated list of privilege names
             (for example, mount:/etc/mount:macread:mount).  There is no
             limit on the length of the path name; however, / ("root" or
             "slash") alone may not be specified.

             The command description for the -r option is the same as for
             the -a option except that the full path and the separating
             colon are not given (for example, mount:macread:mount).

             If users in the specified role(s) get no privilege when they
             invoke the command, the privilege description may be omitted;
             that is, if the definition to be removed does not have any
             privileges associated with it (it merely provides an alias for
             the command), then you do not have to specify privileges when
             removing that definition.

             Note that in any case when you use the -r option and you do
             not specify privileges, the definition is removed entirely
             from that role. Future attempts to use that command in that
             role with tfadmin will return errors. If you do specify
             privileges, then only those privileges are removed from the
             definition. This can leave you with a definition that has no
             privilege associated with it. In this case, users in that role
             can run the command with tfadmin, but will gain no privileges
             by doing so. The command will function solely as an alias for
             the path provided in the definition.

             The -n and -r options may not be used together.  Doing so will
             cause an error, since incompatible options have been
             specified.

             If the -d option is used in an attempt to delete a
             non-existent role, an error will result.
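
             The -a and -r rules above, modelled in Python as an added
             example (not Novell's code and not part of the original manual
             page).  It works on an in-memory dictionary rather than the TFM
             database; the pairing of diagnostic strings with error
             conditions is an assumption, and /etc/umount is a constructed
             sample path.

```python
# Added model: a role is a dict of command name -> (full path, privilege list).

def parse_add(desc):
    """Parse one -a description, cmd:path[:priv[:priv...]]."""
    fields = desc.split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"insufficient command specification: {desc!r}")
    cmd, path, privs = fields[0], fields[1], fields[2:]
    if not path.startswith("/") or path == "/":   # "/" alone is not allowed
        raise ValueError("full command pathname must be specified")
    for p in privs:
        if not p:
            raise ValueError(f"invalid process privilege: {p!r}")
        if privs.count(p) > 1:
            raise ValueError(f"duplicate process privilege: {p!r}")
    return cmd, path, privs

def add(role, arg):
    """Apply a comma-separated -a argument to a role."""
    for desc in arg.split(","):
        cmd, path, privs = parse_add(desc)
        if cmd in role:   # assumption: re-adding an existing name is an error
            raise ValueError(f"command name {cmd!r} already exists")
        role[cmd] = (path, privs)

def remove(role, arg):
    """Apply a comma-separated -r argument, cmd[:priv[:priv...]], to a role."""
    for desc in arg.split(","):
        cmd, *privs = desc.split(":")
        if cmd not in role:
            raise ValueError(f"undefined command name {cmd!r}")
        path, held = role[cmd]
        if not privs:                 # no privileges named: whole definition goes
            del role[cmd]
            continue
        for p in privs:
            if p not in held:
                raise ValueError(f"process privilege {p!r} does not exist in command {cmd!r}")
        role[cmd] = (path, [p for p in held if p not in privs])

def aliases(role):
    """Commands left with an empty privilege list (tfadmin alias only)."""
    return sorted(cmd for cmd, (_, privs) in role.items() if not privs)

def demo():
    role = {}   # constructed sample; /etc/umount is illustrative
    add(role, "mount:/etc/mount:macread:mount,umount:/etc/umount:mount")
    remove(role, "mount:macread:mount")   # privileges stripped, alias remains
    remove(role, "umount")                # definition removed entirely
    return role, aliases(role)
```

             Checking aliases() after a -r change shows which commands a
             role can still run through tfadmin without gaining privilege.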

       REFERENCES
             adminuser(1M), intro(2), tfadmin(1M)

       DIAGNOSTICS
             This command exits with a 0 if all requested operations
             succeeded, 1 if any operation failed.

             The following diagnostic messages are printed by adminrole:

                   command name ``cmd'' already exists

                   role name ``role'' already exists

                   undefined role name ``role''

                   process privilege ``priv'' does not exist in command
                   ``cmd''

                   insufficient command specification: ``string''

                   full command pathname must be specified

                   duplicate process privilege: ``priv''

                   cannot add role ``role''

                   cannot alter role ``role''

                   role ``role'' currently being changed, try again later

                   cannot remove role ``role''

                   cannot change command ``cmd''

                   full path to TFM database must be specified

                   undefined command name ``cmd''

                   TFM database does not exist

                   cannot initialize TFM database

                   improper command name: ``string''

                   invalid process privilege: ``string''

                   unrecognized privilege number: ``number''

                   incompatible options specified

                           Copyright 1994 Novell, Inc.