security question: run-as / adopt authority

[sumgirl]

Hello all. I have what is probably a basic question, but coming from an NT/AS400 background I am not sure where to look. In the NT world you can flag an executable so that it will "run-as" an admin, then give users rights to the executable but not the data the executable needs; The authority to the data is inherited when the process 'runs-as' the admin. The same functionality is achieved on the AS400 by allowing an object to adopt the authority of its owner and just making sure the owner is the admin/QSECOFR.

How do I do this on an AIX machine? I have a bunch of folks logging in at admin level to run some scripts and executables...how do I give the executables all of the authority (to destroy my system) and the users just enough to run the scripts?

Looking forward to learning something.
-thanks

 

[Chapter11]

There are two answers to this.

The first is the older method of the "suid" bit on a file. A program that is set suid runs with the access of the owner of the file. This is less desirable.

The second, more preferred method, is a program called "sudo". It allows you to have a great deal of control over who can run what programs with altered/elevated priviledges.