Use Conditional Access Control Lists

You can make access to a file conditional on the program that is used to access the file. Making file access conditional in this way is called program pathing: the rule names both the subject (a user or group) and the program through which the subject must be running, and access through any other program falls back to the file's ordinary access list and default access.
If the program specified in the via(pgm(...)) clause is a shell script, the script must have #!/bin/sh as its first line. The shell itself treats the #!/bin/sh line as a comment and does not process it; the line only takes effect when the script is executed directly (for example, /home/test/test.sh) so that the script is identified as the program. Do not invoke the script by passing it to the shell as an argument, as in sh /home/test/test.sh, because the program performing the file access is then the shell, not the script, and the conditional access list does not apply.
Example: The following commands allow members of the group users to update the file /etc/passwd, but only under the control of the password change program /bin/passwd. Update attempts on /etc/passwd that do not originate from /bin/passwd are blocked.

newres FILE /etc/passwd owner(nobody) defaccess(R)
authorize FILE /etc/passwd gid(users) access(U) via(pgm(/bin/passwd))

The newres command defines the file /etc/passwd to Privileged Access Manager Server Control with a default access of read, so any user, including the owner of the file, can read it. The authorize command grants update access to members of the group users when the access is made under the program /bin/passwd. Once the password file is protected in this manner, a Trojan horse that tries to insert entries into /etc/passwd, or any update to the file by a member of the group users, is blocked unless the update is made through the /bin/passwd program.
Conditional access lists are also useful for controlling access to the files of a database management system (DBMS). Usually, you permit users to access such files only through the programs and utilities supplied by the database vendor. Consider the following commands:
authorize FILE /usr/dbms/xyz uid(*) via(pgm(/usr/dbms/bin/pgm1)) access(U)
authorize FILE /usr/dbms/xyz uid(*) via(pgm(/usr/dbms/bin/pgm2)) access(U)

This set of authorize commands allows all Privileged Access Manager Server Control users to update the file xyz of the DBMS, provided the access is made by either program pgm1 or program pgm2, which belong to the DBMS binaries directory. Note the use of the asterisk in the uid operand. The asterisk specifies all users who are defined to Privileged Access Manager Server Control. The use of the asterisk is similar in concept to default access. However, default access also applies to users who are not defined to Privileged Access Manager Server Control, whereas uid(*) does not. To write a rule for users who are not defined in the Privileged Access Manager Server Control database, use the _undefined group instead.
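The decision rules described in this section (default access, conditional entries that apply only under a named program, the uid(*) asterisk versus default access, and the _undefined group) can be exercised in a small model. The following is an added example written for this page, not Server Control code or its actual evaluation algorithm; it simplifies precedence to "if any conditional entry applies, it decides, otherwise default access applies", ignores owner(...) and the full set of access letters, and uses constructed users (alice, bob, dba), a constructed group users and the two file rules from the text.

```python
"""Toy model of conditional access lists (program pathing).

Added example, not Server Control code. It models the decision rules the
section describes so that the difference between uid(*) and default access,
and the effect of via(pgm(...)), can be tested. Users, group memberships and
the ghost user are constructed sample data; precedence is simplified.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One authorize entry: subject is ('uid', name) or ('gid', name)."""
    subject: Tuple[str, str]
    access: FrozenSet[str]          # access letters, e.g. {'U'} or {'R'}
    via_pgm: Optional[str] = None   # program path from via(pgm(...)), if any


class ToyAcl:
    def __init__(self, defined_users: Set[str], groups: Dict[str, Set[str]]):
        self.defined_users = set(defined_users)   # users in the database
        self.groups = groups                      # group name -> members
        self.defaccess: Dict[str, FrozenSet[str]] = {}
        self.rules: Dict[str, List[Rule]] = {}

    def newres(self, path: str, defaccess: str = "") -> None:
        """Model of 'newres FILE path defaccess(...)'; '' means no default access."""
        self.defaccess[path] = frozenset(defaccess)
        self.rules[path] = []

    def authorize(self, path: str, access: str, uid: Optional[str] = None,
                  gid: Optional[str] = None, via_pgm: Optional[str] = None) -> None:
        """Model of 'authorize FILE path uid(..)|gid(..) access(..) via(pgm(..))'."""
        subject = ("uid", uid) if uid is not None else ("gid", gid)
        self.rules[path].append(Rule(subject, frozenset(access), via_pgm))

    def _subject_matches(self, subject: Tuple[str, str], user: str) -> bool:
        kind, name = subject
        defined = user in self.defined_users
        if kind == "uid":
            # uid(*) covers every *defined* user; undefined users never match it.
            return (name == "*" and defined) or name == user
        if name == "_undefined":
            # The _undefined group is how a rule reaches users not in the database.
            return not defined
        return user in self.groups.get(name, set())

    def check(self, user: str, path: str, access: str, program: str) -> bool:
        """True if `user` may perform `access` on `path` while running `program`."""
        matching = [
            r for r in self.rules[path]
            if self._subject_matches(r.subject, user)
            and (r.via_pgm is None or r.via_pgm == program)
        ]
        if not matching:
            # No entry applies (wrong program, or no rule for this subject):
            # fall back to default access, which also covers undefined users.
            return access in self.defaccess[path]
        return any(access in r.access for r in matching)


def build_sample_acl() -> ToyAcl:
    """Constructed configuration mirroring the two examples in the text."""
    acl = ToyAcl(defined_users={"alice", "bob", "dba"},
                 groups={"users": {"alice", "bob"}})
    # newres FILE /etc/passwd owner(nobody) defaccess(R)
    # authorize FILE /etc/passwd gid(users) access(U) via(pgm(/bin/passwd))
    acl.newres("/etc/passwd", defaccess="R")
    acl.authorize("/etc/passwd", "U", gid="users", via_pgm="/bin/passwd")
    # authorize FILE /usr/dbms/xyz uid(*) via(pgm(.../pgm1|pgm2)) access(U)
    acl.newres("/usr/dbms/xyz")
    acl.authorize("/usr/dbms/xyz", "U", uid="*", via_pgm="/usr/dbms/bin/pgm1")
    acl.authorize("/usr/dbms/xyz", "U", uid="*", via_pgm="/usr/dbms/bin/pgm2")
    # Constructed extra rule: let undefined users read through pgm2 only.
    acl.authorize("/usr/dbms/xyz", "R", gid="_undefined", via_pgm="/usr/dbms/bin/pgm2")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.check("alice", "/etc/passwd", "U", "/usr/bin/vi"))      # False
    print(acl.check("alice", "/etc/passwd", "U", "/bin/passwd"))      # True
    print(acl.check("ghost", "/usr/dbms/xyz", "U", "/usr/dbms/bin/pgm1"))  # False
```

The ghost user is not in the database: it can read /etc/passwd because default access applies to everyone, but uid(*) never applies to it, so it reaches /usr/dbms/xyz only through the constructed _undefined rule.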