[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Tue May 2 12:41:52 MDT 2017

On 01/05/2017 20:02, Michael Felt wrote:
> If I understand correctly - normally, sudo is setup using "chmod u+s"
> An RBAC way to do the same is:
> setsecattr -c euid=0 accessauths=<an_authorization || ALLOW_KEYWORD 
> (e.g., ALLOW_ALL)> sec_flags=EFS /path/to/sudo
> Ideally, rather than using the keyword ALLOW_ALL an authorization 
> would be made and assigned to a role.
> e.g., mkauth sudo; mkauth sudo.users; mkauth sudo.admin; mkauth 
> sudo.grp.wheel # the last are extra "incase" more granularity is 
> needed/desired
> setkst # update kernel security table
> Then a role:
> mkrole authorizations=sudo dfltmsg="sudoer role" sudoer
> setkst
> The assign a role to a user
> chuser roles=sudoer michael
> setsecattr -c euid=0 accessauths=sudo sec_flags=EFS /usr/local/bin/sudo
> setkst
> This is all from documentation - I'll test it. 

After having done something like above - still was not working - obviously.

So, going into 'trace mode':

1st, as root: upgrade the users shell:

root at x068:[/]setsecattr -p iprivs=PV_ROOT 4784380

michael at x068:[/home/michael]echo $$; id
uid=203(michael) gid=1(staff)

michael at x068:[/home/michael]tracepriv lssecattr -p $$
4784380 eprivs= mprivs= iprivs=PV_ROOT lprivs=PV_ROOT uprivs=

4259884: Used privileges for /usr/sbin/lssecattr:

michael at x068:[/home/michael]tracepriv sudo ls

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

     #1) Respect the privacy of others.
     #2) Think before you type.
     #3) With great power comes great responsibility.

michael is not in the sudoers file.  This incident will be reported.

6094946: Used privileges for /opt/bin/sudo:
   PV_DAC_O                           PV_DAC_UID
   PV_DAC_GID                         PV_FS_CHOWN
   PV_NET_CNTL                        PV_NET_PORT

So, as a starting point the privileges listed above are needed.

michael at x068:[/home/michael]ls -l /opt/bin/sudo
-rwsr-xr-x    1 root     bin          227616 Mar 21 17:09 /opt/bin/sudo

Not "oops", yet.

michael at x068:[/home/michael]chmod u-s  /opt/bin/sudo
michael at x068:[/home/michael]ls -l /opt/bin/sudo
-rwxr-xr-x    1 root     bin          227616 Mar 21 17:09 /opt/bin/sudo
michael at x068:[/home/michael]

michael at x068:[/home/michael]tracepriv sudo ls
sudo: /opt/bin/sudo must be owned by uid 0 and have the setuid bit set

6094952: Used privileges for /opt/bin/sudo:

Hmm, a new 'problem' - that I guess the FAQ addressed, or tried to.

Next attempt: prime the shell with:

root at x068:[/]setsecattr -p iprivs=PV_ROOT,PV_SU_UID 4784380

michael at x068:[/home/michael]tracepriv sudo ls
sudo: sudoers specifies that root is not allowed to sudo

4259906: Used privileges for /opt/bin/sudo:
   PV_DAC_R                           PV_DAC_X
   PV_DAC_UID                         PV_DAC_GID
   PV_SU_UID                          PV_NET_CNTL

So, sort of stuck - if I use the option --disable-root-sudo - so I'll 
remove it.

In closing: the FAQ says:

        innateprivs = 

What is extra in the FAQ is: 

What is missing is:   PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID 
(to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0 
and have the setuid bit set".

re: the extra - PV_PROC_PRIO - in any case - is needed by something I 
have not 'used' yet I expect (a plugin?).

Does the 'request' for network control and to open a 'restricted' port 
(<1024) sound right?


More information about the sudo-workers mailing list