How do I establish or restore privileges for the Ada environment?

The steps below must be performed as root.

1) First establish the role in the Trusted Facilities Management (TFM) database:

   # /usr/bin/adminrole -n RT_USERS
   # /usr/bin/adminrole -a ksh:/usr/bin/ksh:owner:dev:setspriv:fpri:tshar:\
   plock:setupriv:cpubias:shmbind:userint:rtime RT_USERS
   # /usr/bin/adminrole -a csh:/usr/bin/csh:owner:dev:setspriv:fpri:tshar:\
   plock:setupriv:cpubias:shmbind:userint:rtime RT_USERS
   # /usr/bin/adminrole -a sh:/usr/bin/sh:owner:dev:setspriv:fpri:tshar:\
   plock:setupriv:cpubias:shmbind:userint:rtime RT_USERS

   (adminrole -n creates the role RT_USERS; each adminrole -a registers a command, here "ksh", "csh" and "sh", under that role with the listed privileges.)

   The list of privileges can be found in the intro(2) manual page, beginning on page 12. Notice that the privileges given on the adminrole command line are in lower case and the "P_" prefix is dropped from the privilege name (P_OWNER becomes owner).

   If privilege problems remain after this, a role can instead be defined with all privileges, as follows (the example below again uses the role named RT_USERS):

   # /usr/bin/adminrole -n RT_USERS
   # /usr/bin/adminrole -a ksh:/usr/bin/ksh:allprivs RT_USERS
   # /usr/bin/adminrole -a csh:/usr/bin/csh:allprivs RT_USERS
   # /usr/bin/adminrole -a sh:/usr/bin/sh:allprivs RT_USERS

   Be aware that a command registered with allprivs runs with every privilege the system defines, so a shell started this way is effectively an unrestricted root shell. Give such a role only to users you would trust with root, and go back to the explicit privilege list above once the missing privilege has been identified.

2) The adminuser command adds the user "username" to the list of those allowed to execute commands under the RT_USERS role. To add a user to the new role RT_USERS:

   # /usr/bin/adminuser -n -o RT_USERS username

3) The user added to the RT_USERS role can now invoke the tfadmin command. The user must append the following two lines to the end of his .profile (the first line is a comment):

   # give myself the privileges of the RT_USERS role
   exec /sbin/tfadmin RT_USERS: /usr/bin/ksh

   The user should log out and log back in to enable the new privileges of the RT_USERS role. All child processes of the shell will inherit those privileges. Because the line uses exec, the login shell is replaced by the shell that tfadmin starts; if tfadmin fails (for example because the user has not yet been added to the role), the login session ends immediately. Run the tfadmin command interactively once to confirm it works before adding the exec line to .profile. The above example assumes that the user (username) uses the Korn shell.
Step 3 should be modified appropriately for users who use a different shell (register and exec that shell instead of /usr/bin/ksh).

OTHER NOTES:

There are 5 system roles provided with the system: AUD, SSO, OP, SOP and NET. These and all other user-defined roles are contained in the directory /etc/security/tfm/roles, and privileged users' usernames are contained in the directory /etc/security/tfm/users.

Invoking adminrole without options lists all the defined roles and their associated privileges. Likewise, invoking adminuser without options lists all users with their assigned roles. To display a specific user's role and associated commands, invoke "/usr/bin/adminuser username".

To see what privileges are currently enabled, the user can invoke:

   % sh -c "priv work"     (to show working privileges)
or
   % sh -c "priv max"      (to show maximum privileges)

If you are having problems that appear to be related to privileges, make sure all the privileges are intact. This can be done with the script /etc/security/tools/setpriv, which generates a second script that may be executed from a shell prompt. This operation must be executed by root in single user mode:

   # /etc/security/tools/setpriv > /tmp/restore_privs
   # chmod 555 /tmp/restore_privs
   # /tmp/restore_privs > /dev/null 2>&1

Review the generated /tmp/restore_privs before executing it: it runs as root, and the redirection above discards its output, including any errors. If you need to see which commands in it failed, run it without the redirection.
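The script below is an added example and is not part of the original page or of the system's own tools. It automates steps 1 to 3 above for the explicit privilege list (not allprivs): it converts the intro(2) names into the lower-case, prefix-less form adminrole expects, prints the adminrole and adminuser commands for review and runs them only when APPLY=1, and appends the tfadmin line to a .profile only if it is not already there. The script name mkrole.sh and the APPLY variable are assumptions of this example; the command syntax is copied from the page, and the script does not check that adminrole, adminuser or tfadmin exist on the machine.

```shell
#!/bin/sh
# Added example, not from the original page: generate (and optionally run) the
# adminrole/adminuser commands for a least-privilege TFM role, and add the
# tfadmin line to a user's .profile exactly once.  The script name mkrole.sh
# and the APPLY variable are assumptions of this example.  Nothing is executed
# unless APPLY=1, so the generated commands can be reviewed first.

# The privileges the procedure gives the RT_USERS role, written the way
# intro(2) names them (upper case, P_ prefix).
RT_PRIVS="P_OWNER P_DEV P_SETSPRIV P_FPRI P_TSHAR P_PLOCK P_SETUPRIV P_CPUBIAS P_SHMBIND P_USERINT P_RTIME"

# priv_spec "P_OWNER P_DEV ..." -> "owner:dev:..."
# adminrole wants the names in lower case, without the P_ prefix, joined by ':'.
priv_spec() {
    out=""
    for p in $1; do
        p=$(printf '%s' "$p" | tr 'A-Z' 'a-z' | sed 's/^p_//')
        out="${out:+$out:}$p"
    done
    printf '%s\n' "$out"
}

# role_cmds ROLE SPEC: print the adminrole commands that create ROLE and
# register ksh, csh and sh under it with privilege spec SPEC.
role_cmds() {
    role=$1; spec=$2
    printf '/usr/bin/adminrole -n %s\n' "$role"
    for shell in ksh csh sh; do
        printf '/usr/bin/adminrole -a %s:/usr/bin/%s:%s %s\n' \
            "$shell" "$shell" "$spec" "$role"
    done
}

# user_cmd ROLE USER: print the adminuser command that adds USER to ROLE.
user_cmd() {
    printf '/usr/bin/adminuser -n -o %s %s\n' "$1" "$2"
}

# add_tfadmin_line PROFILE ROLE SHELL: append the exec tfadmin line to PROFILE
# unless it is already there, so re-running this does not stack several exec
# lines.  Returns 0 if the line was added, 1 if it was already present.
add_tfadmin_line() {
    profile=$1; role=$2; shell=$3
    line="exec /sbin/tfadmin $role: $shell"
    if [ -f "$profile" ] && grep -F -x -q "$line" "$profile"; then
        return 1
    fi
    {
        printf '# give myself the privileges of the %s role\n' "$role"
        printf '%s\n' "$line"
    } >> "$profile"
    return 0
}

# run_or_show: read generated command lines on stdin; run them only when
# APPLY=1, otherwise print them for review.
run_or_show() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# main [ROLE] [USER]: build the role with the explicit privilege list (not
# allprivs) and, if a user is named, add that user to it.
main() {
    role=${1:-RT_USERS}; user=$2
    spec=$(priv_spec "$RT_PRIVS")
    role_cmds "$role" "$spec" | run_or_show
    if [ -n "$user" ]; then
        user_cmd "$role" "$user" | run_or_show
    fi
}

# Usage as root:  ./mkrole.sh RT_USERS username          # print the commands
#                 APPLY=1 ./mkrole.sh RT_USERS username  # run them
case "$0" in
    *mkrole.sh) main "$@" ;;
esac
```

Steps 1 and 2 are done as root with the two invocations shown in the usage comment; step 3 is done by the user, who sources the script and calls add_tfadmin_line on his own profile, for example ". ./mkrole.sh; add_tfadmin_line "$HOME/.profile" RT_USERS /usr/bin/ksh". Sourcing does not trigger main, because $0 is then the shell's name rather than mkrole.sh.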