[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Mon May 1 05:15:16 MDT 2017


Q) When I run sudo on AIX I get the following error:
     setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
A) AIX's Enhanced RBAC is preventing sudo from running.  To fix
    this, add the following entry to /etc/security/privcmds (adjust
    the path to sudo as needed) and run the setkst command as root:

     /usr/local/bin/sudo:
	    accessauths = ALLOW_ALL
	    innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,\
                  PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
	    secflags = FSF_EPS

I am curious why PV_DAC_{ROX} are needed - the _UID and _GID seem clear enough.
Also, unsure on why:
PV_FS_CHOWN is needed (wouldn't that be handled by "sudo chown"?)
PV_PROC_PRIO (why not "sudo nice"?)

root at x062:[/export/lpp]lspriv -v | grep DAC
PV_DAC_ Equivalent to all DAC privileges (PV_DAC_*) combined.
PV_DAC_R Allows a process to override DAC read permission on all objects.
PV_DAC_W Allows a process to override DAC write permission on all objects.
PV_DAC_X Allows a process to override DAC execute permission on all objects.
PV_DAC_O Allows a process to override DAC ownership on all objects.
PV_DAC_UID Allows a process to change its user ID.
PV_DAC_GID Allows a process to set a new group ID.
PV_DAC_RID Allows a process to set a new role ID.
PV_KER_IPC_O Allows a process to override DAC ownership on all IPC objects.

root at x062:[/export/lpp]lspriv -v | grep _PROC
PV_AU_PROC Allows a process to get or set an audit state of a process.
PV_PROC_ Equivalent to all Process privileges (PV_PROC_*) combined.
PV_PROC_PRIO Allows a process/thread to change priority, policy and other schedulig parameters.
PV_PROC_CORE Allows a process to dump core.
PV_PROC_RAC Allows a process create more processes than the per user limit.
PV_PROC_RSET Allows to attach resource set (rset) to a process or thread.
PV_PROC_ENV Allows a process to set user information in the user structure.
PV_PROC_CKPT Allows a process to checkpoint/restart another process.
PV_PROC_CRED Allows a process to set new process credential during the exec().
PV_PROC_SIG Allows a process to send signal to an unrelated process.
PV_PROC_PRIV Allows a process to modify or view privilege sets associated with a process.
PV_PROC_TIMER Allows a process to submit and use fine granularity timers.
PV_PROC_RTCLK Allows a process to access CPU-time clock.
PV_PROC_VARS Allows a process to retrieve and update process tunable parameters.
PV_PROC_PDMODE Allows a process to change REAL mode.
PV_LAB_SL_PROC Allows a process to change subject SL.
PV_MAC_R_PROC Allows a process to bypass MAC read restrictions when getting information about a process, provided that the target process's label is within the acting process's clearance.
PV_MAC_W_PROC Allows a process to bypass MAC write restrictions when sending a signal to a process, provided that the target process's label is within the acting process's clearance.
PV_DOM_PROC Allows a process to change other domains.

And, lastly - why try to be specific - when sudo is still elevating the command requested to 'root'. Instead, the options:
               euid
                    Specifies the effective user ID to assume when the command is run.
               egid
                    Specifies the effective group ID to assume when the command is run.

could be used rather than 'innateprivs'.

Regards,
Michael
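An added example, not part of the original message, the sudo FAQ or the sudo project: a small Python parser for the stanza layout the FAQ answer shows (name line, indented "attr = value" lines, backslash continuation), plus an audit pass that reports the grants this thread is about, namely accessauths = ALLOW_ALL and the class-wide aggregate privileges such as PV_DAC_ that lspriv -v lists. The sample privcmds text is constructed; the sudo stanza in it is the one from the FAQ and the second command entry is made up for contrast.

```python
"""Audit AIX /etc/security/privcmds stanzas for over-broad grants.

Added example (not from the sudo FAQ or the sudo project). Parses the
stanza format shown in the FAQ answer and reports, per command, the
privileges granted, flagging accessauths = ALLOW_ALL and aggregate
privileges (PV_DAC_, PV_PROC_, ...) that grant a whole class at once.
"""
import re

# Constructed sample in the layout of /etc/security/privcmds. The sudo
# stanza is the FAQ entry; /usr/local/bin/example_tool is made up.
SAMPLE_PRIVCMDS = """\
/usr/local/bin/sudo:
\taccessauths = ALLOW_ALL
\tinnateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,\\
                  PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
\tsecflags = FSF_EPS

/usr/local/bin/example_tool:
\taccessauths = aix.security.user
\tinnateprivs = PV_DAC_,PV_PROC_
\tsecflags = FSF_EPS
"""

# lspriv -v names the "all of PV_X_*" aggregates with a trailing
# underscore (PV_DAC_, PV_PROC_); match exactly that shape.
AGGREGATE = re.compile(r"^PV_[A-Z]+_$")


def _strip_continuation(value):
    """Return (value without trailing backslash, whether it continues)."""
    if value.endswith("\\"):
        return value[:-1].strip(), True
    return value, False


def parse_stanzas(text):
    """Parse stanza text into {command: {attr: value}}.

    A stanza begins with 'name:' at column 0; attribute lines are
    indented 'attr = value'; a trailing backslash continues the value
    on the next line (as in the FAQ's innateprivs line).
    """
    stanzas = {}
    current = None
    pending = None  # attribute whose value is still being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if pending is not None:
            value, cont = _strip_continuation(line.strip())
            stanzas[current][pending] += value
            pending = pending if cont else None
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
            continue
        if current is None:
            raise ValueError("attribute line before any stanza: %r" % line)
        attr, _, value = line.strip().partition("=")
        attr = attr.strip()
        value, cont = _strip_continuation(value.strip())
        stanzas[current][attr] = value
        pending = attr if cont else None
    return stanzas


def privilege_set(stanza):
    """Split the comma-separated innateprivs attribute into a set."""
    raw = stanza.get("innateprivs", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def audit(stanzas):
    """Return {command: [finding, ...]}; an empty list means nothing flagged."""
    findings = {}
    for cmd, attrs in stanzas.items():
        notes = []
        if attrs.get("accessauths") == "ALLOW_ALL":
            notes.append("any user may invoke it (accessauths = ALLOW_ALL)")
        for priv in sorted(privilege_set(attrs)):
            if AGGREGATE.match(priv):
                notes.append("aggregate privilege %s grants a whole class" % priv)
        findings[cmd] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_stanzas(SAMPLE_PRIVCMDS)
    for command, notes in audit(parsed).items():
        print("%s: %d privilege(s), %s" % (
            command, len(privilege_set(parsed[command])),
            "; ".join(notes) if notes else "nothing flagged"))
```

To run it against a real system, read /etc/security/privcmds into parse_stanzas instead of SAMPLE_PRIVCMDS; the audit output is a starting point for the question raised above, which of the ten innate privileges the FAQ grants are actually exercised by sudo.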