System Administration Commands smexec(1M)
NAME
smexec - manage entries in the exec_attr database
SYNOPSIS
/usr/sadm/bin/smexec subcommand [ auth_args] --
[subcommand_args]
DESCRIPTION
The smexec command manages an entry in the exec_attr(4)
database in the local /etc files name service or an NIS name service. subcommandssmexec subcommands are:
addAdds a new entry to the exec_attr(4) database. To add an
entry to the exec_attr database, the administrator must
have the solaris.profmgr.execattr.write authorization. deleteDeletes an entry from the exec_attr(4) database. To
delete an entry from the exec_attr database, the
administrator must have the solaris.profmgr.execattr.write authorization. modifyModifies an entry in the exec_attr(4) database. To
modify an entry in the exec_attr database, the adminis-
trator must have the solaris.profmgr.execattr.write authorization. OPTIONSThe smexec authentication arguments, auth_args, are derived
from the smc(1M) arg set and are the same regardless ofwhich subcommand you use. The smexec command requires the
Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the SolarisManagement Console server, the first Solaris Management Con-
sole connection might time out, so you might need to retry the command.The subcommand-specific options, subcommand_args, must come
after the auth_args and must be separated from them by the
SunOS 5.11 Last change: 11 Dec 2009 1
System Administration Commands smexec(1M)
-- option.
auth_args
The auth_args -D, -H, -l, -p, -r, and -u are described
below. They are all optional. These options are a subset of the full complement of supported options described in smc(1M).If no auth_args are specified, certain defaults will be
assumed and the user may be prompted for additional informa-
tion, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you canuse either -D or --domain with the domain argument.
-D | --domain 13;domain
Specifies the default domain that you want to manage.The syntax of domain is type:/host_name/domain_name,
where type is nis, dns, ldap, or file; host_name is the
name of the machine that serves the domain; anddomain_name is the name of the domain you want to
manage.If you do not specify this option, the Solaris Manage-
ment Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain ona tool-by-tool basis; this option specifies the domain
for all other tools.-H | --hostname 13;host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system con-
nects to the default port, 898. If you do not specifyhost_name:port, the Solaris Management Console connects
to the local host on port 898. You may still have to choose a toolbox to load into the console. To overridethis behavior, use the smc(1M) -B option, or set your
console preferences to load a "home toolbox" by default.-l | --rolepassword 13;role_password
Specifies the password for the role_name. If you specify
a role_name but do not specify a role_password, the sys-
tem prompts you to supply a role_password. Passwords
specified on the command line can be seen by any user on the system, hence this option is considered insecure.SunOS 5.11 Last change: 11 Dec 2009 2
System Administration Commands smexec(1M)
-p | --password 13;password
Specifies the password for the user_name. If you do not
specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.-r | --rolename 13;role_name
Specifies a role name for authentication. If you do not specify this option, no role is assumed.-u | --username 13;user_name
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.--
This option is required and must always follow the preceding options. If you do not enter the precedingoptions, you must still enter the -- option.
subcommand_args
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5). o For subcommand add:-c command_path|CDE_action
Specifies the full path to the command or CDEaction associated with the new exec_attr entry.
Specifying a CDE action is available only if the system is configured with Solaris TrustedExtensions. smexec automatically detects when a
system is running these extensions.SunOS 5.11 Last change: 11 Dec 2009 3
System Administration Commands smexec(1M)
-g egid
(Optional) Specifies the effective group ID that executes with the command.-G gid
(Optional) Specifies the real group ID that executes with the command.-h
(Optional) Displays the command's usage state-
ment.-n profile_name
Specifies the name of the profile associatedwith the new exec_attr entry.
-t type
Specifies the type for the command. Currently, the only acceptable value for type is cmd.-u euid
(Optional) Specifies the effective user ID that executes with the command.-U uid
(Optional) Specifies the real user ID that exe-
cutes with the command.-M limit_privs
Specifies the privilege name(s) to add to thenew exec_attr(4) entry. The default is all for
limit privilege. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).SunOS 5.11 Last change: 11 Dec 2009 4
System Administration Commands smexec(1M)
-I inheritable_privs
Specifies the inheritable privilege name(s) toadd to the new exec_attr(4) entry.
o For subcommand delete:-c command_path|CDE_action
Specifies the full path to the command or CDEaction associated with the exec_attr entry.
Specifying a CDE action is available only if the system is configured with Solaris TrustedExtensions. smexec automatically detects when a
system is running these extensions.-h
(Optional) Displays the command's usage state-
ment.-n profile_name
Specifies the name of the profile associatedwith the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd. o For subcommand modify:-c command_path|CDE_action
Specifies the full path to the command or CDEaction associated with the exec_attr entry you
want to modify. Specifying a CDE action is available only if the system is configured withSolaris Trusted Extensions. smexec automati-
cally detects when a system is running these extensions.SunOS 5.11 Last change: 11 Dec 2009 5
System Administration Commands smexec(1M)
-g egid
(Optional) Specifies the new effective group ID that executes with the command.-G gid
(Optional) Specifies the new real group ID that executes with the command.-h
(Optional) Displays the command's usage state-
ment.-n profile_name
Specifies the name of the profile associatedwith the exec_attr entry.
-t type
Specifies the type cmd for command. Currently, the only acceptable value for type is cmd.-u euid
(Optional) Specifies the new effective user ID that executes with the command.-U uid
(Optional) Specifies the new real user ID that executes with the command.-M limit_privs
Specifies the privilege name(s) to modify in anexec_attr(4) entry. The default is all for
limit privilege. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).SunOS 5.11 Last change: 11 Dec 2009 6
System Administration Commands smexec(1M)
-I inheritable_privs
Specifies the inheritable privilege name(s) tomodify in anexec_attr(4) entry.
EXAMPLES
Example 1 Creating an exec_attr Database Entry
The following creates a new exec_attr entry for the User
Manager profile on the local file system. The entry type iscmd for the command /usr/bin/cp. The command has an effec-
tive user ID of 0 and an effective group ID of 0../smexec add -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -u 0 -g 0
Example 2 Deleting an exec_attr Database Entry
The following example deletes an exec_attr database entry
for the User Manager profile from the local file system. The entry designated for the command /usr/bin/cp is deleted../smexec delete -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp
Example 3 Modifying an exec_attr Database Entry
The following modifies the attributes of the exec_attr data-
base entry for the User Manager profile on the local file system. The /usr/bin/cp entry is modified to execute with the real user ID of 0 and the real group ID of 0../smexec modify -H myhost -p mypasswd -u root -- -n "User Manager" \
-t cmd -c /usr/bin/cp -U 0 -G 0
ENVIRONMENT VARIABLESSee environ(5) for a description of the JAVA_HOME environ-
ment variable, which affects the execution of the smexec
SunOS 5.11 Last change: 11 Dec 2009 7
System Administration Commands smexec(1M)
command. If this environment variable is not specified, the /usr/java location is used. See smc(1M). EXIT STATUS The following exit values are returned: 0 Successful completion. 1 Invalid command syntax. A usage message displays. 2 An error occurred while executing the command. An error message displays. FILESThe following file is used by the smexec command:
/etc/security/exec_attr
Rights profiles database. See exec_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmga ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
smc(1M), exec_attr(4), attributes(5), environ(5)
SunOS 5.11 Last change: 11 Dec 2009 8