RESTRICT(1,C)            AIX Commands Reference            RESTRICT(1,C)

-------------------------------------------------------------------------------
restrict

PURPOSE
     Enforces licensing in a TCF cluster.

SYNTAX
     application_name --- args ---|

     Note: /etc/restrict/restrict is not run directly. It is run based
     on running another command which is linked to
     /etc/restrict/restrict.

DESCRIPTION
     The restrict program enforces licensing in a TCF cluster so that
     licensed programs can only be executed on sites where the program
     has been licensed to run.

     When the user or system administrator installs a program in a TCF
     cluster and wishes that the program only be runnable on specific
     sites within the cluster, the user or system administrator moves
     the program into the /etc/restrict directory, and replaces the
     program in its standard place in the AIX file system with a link
     or symbolic link to /etc/restrict/restrict.

     When run, restrict opens /etc/restrict/restrictlist to determine
     the execution restrictions for the controlled program.
     /etc/restrict/restrictlist is an attribute file with stanzas for
     each controlled program. The name of the program being run
     (argument 0) is used as the name of the stanza in this attribute
     file.

     Each stanza of the file should have two fields: site - which
     site(s) have been licensed to run the program, and program - the
     pathname of the real program to be run. The site field is
     specified as a comma-separated list of site names or site numbers.
     Only if the site where the command is running is listed in the
     list given by the site field is the program indicated by the
     program field actually run. If the execution site is not in the
     list of licensed sites, the following error message is written to
     stderr:

          Sorry, has not been licensed to run on site .

     Note that if the program being restricted is normally installed
     with the set-user-id or set-group-id mode bit set, the program
     should continue to be installed that way when moved into the
     /etc/restrict directory.
     The link to /etc/restrict which the user will be calling directly
     is NOT to be made set-user-id, even though in so doing users who
     use "ls -l" to look at the program may be misled by the apparent
     owner and permissions of the program they are running.

EXAMPLES
     An example /etc/restrict/restrictlist file might be:

          ls:
                  site=fuji,akagi,9
                  program=/etc/restrict/ls

     and /bin/ls would be set up as a symbolic link to
     /etc/restrict/restrict. When /bin/ls is run on site fuji, restrict
     validates that fuji is one of the licensed sites for ls, and
     therefore runs /etc/restrict/ls - the real ls program. Similarly,
     ls could be run on site akagi or the site whose site number is 9.
     If ls is run on site myoko, the restrict command denies the user
     permission to run the command - giving the user the following
     error message:

          Sorry, ls has not been licensed to run on site myoko.

FILES
     /etc/restrict/restrict        Restrict executable
     /etc/restrict/restrictlist    Attribute file of restricted programs

Processed November 8, 1990
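
The lookup described above, as an added example that is not the restrict source or part of the original manual page: it parses the stanza file and makes the run/deny decision for the EXAMPLES stanza. Keying the stanza on the basename of argument 0, denying when a stanza or field is missing (with that message text), the site numbers, and the site name kiso are assumptions made here.

```python
import os

# Constructed sample: the restrictlist stanza from the EXAMPLES section.
RESTRICTLIST = """\
ls:
        site=fuji,akagi,9
        program=/etc/restrict/ls
"""

def parse_restrictlist(text):
    """Parse 'name:' stanzas holding attr=value lines into a dict of dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def decide(argv0, site_name, site_number, stanzas):
    """Return ('run', real_program) or ('deny', message) for one invocation."""
    name = os.path.basename(argv0)      # assumption: stanza is keyed by basename
    stanza = stanzas.get(name)
    # Assumption: fail closed, so a missing stanza or field never reaches exec.
    if not stanza or "site" not in stanza or "program" not in stanza:
        return ("deny", f"{name}: no usable stanza in restrictlist")
    # The site field may list site names or site numbers; accept either form.
    licensed = {s.strip() for s in stanza["site"].split(",") if s.strip()}
    if site_name in licensed or str(site_number) in licensed:
        return ("run", stanza["program"])
    return ("deny",
            f"Sorry, {name} has not been licensed to run on site {site_name}.")

if __name__ == "__main__":
    table = parse_restrictlist(RESTRICTLIST)
    # Constructed sites: (name, number). kiso stands in for "site number 9".
    for site, num in (("fuji", 1), ("kiso", 9), ("myoko", 4)):
        print(site, decide("/bin/ls", site, num, table))
```
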