adminuser(1M) adminuser(1M)
NAME
adminuser - display, add, change, delete administrators in the
TFM database.
SYNOPSIS
adminuser [-n] [-o role[, . . .]]
[-a cmd:path[:priv[:priv . . .]][, . . .]]
user . . .
adminuser [-o role[, . . .]]
[-r cmd[:priv[:priv . . .]][, . . .]]
[-a cmd:path[:priv[:priv . . .]][, . . .]]
user . . .
adminuser [-d] user . . .
adminuser
DESCRIPTION
The adminuser command allows administrators to display, add,
change, and delete administrators in the Trusted Facility
Management (TFM) database. The TFM database is the vehicle
through which otherwise unprivileged user processes are allowed
to run privileged commands, by way of tfadmin(1M).
A user definition contains a list of commands. Each command
definition carries the privileges that tfadmin grants its own
process before it executes that command on the user's behalf;
the user receives no privileges beyond those listed. In
addition to the command definitions, a user definition holds an
ordered list of the roles available to the user, and a default
command specification.
The options to the command are:
-n For every user in the list, create a new user
description, and, optionally, create a role list or add
a command to that user.
-o Create the specified role list for every user in the
list. Note that order is significant if more than one
role is specified, and an individual command is in more
than one of the roles. In this case, if the user
subsequently invokes such a command via tfadmin, and
does not specify a role, the roles will be searched in
the order specified here for a matching command
definition. The first match found is the one that will
be used.
Copyright 1994 Novell, Inc. Page 1
-a Add a list of commands to the definitions of a given
list of users.
-r Remove the list of commands from the list of users. If
privileges are given in a command description, the
command itself is left in place and only the named
privileges are removed from it.
-d Delete the given list of users from the TFM database.
No options
Print out the capabilities of the given list of users.
No arguments
Print the capabilities of every user in the database.
The adminuser command takes as its arguments the list of users
to which the actions specified by the options applies. The
list of users is a list of user login names. Only
administrative users, that is administrators to whom access to
privileged commands is to be granted, should be added to the
TFM database.
The argument to the -o option is a comma-separated list of
role names. This list will create a new role list for the
specified users, replacing any existing role lists.
The argument to the -a or -r option is a comma-separated list
of command descriptions. For the -a option, the command
description includes the name of the command to be added, the
full path at which the command file resides, and the privilege
vector, represented by a colon-separated list of privilege
names (for example, mount:/etc/mount:macread:mount). There is
no limit on the length of the path name; however, / (``root''
or ``slash'') alone may not be specified.
The command description for the -r option is the same as for
the -a option except that the full path and the separating
colon are not given (for example, mount:macread:mount). The
privilege description may be omitted in either case: with -a,
the command is then defined with no privileges at all; with -r,
the whole command definition is removed.
The -n and -r options may not be used together; specifying
both is reported as incompatible options.
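The following added example is not part of the original manual page or of Novell's adminuser. It is a small Python model of the command-description syntax and of the -a, -r and -o semantics described above, written to show where the diagnostics listed below arise and how the -o role order decides which role's definition tfadmin would use for a command that appears in more than one role. The on-disk format under /etc/security/tfm is not modelled: user definitions are kept in memory, the roles_db dictionary stands in for the role definitions kept by adminrole(1M), the user and role names (opr, backup, mountops) are invented for the example, and the role lookup consults roles only, because this page does not say how a user's own command definitions rank against roles.

```python
class TFMError(ValueError):
    """Carries one of the diagnostics listed under DIAGNOSTICS."""


def parse_cmd_desc(desc, with_path):
    """Parse one element of the comma-separated list given to -a
    (with_path=True, cmd:path[:priv...]) or -r (with_path=False,
    cmd[:priv...]).  Returns (cmd, path_or_None, privs).  Privilege
    names are not checked against the system's privilege list here."""
    fields = desc.split(":")
    cmd = fields[0]
    if cmd == "":
        raise TFMError("insufficient command specification: ``%s''" % desc)
    if with_path:
        if len(fields) < 2:
            raise TFMError("insufficient command specification: ``%s''" % desc)
        path = fields[1]
        # A full path is required, and "/" alone is rejected.
        if not path.startswith("/") or path == "/":
            raise TFMError("full command pathname must be specified")
        privs = fields[2:]
    else:
        path, privs = None, fields[1:]
    seen = set()
    for p in privs:
        if p == "":
            raise TFMError("invalid process privilege: ``%s''" % p)
        if p in seen:
            raise TFMError("duplicate process privilege: ``%s''" % p)
        seen.add(p)
    return cmd, path, privs


def _user(users, name):
    if name not in users:
        raise TFMError("undefined user ``%s''" % name)
    return users[name]


def new_user(users, name, roles=(), cmd_descs=()):
    """-n [-o roles] [-a cmds] user: create a definition, then apply -o/-a."""
    if name in users:
        raise TFMError("user ``%s'' already exists" % name)
    users[name] = {"roles": [], "cmds": {}}
    if roles:
        set_roles(users, name, roles)
    for d in cmd_descs:
        add_cmd(users, name, d)


def set_roles(users, name, roles):
    """-o: the new list replaces any existing role list; order is kept."""
    u = _user(users, name)
    for i, r in enumerate(roles):
        if r in roles[:i]:
            raise TFMError("role name ``%s'' is not unique" % r)
    u["roles"] = list(roles)


def add_cmd(users, name, desc):
    """-a: add one command description to the user."""
    u = _user(users, name)
    cmd, path, privs = parse_cmd_desc(desc, with_path=True)
    if cmd in u["cmds"]:
        raise TFMError("command name ``%s'' already exists" % cmd)
    u["cmds"][cmd] = {"path": path, "privs": list(privs)}


def remove_cmd(users, name, desc):
    """-r: drop the whole command, or, when privileges are named, only those."""
    u = _user(users, name)
    cmd, _, privs = parse_cmd_desc(desc, with_path=False)
    if cmd not in u["cmds"]:
        raise TFMError("undefined command name ``%s''" % cmd)
    if not privs:
        del u["cmds"][cmd]
        return
    have = u["cmds"][cmd]["privs"]
    for p in privs:
        if p not in have:
            raise TFMError("process privilege ``%s'' does not exist in command ``%s''"
                           % (p, cmd))
        have.remove(p)


def describe(users, name):
    """No-option form: render the user's commands back in -a syntax."""
    u = _user(users, name)
    return [":".join([c, d["path"]] + d["privs"]) for c, d in sorted(u["cmds"].items())]


def role_lookup(users, roles_db, name, cmd, role=None):
    """Which role definition tfadmin would use for cmd: the named role if
    the user holds it, otherwise the user's roles searched in -o order,
    first match wins.  roles_db maps role -> {cmd: {"path", "privs"}}."""
    u = _user(users, name)
    candidates = [role] if role in u["roles"] else ([] if role else u["roles"])
    for r in candidates:
        if cmd in roles_db.get(r, {}):
            return r, roles_db[r][cmd]
    return None


def diagnostic(fn, *args):
    """Return the adminuser-style diagnostic fn would print, or None."""
    try:
        fn(*args)
    except TFMError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample: two roles define `mount` with different
    # privilege vectors, so the -o order decides which one applies.
    roles_db = {"backup": {"mount": {"path": "/etc/mount", "privs": ["macread"]}},
                "mountops": {"mount": {"path": "/etc/mount", "privs": ["macread", "mount"]}}}
    users = {}
    new_user(users, "opr", roles=["backup", "mountops"],
             cmd_descs=["mount:/etc/mount:macread:mount"])
    print(describe(users, "opr"), role_lookup(users, roles_db, "opr", "mount"))
    remove_cmd(users, "opr", "mount:macread")
    print(describe(users, "opr"), diagnostic(parse_cmd_desc, "mount:/:mount", True))
```

Running the block shows the lookup returning the backup role's vector (macread only) because backup is listed first; swapping the -o order to mountops,backup makes the same command run with macread and mount. That is the practical reason the page insists that -o order is significant: the least-privileged role that defines a command should normally come first.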
FILES
/etc/security/tfm/users/*
/etc/security/tfm/users/*/default
/etc/security/tfm/users/*/roles
/etc/security/tfm/users/*/cmds/*
REFERENCES
adminrole(1M), intro(2), tfadmin(1M)
DIAGNOSTICS
This command exits with a 0 if all requested operations
succeeded, 1 if any operation failed.
The following diagnostic messages are printed by adminuser:
command name ``cmd'' already exists
user ``user'' already exists
undefined user ``user''
process privilege ``priv'' does not exist in command
``cmd''
role name ``role'' is not unique
insufficient command specification: ``string''
duplicate process privilege: ``priv''
full command pathname must be specified
full path to TFM database must be specified
undefined command name ``cmd''
cannot read role list for user ``user''
cannot add user ``user''
cannot alter user ``user''
user ``user'' currently being changed, try again later
cannot remove user ``user''
cannot change command ``cmd''
cannot change role list for user ``user''
TFM database does not exist
cannot initialize TFM database
improper command name: ``string''
invalid process privilege: ``string''
unrecognized privilege number: ``number''
incompatible options specified