tfadmin -- invoke a command, regulating privilege based on TFM database information


tfadmin [role:] cmd [args]

tfadmin -t [role:] cmd[:priv[:priv. . .]]


The tfadmin command invokes a command at the request of an administrative user. If the user is allowed to use privileges with the command, tfadmin places the allowed privileges in the maximum and working privilege sets of the process before invoking the command.

role is a role name defined in the administrative database for Trusted Facility Management.

cmd can be either a command defined in the TFM database or it can be the full pathname of a command. The executable file associated with cmd will be executed only if the user has been defined as an administrator and has access to cmd.

If cmd is a full pathname, the last component of the pathname (the basename) will be searched for in the TFM database. If role was specified, the search will be limited to the definition for the specified role. If not, each role assigned to the user will be searched, in the order that the roles were assigned to the user (see adminuser(1M)). Finally, any individual commands, outside any assigned roles, assigned to the user, will be searched.

If cmd or the basename does not exist in the user definition, tfadmin issues an error and exits with an error code. If the path associated with cmd in the administrative database is not equal to the full pathname specified for cmd, tfadmin issues a diagnostic message.

args are a set of command arguments to be passed to the program indicated by cmd.

priv is the name of a process privilege. (See intro(2) for a complete list of process privileges.)

In addition, if the -t option is used, a privilege vector, consisting of one or more privilege names separated by colons (e.g., macread:mount) may be appended to the role-command pair, separated from it by a colon (for example, SSA:mount:macread:mount). This privilege list is meaningful only when the -t option is used, because it is used to test whether the given command can be executed by the invoking user with the specified privileges.

The tfadmin command takes the following options:

Test whether the user can invoke the given command with the (optionally) given privileges. Do not execute the command.

No options
Execute the specified command for the invoking user taking the definition from the role argument (if supplied). If the role does not exist in that user's role list, print a message and fail.


If the requested operation succeeds, tfadmin executes the command, and, therefore, does not exit. The invoked command exits with whatever value is appropriate. If the -t option is used and the requested privileges would have been granted to the user invoking the requested command within the requested role, tfadmin exits with a 0. If the -t option was specified and tfadmin would have denied the request, tfadmin exits with a 1. If the operation fails for any reason, tfadmin exits with a 1 and issues a diagnostic message.

The following diagnostic messages are printed by tfadmin:


adminuser(1M), adminrole(1M), intro(2)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004