

How-to Integrate Applications Into AIX RBAC


Step 8: Set up separate root and non-root sessions
In a new window/session, log in as "httpd_op" and repeat Step 5. You should get the same error messages, or maybe worse: you may not even be able to execute the application. And, just as before, verify in the other session that httpd still starts and stops "as root" using apachectl.

Step 9: Determine privileges needed using tracepriv
In the httpd_op window, get your shell process ID:

httpd_op@x103:[/home/httpd_op]echo $$
5243132

From the root session, elevate the privileges of the non-root shell so that programs it starts will inherit the PV_ROOT privilege set:

root@x103:[/]setsecattr -p iprivs=PV_ROOT 5243132 

Step 10: Start/stop httpd
As httpd_op, in the elevated shell, start and stop httpd using the apachectl script:

httpd_op@x103:[/home/httpd_op]id
uid=204(httpd_op) gid=1(staff)
httpd_op@x103:[/home/httpd_op]apachectl start
httpd_op@x103:[/home/httpd_op]apachectl stop 

Now that we know httpd can be started and stopped from the elevated shell, use the tracepriv command to determine which privileges are actually needed. The -f flag is important because we want to see the privileges used by /opt/httpd/sbin/httpd as it is started (forked) from the shell:

httpd_op@x103:[/home/httpd_op]tracepriv -ef apachectl start
6619318: Used privileges for /usr/bin/apachectl:
  PV_DAC_R                           PV_KER_ACCT                      
  PV_KER_RAC                       

6619318: Used privileges for /etc/apachectl:
  PV_DAC_R                           PV_KER_ACCT                      
  PV_KER_RAC                       

6357072: Used privileges for /usr/sbin/apachectl:
  PV_TP_SET                          PV_KER_RAC                       

6357072: Used privileges for /opt/httpd/sbin/httpd:
  PV_DAC_R                           PV_DAC_W
  PV_DAC_X                           PV_DAC_O
  PV_KER_RAC                         PV_NET_CNTL
  PV_NET_PORT

6619318: Used privileges for /usr/sbin/apachectl:
  PV_AZ_ROOT                         PV_TP_SET
  PV_KER_ACCT                        PV_KER_RAC

httpd_op@x103:[/home/httpd_op]tracepriv -ef apachectl stop
6422566: Used privileges for /usr/bin/apachectl:
  PV_DAC_R                           PV_KER_ACCT
  PV_KER_RAC

6422566: Used privileges for /etc/apachectl:
  PV_DAC_R                           PV_KER_ACCT
  PV_KER_RAC

5832890: Used privileges for /usr/sbin/apachectl:
  PV_TP_SET                          PV_KER_RAC

5832890: Used privileges for /opt/httpd/sbin/httpd:
  PV_DAC_R                           PV_DAC_X
  PV_DAC_O                           PV_PROC_SIG
  PV_KER_RAC                         PV_NET_CNTL
  PV_NET_PORT

6422566: Used privileges for /usr/sbin/apachectl:
  PV_AZ_ROOT                         PV_TP_SET
  PV_KER_ACCT                        PV_KER_RAC

Step 11: Create authorizations
Above we have a listing of the privileges used by apachectl to start the httpd service. As root, we still have to create an authorization with which to associate the privileges. In other words, we have the privileges we need but not a way of selectively assigning them to a user and not to all other users. I describe the RBAC term authorization as a key that unlocks privileges.

Authorizations are hierarchical, so they must be created from the root node outward. Authorizations beginning with aix. are reserved, so a new root authorization is needed. Without a complete hierarchy, AIX exits with an error message. For this example, use the authorization aixtools.httpd.operate to unlock the privileges.

root@x103:[/]mkauth aixtools.httpd.operate
1420-004 Authorization hierarchy "aixtools.httpd" does not exist.
root@x103:[/]mkauth aixtools
root@x103:[/]mkauth aixtools.httpd
root@x103:[/]mkauth aixtools.httpd.operate

Now that the key (I should say authorization) exists, I can assign the authorization:privileges pair to the executable using setsecattr (set security attributes):

root@x103:[/]setsecattr -c authprivs=aixtools.httpd.operate=PV_DAC_R+PV_DAC_W+PV_DAC_X+PV_DAC_O+PV_KER_RAC+PV_NET_CNTL+PV_NET_PORT+PV_PROC_SIG accessauths=aixtools.httpd.operate secflags=FSF_EPS /opt/httpd/sbin/httpd

All this has done is update some files in /etc. To get the changes recognized by the kernel, we need to set the kernel security tables:

root@x103:[/]setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.

Step 12: Create and assign role to account/user
Now that the command has been assigned an RBAC authorization requirement and its associated privileges, a way to assign this key to a user is needed. I describe the RBAC term role as a key ring. So now you create a role and link authorizations to it, like putting a key on a key ring. Once created, the role can be assigned to users.

root@x103:[/]mkrole authorizations="aixtools.httpd.operate" dfltmsg="APACHE HTTPD Control" apacheops
root@x103:[/]setkst
root@x103:[/]chuser roles=apacheops httpd_op
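To tie Steps 10 through 12 together, here is an added POSIX shell example; it is not part of the article and not an AIX tool. It parses saved tracepriv output, takes the union of the privileges a binary used across every traced operation (here: start and stop), and prints the mkauth, setsecattr, setkst, mkrole and chuser commands from the steps above so they can be reviewed before being run as root. The function names used_privs, auth_chain and rbac_plan are chosen here; SAMPLE_TRACE is the article's own Step 10 output pasted into one string, and only awk, sort and standard shell are used, so it runs anywhere.

```shell
#!/bin/sh
# Added example: derive the Step 11/12 RBAC commands from tracepriv output.
# Nothing is executed on the system; the AIX commands are only printed.

# Input as captured from "tracepriv -ef apachectl start" and "... stop"
# in Step 10 of the article (the httpd and apachectl entries).
SAMPLE_TRACE='6357072: Used privileges for /opt/httpd/sbin/httpd:
  PV_DAC_R PV_DAC_W
  PV_DAC_X PV_DAC_O
  PV_KER_RAC PV_NET_CNTL
  PV_NET_PORT
6619318: Used privileges for /usr/sbin/apachectl: PV_AZ_ROOT PV_TP_SET PV_KER_ACCT PV_KER_RAC
5832890: Used privileges for /opt/httpd/sbin/httpd:
  PV_DAC_R PV_DAC_X
  PV_DAC_O PV_PROC_SIG
  PV_KER_RAC PV_NET_CNTL
  PV_NET_PORT
6422566: Used privileges for /usr/sbin/apachectl: PV_AZ_ROOT PV_TP_SET PV_KER_ACCT PV_KER_RAC'

# used_privs PATH: read tracepriv output on stdin and print the sorted,
# de-duplicated union of privileges recorded for PATH, joined with "+"
# (the syntax setsecattr expects in authprivs=). Privileges may follow the
# "Used privileges for" header on the same line or on the lines below it.
used_privs() {
    LC_ALL=C awk -v target="$1" '
        /Used privileges for/ {
            cur = $0
            sub(/.*Used privileges for /, "", cur)   # keep only the path
            sub(/:.*/, "", cur)                       # drop trailing ":" and rest
        }
        cur == target {
            for (i = 1; i <= NF; i++) if ($i ~ /^PV_/) print $i
        }' | LC_ALL=C sort -u |
    awk 'NR > 1 { printf "+" } { printf "%s", $0 } END { if (NR) print "" }'
}

# auth_chain AUTH: print every prefix of a dotted authorization name, one per
# line, in the order mkauth needs them (the 1420-004 error in Step 11 is what
# happens when a prefix is skipped).
auth_chain() {
    printf '%s\n' "$1" | awk -F. '{
        p = ""
        for (i = 1; i <= NF; i++) { p = (i == 1) ? $i : p "." $i; print p }
    }'
}

# rbac_plan AUTH ROLE USER BINARY MESSAGE: read tracepriv output on stdin and
# print the root commands of Steps 11 and 12 for BINARY. Fails if the trace
# recorded no privileges for BINARY, so nothing is granted by accident.
rbac_plan() {
    auth=$1; role=$2; user=$3; binary=$4; msg=$5
    privs=$(used_privs "$binary")
    if [ -z "$privs" ]; then
        echo "rbac_plan: no privileges recorded for $binary" >&2
        return 1
    fi
    auth_chain "$auth" | while read -r a; do echo "mkauth $a"; done
    echo "setsecattr -c authprivs=$auth=$privs accessauths=$auth secflags=FSF_EPS $binary"
    echo "setkst"
    echo "mkrole authorizations=\"$auth\" dfltmsg=\"$msg\" $role"
    echo "setkst"
    echo "chuser roles=$role $user"
}

# Demonstration when run directly: the plan for the article's httpd setup.
printf '%s\n' "$SAMPLE_TRACE" |
    rbac_plan aixtools.httpd.operate apacheops httpd_op /opt/httpd/sbin/httpd "APACHE HTTPD Control"
```

The printed plan reproduces the article's commands, with the privilege list being exactly the union of what tracepriv recorded for /opt/httpd/sbin/httpd during start and stop and nothing more; if the operator is also expected to run a restart or graceful reload, trace those too and regenerate rather than widening the list by hand or falling back to PV_ROOT. Review the output before running it: mkauth for a prefix that already exists (check with lsauth) will report an error, and the /usr/sbin/apachectl entries are deliberately not granted, since the operator only needs the httpd binary itself to carry the authorization.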


