How-to Integrate Applications Into AIX RBAC
Step 13: Login and use the role to operate Apache HTTPD
RBAC is ready! Privileges were identified; authorizations were made and the auth:priv pair assigned to a command; the role was created and assigned to a user. Now have the user log in, activate the role, and go-go-go! Note: Don’t continue to use the old httpd_op shell, because that shell is elevated, and changes to user attributes (such as roles) are not seen until the next login.
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
Last login: Wed Sep 5 13:49:04 GMT+02:00 2012 on /dev/pts/3 from felt45.xfeltx.nl
httpd_op@x103:[/home/httpd_op]apachectl start
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
httpd_op@x103:[/home/httpd_op]swrole apacheops
httpd_op@x103:[/home/httpd_op]apachectl start
httpd_op@x103:[/home/httpd_op]apachectl stop
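The session above shows the two failure modes an operator hits: running apachectl before the role is active (bind to port 80 denied), and a stale shell that never sees a newly assigned role. The following wrapper, added here as an example and not part of the article, checks the effective and assigned role sets before calling apachectl so the cause is reported instead of a bare "Permission denied". It assumes AIX enhanced RBAC's `rolelist -e` (effective roles) and `rolelist -a` (roles assigned to the user); the rolelist output used below is a constructed sample, and the role name apacheops is the one from the article.

```shell
#!/bin/sh
# Added example (not from the article): defensive wrapper around apachectl
# that reports why a start would fail instead of letting it hit EACCES.
# Assumes AIX `rolelist -e` / `rolelist -a` whose lines start with the
# role name; SAMPLE_* below are constructed, not captured from a system.

ROLE_NAME=apacheops

# Succeed (exit 0) if the role is the first field of any stdin line.
role_in_list() {
    awk -v r="$1" '$1 == r { found = 1 } END { exit found ? 0 : 1 }'
}

# Classify the session from two rolelist outputs given as text, so the
# decision logic can be exercised without AIX present. Prints one of:
#   active     - role is in the effective set; apachectl may be run
#   inactive   - role assigned but not activated; run `swrole apacheops`
#   unassigned - role not visible to this login (assignments made after
#                login are only seen by a fresh session)
role_state() {
    if printf '%s\n' "$1" | role_in_list "$ROLE_NAME"; then
        echo active
    elif printf '%s\n' "$2" | role_in_list "$ROLE_NAME"; then
        echo inactive
    else
        echo unassigned
    fi
}

# Constructed sample rolelist output: role assigned, not yet activated.
SAMPLE_EFFECTIVE=""
SAMPLE_ASSIGNED="apacheops       Operate Apache HTTPD"

# On a real host call: run_apachectl "$(rolelist -e)" "$(rolelist -a)" start
# Returns 0 when the role is active, 1 when swrole is needed, 2 otherwise.
run_apachectl() {
    case "$(role_state "$1" "$2")" in
        active)
            echo "role $ROLE_NAME active; running: apachectl ${3:-start}" ;;
        inactive)
            echo "role $ROLE_NAME assigned but not active: run 'swrole $ROLE_NAME'" >&2
            return 1 ;;
        unassigned)
            echo "role $ROLE_NAME not in this login's role set: log in again" >&2
            return 2 ;;
    esac
}
```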
RBAC Basics
This example shows the basic procedure needed to install and integrate an application so that super-user access isn’t needed for application-management tasks. Rather than relying on traditional *IX group-based and SUID (to super-user) access controls, AIX RBAC mechanisms provide fine-grained (least-privilege) access control to executables.
Editor’s note: Michael AM Felt will be speaking about "RBAC integration—No looking Back" at the Power Technical University Oct. 22-26, 2012, in Dublin, Ireland. He will present a lab with additional steps to protect/manage application configuration files (e.g., /var/httpd/httpd.conf) and problem resolution.