
How-to Integrate Applications Into AIX RBAC


Many administrators have questions about AIX role-based access control (RBAC):

     
  1. Will it work?
  2.  
  3. What will break?
  4.  
  5. I’ve tried it, now why don’t I see any difference?
  6.  
  7. What about integrating an application into RBAC?

For administrators who want a procedural template for integrating applications into AIX RBAC, consider the following example of starting and stopping Apache HTTPD under AIX RBAC. The example shows how to start and stop the httpd service without access to the superuser (root) account. As you work through the steps, verify at each stage that the application still works when started as root. If an application does not work even when root starts it, the issue is not an access problem but something else that must be solved first.

Step 1: Create a sandbox
Install AIX V6.1 or 7.1 using the defaults. Optionally, install OpenSSH. For one example of the installation, see “HOWTO: Install AIX.”

Step 2: Install an application, e.g. Apache HTTPD
Install Apache HTTPD service. This can be done from any source. For this example, I’m using one I built myself and host as AIXTOOLS. The file paths used (i.e. /opt/httpd/sbin/httpd) assume this packaging.

Step 3: Verify successful installation
Verify, as root, that you can start and stop the httpd service with "apachectl start" and "apachectl stop", and that when you browse to the home page you get the Apache "It works!" page (or whatever content you have installed).

Step 4: Initiate the “non-root” environment
As root, create the httpd group and user, edit httpd.conf so that the User and Group directives are both set to httpd, and then chown -R httpd:httpd /var/httpd. Verify again that, as root, you can start and stop httpd and still get "It works!"

Step 5: Start investigating
Now you are ready to investigate what a non-root user can and cannot do when it comes to starting and stopping the httpd service. Start with the user we just created. Since this user, httpd, owns all the files, all normal access rights (read, write, execute) are available wherever they are needed. If everything worked in Step 4, any startup problem we see here must be caused by a missing privilege rather than by file permissions.

# apachectl stop
# su - httpd
$ apachectl -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
$ apachectl start
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down

This shows that, as user httpd, the compiled-in modules can be listed (apachectl -l) but the service cannot be started. Error AH00072 indicates that user httpd lacks the authority to bind to port 80, a privileged port (below 1024) that only the superuser may bind by default; note that both the IPv6 ([::]:80) and IPv4 (0.0.0.0:80) binds fail. Lacking this superuser privilege the application has no socket to listen on, so it shuts down.

Step 6: Set up the application/data owner
The previous step used the account “httpd” to rule out file permissions as the cause. However, in a real environment the data owner and the application-management identity should be different. Managing an application through group write access and/or switch user (su) access to the owning account puts the integrity of the application data at risk.

Exit from the su - httpd shell and return to root. The httpd account is meant to be an owning account, not an operational one. To prevent anyone, root included, from using su to obtain a shell as httpd, make the following changes (the PS1 prompts have been changed to make clear which identity is active). The chsec command adds /bin/false to the list of valid login shells in the usw stanza of /etc/security/login.cfg so that chuser will accept it as the account's shell; mkgroup -a NONE creates an administrative group with no members to serve as the sugroups value; and admin=true makes httpd an administrative user whose attributes only root can change:

root@x103:[/]chsec -f /etc/security/login.cfg -s usw -a shells="/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/bin/false"

root@x103:[/]mkgroup -a NONE

root@x103:[/]chuser pgrp=httpd groups=httpd home=/dev/null shell=/bin/false login=false su=false rlogin=false daemon=false admin=true sugroups=NONE httpd

root@x103:[/]su - httpd
3004-614 Unable to change directory to "/dev/null".
You are in "/home/guest" instead.
root@x103:[/]id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
root@x103:[/]

The id output shows that even root cannot become httpd: the /bin/false shell exits immediately and the following id command still reports uid=0(root). Non-root users are additionally blocked by the login, rlogin, su and sugroups attributes.

Step 7: Establish a user ID for application operations
As root, create a new user (identity) that will be used to manage the httpd service, e.g., httpd_op (httpd operator).

root@x103:[/]mkuser httpd_op

(Note that this account is deliberately not in the group httpd. We’ll use RBAC to grant any access needed, not group permissions.)
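The Step 6 and Step 7 changes are easy to get subtly wrong (one attribute missed in the long chuser command, or an operator account that quietly picked up the application's group), so the following script is an added check that is not part of the original article. It reads the stanza that lsuser -f prints for a user (one indented attr=value per line) and confirms that httpd is locked down as Step 6 intends and that httpd_op is not a member of group httpd. The stanzas embedded below are constructed samples, with made-up IDs, so the script also runs off AIX; on the real host pipe the live lsuser -f output into the functions instead.

```shell
#!/bin/sh
# Added check for Steps 6 and 7 (not from the original article).
# Both functions read an AIX user stanza on stdin in the form printed by
# `lsuser -f <user>`:  a "user:" header followed by indented attr=value lines.
# On AIX run:   lsuser -f httpd    | check_owner_account
#               lsuser -f httpd_op | check_not_in_group httpd

# Pass only if every attribute set by the Step 6 chuser still has its
# locked-down value; prints one FAIL line per deviation.
check_owner_account() {
    awk '
        BEGIN {
            want["shell"]    = "/bin/false"  # added to login.cfg by the chsec step
            want["login"]    = "false"       # no local login
            want["su"]       = "false"       # no su into the account (root is stopped by the shell)
            want["rlogin"]   = "false"       # no remote login
            want["daemon"]   = "false"       # no cron/at jobs under this identity
            want["sugroups"] = "NONE"        # only members of the empty group NONE may su
            bad = 0
        }
        /^[ \t]+[A-Za-z_]+=/ {
            sub(/^[ \t]+/, "")
            eq   = index($0, "=")
            attr = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            if (attr in want) {
                seen[attr] = 1
                if (val != want[attr]) {
                    printf "FAIL %s=%s (want %s)\n", attr, val, want[attr]
                    bad++
                }
            }
        }
        END {
            for (a in want)
                if (!(a in seen)) { printf "FAIL %s not set\n", a; bad++ }
            if (bad == 0) print "OK owning account is locked down"
            exit (bad > 0)
        }'
}

# Pass only if neither pgrp nor groups of the stanza on stdin contains $1,
# i.e. the operator does not rely on membership in the application group.
check_not_in_group() {
    awk -v g="$1" '
        BEGIN { bad = 0 }
        /^[ \t]+(pgrp|groups)=/ {
            sub(/^[ \t]+/, "")
            eq   = index($0, "=")
            attr = substr($0, 1, eq - 1)
            n    = split(substr($0, eq + 1), list, ",")
            for (i = 1; i <= n; i++)
                if (list[i] == g) {
                    printf "FAIL %s includes %s\n", attr, g
                    bad++
                }
        }
        END {
            if (bad == 0) printf "OK not a member of %s\n", g
            exit (bad > 0)
        }'
}

# Constructed sample: httpd after the Step 6 chuser (shape of `lsuser -f httpd`).
LOCKED_HTTPD='httpd:
	id=205
	pgrp=httpd
	groups=httpd
	home=/dev/null
	shell=/bin/false
	login=false
	su=false
	rlogin=false
	daemon=false
	admin=true
	sugroups=NONE'

# Constructed sample: the same account as a plain `mkuser httpd` would have left it.
OPEN_HTTPD='httpd:
	id=205
	pgrp=httpd
	groups=httpd
	home=/home/httpd
	shell=/usr/bin/ksh
	login=true
	su=true
	rlogin=true
	daemon=true
	admin=false
	sugroups=ALL'

# Constructed sample: httpd_op from Step 7 (mkuser default primary group is staff).
HTTPD_OP='httpd_op:
	id=206
	pgrp=staff
	groups=staff
	home=/home/httpd_op
	shell=/usr/bin/ksh'

printf '%s\n' "$LOCKED_HTTPD" | check_owner_account
printf '%s\n' "$OPEN_HTTPD"   | check_owner_account || echo "httpd must be locked down before continuing"
printf '%s\n' "$HTTPD_OP"     | check_not_in_group httpd
```

Run this after Step 7 and again after any later chuser or chgroup change: an operator account that is silently added to group httpd would get file access through group permissions and mask whether the RBAC grants you add later are actually sufficient.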
