[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ
michael at felt.demon.nl
Tue May 2 12:03:31 MDT 2017
On 01/05/2017 20:34, Michael Felt wrote:
> On 01/05/2017 20:02, Michael Felt wrote:
>> If I understand correctly - normally, sudo is set up using "chmod u+s"
>> An RBAC way to do the same is:
>> setsecattr -c euid=0 accessauths=<an_authorization || ALLOW_KEYWORD
>> (e.g., ALLOW_ALL)> sec_flags=EFS /path/to/sudo
>> Ideally, rather than using the keyword ALLOW_ALL an authorization
>> would be made and assigned to a role.
>> e.g., mkauth sudo; mkauth sudo.users; mkauth sudo.admin; mkauth
>> sudo.grp.wheel # the last are extra "in case" more granularity is
>> setkst # update kernel security table
>> Then a role:
>> mkrole authorizations=sudo dfltmsg="sudoer role" sudoer
>> Then assign a role to a user
>> chuser roles=sudoer michael
>> setsecattr -c euid=0 accessauths=sudo sec_flags=EFS /usr/local/bin/sudo
>> This is all from documentation - I'll test it.
> One of my pet-peeves: IBM keeps changing the rules - and I do not know
> if I have found a bug, or if the rules have been changed drastically.
> For the moment: setsecattr -p iprivs=PV_ROOT <PID> is not working. The
> command needs to be something more like this (on AIX 7.1)
> setsecattr -p
> ,PV_MAC_,PV_SEC_TRACE,PV_DOM_ iprivs=PV_ROOT 4063374
> Anyway - research time...
The good news is: working as designed. My "bad luck" that I was trying
to run a program with r-x------ permissions.
-r-x------ 1 root security 82658 Aug 19 2016 /usr/sbin/lsauth
As I could not start it, I could not get my promoted privileges
activated. "iprivs" are not innate privileges (but inherited (by child
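An added example, not from the post or from the sudo project: a POSIX sh check over the attributes the thread walks through (accessauths, euid, and the execute bits that stopped the promoted privileges from activating). It assumes `lssecattr -c <path>` prints one line of the form `<path> euid=0 accessauths=<list> sec_flags=EFS`; both sample input lines are constructed.

```sh
#!/bin/sh
# Added example (not from the post or the sudo project): audit an AIX
# command's RBAC attributes before relying on them instead of chmod u+s.
# Assumption: "lssecattr -c <path>" prints one line of the form
# "<path> euid=0 accessauths=<list> sec_flags=EFS"; the "ls -l" line
# starts with the usual 10-character mode string.
# check_rbac_cmd LSSECATTR_LINE LS_LINE
# Prints one FINDING per problem; returns 0 when clean, 1 otherwise.
check_rbac_cmd() {
    attr_line=$1
    ls_line=$2
    rc=0
    auths=$(printf '%s\n' "$attr_line" | sed -n 's/.*accessauths=\([^ ]*\).*/\1/p')
    euid=$(printf '%s\n' "$attr_line" | sed -n 's/.*euid=\([^ ]*\).*/\1/p')
    mode=$(printf '%s\n' "$ls_line" | cut -c1-10)

    # Without accessauths nobody can reach the euid elevation at all.
    if [ -z "$auths" ]; then
        echo "FINDING: no accessauths on command; euid=$euid is unreachable"
        rc=1
    fi
    # ALLOW_ALL hands the elevation to every user; prefer a dedicated
    # authorization (mkauth sudo) assigned through a role (mkrole/chuser).
    case ",$auths," in
        *,ALLOW_ALL,*)
            echo "FINDING: accessauths=ALLOW_ALL; use a dedicated authorization"
            rc=1 ;;
    esac
    # Mode chars 2-4 = owner, 5-7 = group, 8-10 = other. With setuid
    # (s in position 4) the elevation no longer depends on accessauths.
    case "$mode" in
        ???s??????) echo "FINDING: setuid bit still set alongside RBAC euid"; rc=1 ;;
    esac
    # The post's own pitfall: r-x------ means non-owners cannot exec the
    # file, so the kernel never activates the inherited privileges.
    case "$mode" in
        ??????x???|?????????x) ;;
        *) echo "FINDING: mode $mode denies execute to group/other"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample lines (not captured from a real system).
GOOD_ATTR="/usr/local/bin/sudo euid=0 accessauths=sudo sec_flags=EFS"
GOOD_LS="-r-xr-xr-x 1 root security 82658 Aug 19 2016 /usr/local/bin/sudo"
BAD_ATTR="/usr/local/bin/sudo euid=0 accessauths=ALLOW_ALL sec_flags=EFS"
BAD_LS="-r-x------ 1 root security 82658 Aug 19 2016 /usr/local/bin/sudo"
check_rbac_cmd "$GOOD_ATTR" "$GOOD_LS" && echo "OK: $GOOD_ATTR"
check_rbac_cmd "$BAD_ATTR" "$BAD_LS" || echo "review needed: $BAD_ATTR"
```

On a live box the two inputs come from `lssecattr -c /usr/local/bin/sudo` and `ls -l /usr/local/bin/sudo`; the check itself touches no security tables.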