
Solved

RBAC in AIX 5.2

Posted on 2004-03-22
1,463 Views
Last Modified: 2013-12-06
Hi,

How do I configure role based access control in AIX 5.2?
e.g. a normal user can run the "topas" command without being in any administrative group.

I have configured the same in Solaris 8.

Please suggest.

Thanks,
rishi
Question by:rishi_dongre
8 Comments
 
LVL 20

Expert Comment

by:Gns
ID: 10649290
Look at "smitty roles" and "smitty chuser" ... You can set the RunDiagnostics role for a regular user, but the user still needs to be in group "system" (decreed by the role) for the diagnostics to be available. To run "topas" the user needs system group membership (to be able to read /dev/mem), but no specific role... To run "diag" you need to be part of the "system" group _and_ have the role RunDiagnostics...;-)
Or am I misreading you?
Anyway, there is a http://www.experts-exchange.com/Operating_Systems/AIX_IBMs_UNIX_OS/ TA now that one can use for AIX questions. Perhaps it wouldn't change the answer:-).

-- Glenn
 
LVL 62

Accepted Solution

by:
gheist earned 225 total points
ID: 10651964
You can avoid the system group by setting specific groups for read access (chmod 00640) to /dev/mem /dev/kmem (maybe /dev/drum),
then limit access to the respective programs to those groups or so.
This is ugly; AIX chkpwd will suffer from this or so.
Look at www.bullfreeware.com for the monitor package, it does almost this.
 

Author Comment

by:rishi_dongre
ID: 10655243
Friends,
Thanks for your comments. But I am looking for an option like RBAC (available in Solaris) or sudo.

Thanks
rishi
 
LVL 62

Expert Comment

by:gheist
ID: 10655330
sudo is in the same BULL freeware archive ....
Role based access control is available in AIX just like Gns explained.
 

Author Comment

by:rishi_dongre
ID: 10655407
I searched for sudo and found it for AIX 5.1.
I'm running 5.2. Will it help?
 
LVL 20

Assisted Solution

by:Gns
Gns earned 150 total points
ID: 10656089
Most freeware stuff for 5.1 will "just work" for 5.2 (I've recently "been in the same shoes":-). Unfortunately, monitor doesn't seem to be one of them (probably due to massaging kernel structures etc., so that even slight changes make it "bomb"). At least, it didn't work for me:-(

You can of course define your own roles... You could edit the files in /etc/security directly, but there are nice commands... that smit "hides" behind a nice interface (well:-).
man roles
man mkrole
etc.
But you will be limited to the authorizations available (use either wsm or smitty to play with some tests...:-).
To run topas, I'd imagine you could very well just add a group ACL to /dev/mem ... Now trying:-)
Yup, add a "read only" ACL and you'll be able to run topas. The downside is of course security, but that might not be such a big deal.
man aclget aclput acledit
for more info on ACLs. BTW, the ACL looks like this for me:
# aclget /dev/mem
attributes:
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    enabled
    permit   r--     g:staff

sudo will be more generic in nature, and more flexible... So it might not be a bad idea to look at anyway.

-- Glenn
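As an added example (not part of the thread), a small POSIX sh/awk audit for the kind of ACL Glenn shows above: it confirms a group has read via an extended permit (so topas runs) and flags any write/execute bit or open "others" entry on /dev/mem. The listings are constructed to mirror his aclget output, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an aclget(1)-style listing of
# /dev/mem so the read grant that lets a group run topas stays read-only.
# SAMPLE_ACL is constructed to match the listing Glenn posted; on a real
# AIX host the input would come from:  aclget /dev/mem
SAMPLE_ACL='attributes:
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    enabled
    permit   r--     g:staff'

# Constructed weakened variant: someone later "fixed" a tool by adding write.
WEAK_ACL=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/permit   r--/permit   rw-/')

# acl_has_read GROUP ACLTEXT : exit 0 if an extended "permit" entry grants GROUP read
acl_has_read() {
    printf '%s\n' "$2" | awk -v grp="g:$1" '
        /^extended permissions/ { ext = 1; next }
        ext && $1 == "permit" && $2 ~ /r/ {
            for (i = 3; i <= NF; i++) if ($i == grp) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# acl_read_only ACLTEXT : exit 0 if "others" has no bits and no extended
# permit/specify entry carries w or x.  /dev/mem exposes kernel memory, so
# anything beyond r-- here is a real weakening, not a convenience.
acl_read_only() {
    printf '%s\n' "$1" | awk '
        /^extended permissions/ { ext = 1; next }
        !ext && $1 == "others:" && $2 != "---" { bad = 1 }
        ext && ($1 == "permit" || $1 == "specify") && $2 ~ /[wx]/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Demonstration on the constructed listings
if acl_has_read staff "$SAMPLE_ACL" && acl_read_only "$SAMPLE_ACL"; then
    echo "sample: staff can read /dev/mem (topas works); ACL is read-only"
fi
if ! acl_read_only "$WEAK_ACL"; then
    echo "weak:   extended permit grants write on /dev/mem, investigate"
fi
```

On a live host the same functions can be fed with `acl_read_only "$(aclget /dev/mem)"` from a cron job to catch later drift in the device's ACL.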
 

Author Comment

by:rishi_dongre
ID: 10656476
Thanks Gns, gheist, for your valuable time.

I installed sudo from my CD and configured it.
And my problem is solved.
 
LVL 62

Expert Comment

by:gheist
ID: 10656658
Anyway - have a look here
http://www.sudo.ws/sudo/other.html
it mentions some AIX facilities too

Question has a verified solution.