This blog, written by Michael Felt, discusses AIX security topics. Articles on IBM AIX security including PowerSC, AIX RBAC, AIX shell scripting, passwords and user security. RBAC or Role Based Access Control has been available in AIX since starting with AIX Prior to that, access control is AIX was the same as for any .
|Country:||Saint Kitts and Nevis|
|Published (Last):||17 November 2006|
|PDF File Size:||15.78 Mb|
|ePub File Size:||10.82 Mb|
|Price:||Free* [*Free Regsitration Required]|
Install an application, e. This article shows how RBAC provides enhanced security to the system. This allows a normal user account special privileges without having to become root or use another utility, such as sudo. This document discusses creating a custom role to run an existing AIX OS command using an existing authorization. In this case, whoever has the DAC privilege should be able to execute lsconf.
To bypass DAC, privileges are required. There are five 5 components to the RBAC security database: Is it possible that a malicious user can get the role of ISSO and use his own shutdown program to attack the system? Create our custom role We’ll make a role with a name, and a default message letting future users know what the role does, and assigning that authorization to the role. Test to see if the role was assigned If we log in as bob we can see if the role was assigned to the account: System shutdown reboot File system backup, restore, and quotas System error logging, trace, and statistics Workload administration.
Is it possible to execute a command by a user who has the required authorization but no DAC permission?
Start with the user we just created. To prevent anyone from giving su access to the httpd account, make the following changes the PS1 prompts are changed to clarify which identity is active:.
Disk Flash Servers Software Tape. Successfully updated the Kernel Command Table.
ROOTVG – AIX, LinuxOnPower & POWER Systems Portal – RBAC: Role Based Access Control in AIX
Contact the author for any further clarification on this topic. This example is shown to explain the usage of RBAC.
To summarize, authorizations can be assigned to an executable command. A priviledge is an explicit access granted to a command, device, or file. Since this user, httpd, owns all the files all normal access rights read, write, execute should be available where appropriate.
If an application does not work when root starts it you can assume the issue with the application is not an access problem but something else that needs to be solved first. Anyone who gets control of the administrative user maliciously cannot do anything, since the administrator alone cannot do anything destructive.
To avoid this problem, latest releases of AIX 6. Role-based access control in simple steps A step-by-step approach with examples. Sign in or register to add and subscribe to comments.
If everything was working during Step 4 any startup problems we see here must be related to a lack of one or more privileges. The httpd account is meant to be an owning, not an operational, account.
Check for an existing role that might be used instead of having to create one. Hardening the Cloud Security considerations to protect your organization.
Successfully updated the Kernel Object Domain Table. Jeyapaul Published on June 23, Extended RBAC is granular. However, the root user, who has all the privileges, is considered to be the sole user. The root user decides who can log in, who can access the data, which process has the privileges to get into the kernel mode, and so on.
sudo-rbac – AIXTOOLS
Establishing and maintaining security policy Setting passwords for users Network configuration Device administration SA – Systems Administrator The SA role provides authorizations for daily administration and includes: Prior to AIX version 6, portions of root-user authority could be assigned to non-root users. Hence, a user who does zix have the required authorization will fail to execute bootinfo.
In short, the operating system uses authorization to determine eligibility before performing a privileged operation like system calls. System shutdown and reboot File system backup, restore and quotas System error logging, trace and statistics Workload administration.
The onus on a single user root is delegated. The system has a pre-defined authorization to certain commands and roles for system-defined users. Comments Sign in or register to add and subscribe to comments.
As you proceed through the steps remember to verify that the application is working when started as root.
You need more than one role users to create and set a password for the user. Yes, access control DAC, or discretionary access controlbut no role based management of lists of authorizations or priviledges to execute sets of commands.
None of the above, continue with my search. Giving authority to a non-root user to execute commands like shutdown is not suggested or recommended. Further, a user who is considered as administrator can provide an user-defined authorization to an executable program and assign the authorization to a role.