Roles/sudo options or alternatives in AIX 5.3 -coming from a linux guy

[senoralastair]

Hey there aix people,
Hopefully someone can help me out with my situation.

Basically my question is this: What options do i have for giving non-privileged users access to doing certain things in AIX 5.3? From what I believe, the roles don't really work well before about aix6, and in my environment i don't know if i'm going to be allowed to install sudo.

I'm traditionally a linux guy, who is now responsible for a bunch of aix server as well. I'm working in a highly regulated environment, where we have to get sign-off to release root passwords, so i'm wanting to set things up so that i can do basic system tasks without having to go through the paperwork and delays.

Currently i have setup the ManageBasicUsers/passwords successfully for myself (found i had to be part of security group to make this work). But i'm struggling to find a way to safely give myself and the other (much less skillful) admin access to do the following:

mksysb backups to tape
errclear
diag (just for dealing with attention/error indicators)
possibly power down system/reboot

Ideally i guess i'd try and make use of the roles, if anyone can give me pointers on setting them up properly. I also know that there is acledit, which might be one way of doing things, but i'd really appreciate some input from those experienced aix folks out there, so that i can do this safely and properly.

I hope you gurus out there can shed some light on this...

 

[khalidaaa]

First of all sudo works well in AIX just like linux so that still a valid option for you.

Looking at the admin access that you require, it seems that the default roles will work just fine for you!

roles: an alternative method of assigning sysadmin privileges? Maybe an alternative to sudo or the commercial equivalent?
ManageBasicUsers: chsec, chuser, lsuser, mkuser 
ManageAllUsers: chfn, chsec, chuser, mkuser, rmuser, chrole, mkrole, lsrole, rmrole chsec, lssec, pwdadm chgroup, chgrpmem, chsec, mkgroup, rmgroup, chsec, chuser, lsuser, mkuser
ManageBasicPasswords pwdadm 
ManageAllPasswords chsec, lssec, pwdadm 
ManageRoles chrole, mkrole, lsrole, rmrole 
ManageBackupRestore backup, restore 
ManageBackup backup 
ManageShutdown shutdown 
RunDiagnostics diag

http://www.boran.com/security/sp/aix_hardening.html

You will have to install TCB - Trusted Computing Base (which can only be installed when you are installing the OS!) to be able to use ACL:

http://publib.boulder.ibm.com/infoc...security/doc/security/access_control_list.htm

http://www.scribd.com/doc/6896/AIX-Security-Guide

Regards,
Khalid

 

[khalidaaa]

One more useful link:

http://publib.boulder.ibm.com/infoc...c.htm&tocNode=toc:front/front.cmb/0/0/11/0/2/

Regards,
Khalid

 

[senoralastair]

Thanks for the response Khalid.
In this environment, i don't think i'm going to be allowed to install sudo (highly regulated by gov't).
We're running aix 5.3, so the RBAC stuff doesn't come into play until aix 6 or 6.1 i believe.

With the AIX roles, so far i'm unable to get them to work sufficiently. I've added myself to the ManageBasicUsers, ManageBasicPasswords, ManageBackupRestore, ManageBackup, ManageShutdown & RunDiagnostics (and also added myself to the security group). Through smitty or pwdadm i can change passwords, and i can add/modify non-admin accounts, so the user administration part of things is ok. BUT, I can't do a mksysb from either smitty or command line, and diag fails the same way. Do i need to have an extra group membership? or are there other commands i should be running to do the same thing (as per pwdadm instead of passwd)?

ps. thanks for the links. i'm downloading and reading through at the moment...

 

[khalidaaa]

Just try to add only the ManageBackupRestore role!

I just tried that with a test user and i was able to restore from a tape that was backed up by root with no problems!

I think when you add to a user so many roles, they get conflict (or IMHO maybe the first role applies!)

Regards,
Khalid

 

[senoralastair]

Hmmm, I tried that with another user account, but got the following:

Command: failed stdout: yes stderr: no

Before command completion, additional instructions may appear below.

ksh: /usr/bin/mksysb: 0403-006 Execute permission denied.

and i also got denied when running the following from the command line:
/usr/bin/mksysb '-m' '-v' '-V' '-i' /dev/rmt0

Do i need to have a specific group membership to get this to work? And are you running 5.3?


thanks again.

 

[khalidaaa]

My test user was having staff group! So it should be ok.

Could you please list the user attributes?

Regards,
Khalid

 

[senoralastair]

here's the user i'm trying this on:
I hope you can spot something cos i sure don't know...


lsuser swu
swu id=1019 pgrp=staff groups=staff home=/home/swu shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=3 pwdwarntime=10 account_locked=false minage=0 maxage=8 maxexpired=-1 minalpha=1 minother=1 mindiff=0 maxrepeats=4 minlen=7 histexpire=0 histsize=5 pwdchecks= dictionlist=/usr/share/dict/words fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=-1 nofiles=2000 time_last_login=1227737842 time_last_unsuccessful_login=1227737838 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=10.60.4.19 host_last_unsuccessful_login=10.60.4.19 unsuccessful_login_count=0 roles=

 

[khalidaaa]

I really can't compare every attribute as i don't have time for now but i can see that the roles attribute is empty in your case!

Here is the output of my user:

lsuser khalid
khalid id=204 pgrp=staff groups=staff home=/home/khalid shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups=system tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 rss=-1 nofiles=-1 time_last_login=1234770695 tty_last_login=/dev/pts/1 host_last_login=s2s unsuccessful_login_count=0 roles=ManageBackupRestore

Regards,
Khalid

 

[khalidaaa]

If it makes any different, your admgroups= is empty as well! Mine is SYSTEM. But i think mainly is the roles attribute being empty!

Regards,
Khalid

 

[senoralastair]

yeah, i'm pretty sure that having system group membership will make it work, but i was trying to find the least privilege poss to run these tasks, because i'm yet to find out exactly what else system group can do.

does anyone know?

 

[khalidaaa]

Your primary group should be shutdown to be able to shutdown!

If you ls -al /usr/sbin/shutdown (from root)

You will see this:

-r-xr-x--- 1 root shutdown 41521 Jan 11 2006 /usr/sbin/shutdown

which indicates that you should be of a shutdown group to run this command!

This link is something that i came across and thought of sharing:

http://www.ncsa.uiuc.edu/UserInfo/R...US/a_doc_lib/aixbman/admnconc/admin_roles.htm

Regards,
Khalid

 

[khalidaaa]

Having said that, to be able to Add a user, you have to be from the security group:

# ls -al /usr/bin/mkuser
-r-sr-x--- 1 root security 78848 Aug 09 2006 /usr/bin/mkuser

For the mksysb, there is no execute permission for the group so you might want to add that!

# ls -al /usr/bin/mksysb
-r-xr--r-- 1 bin bin 68240 Oct 04 2006 /usr/bin/mksysb

And so on for the rest!

Regards,
Khalid

 

[senoralastair]

hmmm.
thanks for that Khalid.
so you think in my situation, the best way to go about things is to just modify the permissions on the particular files in question as i need them?

 

[khalidaaa]

I'm not saying the best way! that's one way.

The best way could be sudo!

Regards,
Khalid

 

[senoralastair]

haha. yeah true.
i'm still seeing if i can get sudo installed, but i guess for now this will have to do.
thanks for your help.