• Status: Solved

RBAC in AIX 5.2

Hi,

How to configure role based access control in AIX 5.2?
eg. A nornal user can run "topas" cmd. without any administrative group.

I hv configured the same in Solaris 8.

Please suggest.

Thanks,
rishi
Asked by: rishi_dongre
 
Gns Commented:
Look at "smitty roles" and "smitty chuser" ... You can set the RunDiagnostics role for a regular user, but the user still needs to be in group "system" (decreed by the role) for the diagnostics to be available. To run "topas" the user needs system group membership (to be able to read /dev/mem), but no specific role... To run "diag" you need to be part of the "system" group _and_ have the role RunDiagnostics...;-)
Or am I misreading you?
Anyway, there is a http://www.experts-exchange.com/Operating_Systems/AIX_IBMs_UNIX_OS/ TA now that one can use for AIX questions. Perhaps it wouldn't change the answer:-).

-- Glenn
 
gheist Commented:
You can avoid the system group by setting specific groups for read access (chmod 00640) to /dev/mem /dev/kmem (maybe /dev/drum),
then limit access to the respective programs to those groups or so.
This is ugly; AIX chkpwd will suffer from this or so.
Look at www.bullfreeware.com for the monitor package, it does almost this.
 
rishi_dongre (Author) Commented:
Friends,
Thanks for your comments. But I am looking for an option like RBAC (available in Solaris) or sudo.

Thanks
rishi
 
gheist Commented:
sudo is in the same BULL freeware archive ....
Role-based access control is available in AIX just like Gns explained.
 
rishi_dongre (Author) Commented:
I searched for sudo and found it for AIX 5.1.
I'm running 5.2. Will it help?
 
Gns Commented:
Most freeware stuff for 5.1 will "just work" for 5.2 (I've recently "been in the same shoes":-). Unfortunately, monitor doesn't seem to be one of them (probably due to massaging kernel structures etc., so that even slight changes make it "bomb"). At least, it didn't work for me:-(

You can of course define your own roles... You could edit the files in /etc/security directly, but there are nice commands... that smit "hides" behind a nice interface (well:-).
man roles
man mkrole
etc.
But you will be limited to the authorizations available (use either wsm or smitty to play with some tests...:-).
To run topas, I'd imagine you could very well just add a group acl to /dev/mem ... Now trying:-)
Yup, add a "read only" acl and you'll be able to run topas. The downside is of course security, but that might not be such a big deal.
man aclget aclput acledit
for more info on acls. BTW, the acl looks like this for me
# aclget /dev/mem
attributes:
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    enabled
    permit   r--     g:staff

sudo will be more generic in nature, and more flexible... So it might not be a bad idea to look at anyway.

-- Glenn
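An added example, not from this thread: a small POSIX sh/awk helper that reads an aclget listing and reports every principal that ends up with read access, so that after granting an ACL like the one above you can see exactly who can read /dev/mem. The sample listing is constructed from the one Glenn posted, with an extra user entry and a deny entry added as assumptions.

```shell
#!/bin/sh
# Added example: audit an AIX "aclget" listing and print every principal that
# ends up with read access. Intended use on a live box: aclget /dev/mem | readers_from_acl
# Extended "permit" entries only count while the extended section is "enabled".

readers_from_acl() {
    awk '
        /^extended permissions/       { ext = 1; next }   # enter extended section
        ext == 1 && /^ *disabled/     { ext = 2; next }   # extended entries do not apply
        ext == 0 && /^ *(owner|group)\(/ {
            # base permission line, e.g. "    group(system):  r--"
            split($1, a, /[():]/)
            if (substr($2, 1, 1) == "r") print "base:" a[1] ":" a[2]
            next
        }
        ext == 0 && $1 == "others:" && substr($2, 1, 1) == "r" { print "base:others" }
        ext == 1 && $1 == "permit"  && substr($2, 1, 1) == "r" { print "permit:" $3 }
    '
}

# Constructed sample: the listing from the post above plus a user entry and a
# deny entry (both assumed, for illustration only).
SAMPLE_ACL='attributes:
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    enabled
    permit   r--     g:staff
    permit   rw-     u:bob
    deny     r--     g:guests'

# Same listing with the extended section switched off: g:staff must not be reported.
SAMPLE_ACL_DISABLED=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/^    enabled$/    disabled/')

printf '%s\n' "$SAMPLE_ACL" | readers_from_acl
```

Anything reported beyond base:owner:root and base:group:system is a principal that has been deliberately given read access to kernel memory, which is the trade-off Glenn mentions.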
 
rishi_dongre (Author) Commented:
Thanks Gns, gheist for your valuable time.

I installed sudo from my CD and configured it.
And my problem is solved.
 
gheist Commented:
Anyway, have a look here:
http://www.sudo.ws/sudo/other.html
It mentions some AIX facilities too.