rolerpt Command

Purpose

Reports the security capabilities of roles.

Syntax

rolerpt [-R load_module] [-C] [-c | -f] { "ALL" | role1, role2, ... | -a }

rolerpt [-R load_module] [-C] [-u] { "ALL" | role1, role2, ... }

Description

The rolerpt command reports capability information for roles, such as the privileged commands the roles can run, the privileged files they can access, and the users who hold them.

Only one of the -c, -f, or -u flags can be specified. When the -c flag is specified, the privileged commands in the /etc/security/privcmds database that can be run by virtue of the roles are listed. When the -f flag is specified, the privileged files in the /etc/security/privfiles database that can be accessed by users who are assigned the roles are listed.

When the -u flag is specified, the users who hold the roles are listed, based on the Loadable Authentication Modules (LAMs) that are configured in the /etc/nscontrol.conf database. The -u flag can be used only by the root user or by a user who is authorized for the rolerpt command. Only the root user or a user with the aix.security.role.list authorization can view reports for roles that they do not hold.

When none of the -c, -f, or -u flags is specified, all the capability information for the roles (commands, privileged files, and user information) is displayed.

The -a flag reports the capabilities of the active roles of the invoker. The -u flag cannot be used with the -a flag. The root user or an authorized user can specify the ALL keyword to display the capabilities of all the roles on the system.

As its role argument, the rolerpt command accepts the -a flag (the active roles), the ALL keyword, or a comma-separated list of role names. When no role name is specified, all the capability information (commands, privileged files, and user information) for the roles of the invoker is displayed.

Flags

Item Description
-a Specifies that a report of the capabilities of only the active roles is to be obtained.
-c Specifies that a report of the privileged commands that can be run by the roles is to be obtained.
-C Displays the report as colon-separated records, in the following format:
#role:attribute1:attribute2: ...
role1:value1:value2: ...
role2:value1:value2: ...
-f Specifies that a report of the privileged files that are accessible to the roles is to be obtained.
-R Specifies the loadable module from which the report of role capabilities is to be obtained.
-u Specifies that a report of the authorized users who are assigned the roles is to be obtained.

Exit status

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: This command must grant execute (x) access to all users. The -u flag can be used by the root user or by authorized users who hold the aix.security.role.list authorization or the aix.security.user.list authorization. Only the root user or an authorized user with the aix.security.role.list authorization can specify the ALL keyword and view reports of the capabilities of roles that they do not hold.

Attention RBAC users and Trusted AIX® users: This command performs privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, review the Privileged Command Database topic. For a list of the privileges and the authorizations that are associated with this command, review the lssecattr command or the getcmdattr subcommand.

Files

  • /etc/security/roles
  • /etc/security/authorizations
  • /etc/security/privcmds
  • /etc/security/privfiles

Examples

  1. To report the privileged commands that are associated with the role ManageAllUsers, run the following command:
     rolerpt -c ManageAllUsers
  2. To report the capabilities of the active roles, that is, the authorization, command, and privileged file information, run the following command:
     rolerpt -a
  3. To report all the capabilities of the role ManageAllUsers in colon-separated format, run the following command:
     rolerpt -C ManageAllUsers
     Information similar to the following appears:
     #role:commands:privfiles:users
     ManageAllUsers:/usr/bin/lsuser,/usr/bin/mkuser:/var/adm/sulog:Bob,Simon
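Because the -C output is a fixed record layout, it lends itself to scripted audits such as "who on this system can run mkuser through a role?" or "which roles does this user hold?". The following POSIX shell script is an added example and is not part of the rolerpt documentation or of AIX. It parses a report in the documented #role:commands:privfiles:users layout and answers both questions; the report it runs against is constructed for the example, and the role names ManageBackup and ShutdownSystem, the users Alice, Bob and Simon, and the function names users_for_cmd, roles_for_user, rpt_source and join_csv are assumptions. When no report text is passed in, the helpers invoke rolerpt -C ALL, which requires the root user or the aix.security.role.list authorization as described above.

```shell
#!/bin/sh
# Added example: audit helpers over "rolerpt -C" output. Not AIX code and not
# part of the rolerpt documentation. SAMPLE_RPT is a constructed report in the
# documented "#role:commands:privfiles:users" layout; the roles ManageBackup
# and ShutdownSystem and the users Alice, Bob and Simon are assumptions.
SAMPLE_RPT='#role:commands:privfiles:users
ManageAllUsers:/usr/bin/lsuser,/usr/bin/mkuser:/var/adm/sulog:Bob,Simon
ManageBackup:/usr/sbin/backup,/usr/sbin/restore:/etc/security/passwd:Alice
ShutdownSystem:/usr/sbin/shutdown::Bob'

# rpt_source [REPORT]: print REPORT if given, otherwise run "rolerpt -C ALL"
# (which needs the root user or the aix.security.role.list authorization).
rpt_source() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        rolerpt -C ALL
    fi
}

# join_csv: sort stdin, de-duplicate it, and join the lines with commas;
# prints nothing at all when the input is empty.
join_csv() {
    sort -u | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $0 } END { if (NR) print "" }'
}

# users_for_cmd CMD [REPORT]: every user who holds any role whose commands
# field contains CMD, as a sorted comma-separated list (empty if nobody can).
users_for_cmd() {
    rpt_source "$2" | awk -F: -v cmd="$1" '
        /^#/ { next }                               # skip the header record
        {
            n = split($2, cmds, ",")                # privileged commands field
            for (i = 1; i <= n; i++) {
                if (cmds[i] != cmd) continue
                m = split($4, users, ",")           # users field
                for (j = 1; j <= m; j++)
                    if (users[j] != "") print users[j]
            }
        }
    ' | join_csv
}

# roles_for_user USER [REPORT]: the roles whose users field lists USER,
# as a sorted comma-separated list.
roles_for_user() {
    rpt_source "$2" | awk -F: -v user="$1" '
        /^#/ { next }
        {
            m = split($4, users, ",")
            for (j = 1; j <= m; j++)
                if (users[j] == user) { print $1; break }
        }
    ' | join_csv
}

# Stand-alone run against the constructed report: who can create users, and
# which roles does Bob hold?
users_for_cmd /usr/bin/mkuser "$SAMPLE_RPT"
roles_for_user Bob "$SAMPLE_RPT"
```

On a real system, drop the second argument so the helpers read live data: `users_for_cmd /usr/bin/mkuser` lists everyone who can create accounts through any role, which is the kind of check worth running after every change to /etc/security/roles. The helpers deliberately match on the exact command path, so a role that grants /usr/bin/mkuser is not confused with one that grants /usr/sbin/mkuser.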