wliwrap.1 (2011 03)

wliwrap(1)    Optional WLI Product Required    wliwrap(1)
NAME
wliwrap - execute command with WLI capability
SYNOPSIS
wliwrap -h
wliwrap -k privkey [-p src:val] -o capability,... "command [options]"
DESCRIPTION
wliwrap adds WLI capabilities to the process environment, then loads and executes "command [options]" with the system(3S) call. For more information on capabilities, see wli(5).

A user invokes wliwrap to execute a command as a child process with capability,... in effect only for the duration of the child process. privkey must be an authorized WLI key with capability,... granted. For more information on authorizing WLI keys and granting capabilities, see wlicert(1M).

Authorization requirements for successful initiation of "command [options]" by wliwrap are as follows:

A WLI administrator private key must have signed command. It is not necessary for any capability to be granted to command as part of the signature. For more information on signing commands, see wlisign(1). The private key used for signing command can differ from privkey.

The public key extracted from privkey must be granted capability,... before wliwrap is invoked. For more information on granting capabilities to authorized keys, see wlicert(1M).

The effective user ID of the wliwrap process must have execute permission for command in accordance with discretionary access control (DAC) permissions. The effective user ID is set during login (refer to login(1)) and may be modified with su(1). WLI does not bypass any DAC restrictions on command execution or file access.

It is not necessary for privkey to be a WLI administrator key. It can be a WLI user key. If privkey is authenticated successfully and the above actions have completed, "command [options]" will be executed. Messages and exit code returned by wliwrap will then be generated by command.

The "command [options]" argument must be last in the string and must be enclosed with quotes ("") as depicted in the SYNOPSIS. This argument is passed to /usr/bin/sh as a single string, which executes it as a child process. The environment of the "command [options]" process is identical to that of its wliwrap parent with the addition of the capabilities.

The capabilities are granted temporarily, being in effect only for the duration of command execution. The temporary addition of capabilities granted during wliwrap execution is in contrast to capabilities granted more permanently with wlisign(1). For some use cases it may be preferable to permanently grant capabilities to a command with wlisign(1). If command has WLI capabilities granted permanently, its execution through wliwrap is not necessary.

The wliwrap command is installed with the optional HP-UX Whitelisting (WLI) product.
Options
-h              Displays wliwrap command syntax.

-k privkey      File containing an authorized WLI private key. The extracted public key must have WLI user or administrator authorization and have been granted capability,... with wlicert(1M).

-o capability,...
                The WLI capabilities to be granted to the "command [options]" process while it is executing in the wliwrap environment. There are three legitimate values:

                mem     ability to read from and write to /dev/mem and /dev/kmem
                wmd     ability to read from and write to policy and signature metadata
                dlkm    ability to load dlkm modules

                For more information on capabilities, see wli(5).

-p src:val      The passphrase source for privkey. Refer to wli(5) for more information on this option.
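The process model described in the DESCRIPTION and the -o value list above, as an added example that is neither this man page's nor HP-UX WLI's own code: a POSIX sh stand-in that follows the documented calling convention, so the behaviour can be observed on any system. The names WLI_CAPS, valid_caps and mock_wliwrap are hypothetical; the real grant is made by the WLI kernel component, not by an environment variable.

```shell
#!/bin/sh
# Added example, not code from the wliwrap man page or from HP-UX WLI.
# Mimics the documented interface: the capability list is checked against
# the three values the man page lists under -o, the "command [options]"
# string is handed to sh as ONE argument, the grant is visible only inside
# the child, and the exit status is the command's own.
# WLI_CAPS is a hypothetical marker standing in for the real grant.

# valid_caps "mem,dlkm" -> 0 if every item is mem, wmd or dlkm, else 1
valid_caps() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        case $c in
            mem|wmd|dlkm) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# mock_wliwrap "capability,..." "command [options]"
# Returns 2 on a bad capability list, otherwise the command's exit status.
mock_wliwrap() {
    valid_caps "$1" || return 2
    # The whole second argument is a single string for sh -c, as the man
    # page states; everything sh derives from it runs with the grant.
    WLI_CAPS="$1" /bin/sh -c "$2"
}
```

Because the quoted string is interpreted by sh, every command the shell derives from it (pipelines, `;`-separated commands, subshells) runs while the grant is in effect, so the string should contain only the single command that needs the capability.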
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1
