[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Mon May 1 12:02:42 MDT 2017 

On 01/05/2017 18:33, Todd C. Miller wrote:
> On Mon, 01 May 2017 13:15:16 +0200, Michael Felt wrote:
>
>> I am curious why PV_DAC_{ROX} are needed - the _UID and _GID seem
>> clear enough.
> This was needed for sudo to be able to access some of its own files
> that are root-owned.
>
>> Also, unsure on why:
>> PV_FS_CHOWN is needed (wouldn't that be handled by "sudo chown"?)
> Sudo itself may use the chown system call to set the owner on certain
> files it creates such as the time stamp files and I/O log files.
>
>> PV_PROV_PRIO (why not "sudo nice"?)
> The sudo plugin API allows the policy plugin to specify the priority
> of the command to be run.  The sudoers plugin does not currently
> implement this.
>
>> And, lastly - why try to be specific - when sudo is still elevating
>> the command requested to 'root'. Instead, the options:
>>                 euid
>>                      Specifies the effective user ID to assume when the comman
>> d is run.
>>                 egid
>>                      Specifies the effective group ID to assume when the comma
>> nd is run.
>>
>> Could be used rather than 'innateprivs'.
> Because sudo can run commands are more than just root.
If I understand correctly - normally, sudo is setup using "chmod u+s"

An RBAC way to do the same is:
setsecattr -c euid=0 accessauths=<an_authorization || ALLOW_KEYWORD 
(e.g., ALLOW_ALL)> sec_flags=EFS /path/to/sudo

Ideally, rather than using the keyword ALLOW_ALL an authorization would 
be made and assigned to a role.

e.g., mkauth sudo; mkauth sudo.users; mkauth sudo.admin; mkauth 
sudo.grp.wheel # the last are extra "incase" more granularity is 
needed/desired
setkst # update kernel security table

Then a role:
mkrole authorizations=sudo dfltmsg="sudoer role" sudoer
setkst

The assign a role to a user
chuser roles=sudoer michael

setsecattr -c euid=0 accessauths=sudo sec_flags=EFS /usr/local/bin/sudo
setkst

This is all from documentation - I'll test it.
>
> All that being said, I don't currently have access to an AIX machine
> where RBAC is configured so I'm unable to test sudo in that
> environment.  Someone had tried to get sudo working in a VIO with
> RBAC but never succeeded.  There is some info about this in
> https://bugzilla.sudo.ws/show_bug.cgi?id=498
However, they way this "should" be done is to start a shell, use 
setsecattr to assign PV_ROOT. And then prefix the call to sudo with 
"tracepriv" command.
Assuming something does not work (as the PV_SU_ privelidges did not 
exist 5 years ago, fyi - use the setsecattr -p command to set both 
PV_ROOT and PV_SU_ROOT
My reading  of the documentation - and some guessing - is that 
PV_SU_EMUL and PV_SU_UID are special to "Trusted AIX" when UID=0 not not 
"super".

And then the output from tracepriv will list all the privileges actually 
used.

I wrote a 'simple' case (for apache): see 
http://www.ibmsystemsmag.com/aix/administrator/security/rbac_applications/

Michael
>   - todd

More information about the sudo-workers mailing list