[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Mon May 1 12:34:18 MDT 2017

On 01/05/2017 20:02, Michael Felt wrote:
> If I understand correctly - normally, sudo is setup using "chmod u+s"
> An RBAC way to do the same is:
> setsecattr -c euid=0 accessauths=<an_authorization || ALLOW_KEYWORD (e.g., ALLOW_ALL)> sec_flags=EFS /path/to/sudo
> Ideally, rather than using the keyword ALLOW_ALL an authorization 
> would be made and assigned to a role.
> e.g., mkauth sudo; mkauth sudo.users; mkauth sudo.admin; mkauth sudo.grp.wheel
> # the last are extra "in case" more granularity is needed/desired
> setkst # update kernel security table
> Then a role:
> mkrole authorizations=sudo dfltmsg="sudoer role" sudoer
> setkst
> Then assign a role to a user:
> chuser roles=sudoer michael
> setsecattr -c euid=0 accessauths=sudo sec_flags=EFS /usr/local/bin/sudo
> setkst
> This is all from documentation - I'll test it. 

One of my pet-peeves: IBM keeps changing the rules - and I do not know 
if I have found a bug, or if the rules have been changed drastically. 
For the moment: setsecattr -p iprivs=PV_ROOT <PID> is not working. The 
command needs to be something more like this (on AIX 7.1):

setsecattr -p 
,PV_MAC_,PV_SEC_TRACE,PV_DOM_ iprivs=PV_ROOT 4063374

Anyway - research time...
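The post prefers a named authorization (e.g., "sudo") over the ALLOW_ALL keyword in accessauths. The following audit helper is an added example, not code from the post or from the sudo project: it reads lssecattr -c style listing lines and flags privileged commands that fall back to ALLOW_ALL or carry no accessauths at all. The "path attr=value attr=value ..." layout is assumed to match lssecattr's default output; the sample lines are constructed.

```shell
#!/bin/sh
# Audit privileged-command entries (lssecattr -c listing layout, assumed:
# "<path> attr=value attr=value ...") and report weak accessauths choices.

# Print one line per command: "<path> <verdict> accessauths=<v> euid=<v>".
audit_privcmds() {
    awk '
    {
        path = $1; auths = ""; euid = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "accessauths") auths = kv[2]
            if (kv[1] == "euid") euid = kv[2]
        }
        verdict = "ok"
        if (auths ~ /ALLOW_ALL/) verdict = "WARN:ALLOW_ALL"   # keyword instead of a named auth
        else if (auths == "") verdict = "WARN:no-accessauths" # nobody gated by an authorization
        print path, verdict, "accessauths=" auths, "euid=" euid
    }'
}

# Constructed sample (not real system output): one entry following the
# post's advice, one using ALLOW_ALL, one with no accessauths at all.
SAMPLE='/usr/local/bin/sudo euid=0 accessauths=sudo sec_flags=EFS innateprivs=PV_ROOT
/usr/local/bin/old-sudo euid=0 accessauths=ALLOW_ALL sec_flags=EFS
/usr/local/bin/passwdtool euid=0 innateprivs=PV_DAC_W'

# Number of WARN lines produced for the sample (printed to stdout).
count_warnings() {
    printf '%s\n' "$SAMPLE" | audit_privcmds | grep -c WARN
}

# On an AIX host:  lssecattr -c ALL | audit_privcmds
# Elsewhere, run the audit over the constructed sample.
if command -v lssecattr >/dev/null 2>&1; then
    lssecattr -c ALL | audit_privcmds
else
    printf '%s\n' "$SAMPLE" | audit_privcmds
fi
```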