RBAC in AIX 5.2

Posted on 2004-03-22
Last Modified: 2013-12-06

How to configure role based access control in AIX 5.2?
E.g. a normal user can run the "topas" command without being in any administrative group.

I have configured the same in Solaris 8.

Please suggest.

Question by: rishi_dongre
LVL 20

Expert Comment

ID: 10649290
Look at "smitty roles" and "smitty chuser" ... You can set the RunDiagnostics role for a regular user, but the user still needs to be in group "system" (decreed by the role) for the diagnostics to be available. To run "topas" the user needs system group membership (to be able to read /dev/mem), but no specific role... To run "diag" you need to be part of the "system" group _and_ have the role RunDiagnostics...;-)
Or am I misreading you?
Anyway, there is a TA now that one can use for AIX questions. Perhaps it wouldn't change the answer:-).

-- Glenn
LVL 61

Accepted Solution

gheist earned 75 total points
ID: 10651964
You can avoid the system group by setting specific groups for read access (chmod 00640) to /dev/mem /dev/kmem (maybe /dev/drum),
then limit access to the respective programs to those groups or so.
This is ugly; AIX chkpwd will suffer from this or so.
Look at the monitor package, it does almost this.

Author Comment

ID: 10655243
Thanks for your comments. But I am looking for an option like RBAC (available in Solaris) or sudo.

LVL 61

Expert Comment

ID: 10655330
sudo is in the same BULL freeware archive ....
Role based access control is available in AIX just like Gns explained.

Author Comment

ID: 10655407
I searched for sudo and found it for AIX 5.1.
I'm running 5.2. Will it help?
LVL 20

Assisted Solution

Gns earned 50 total points
ID: 10656089
Most freeware stuff for 5.1 will "just work" for 5.2 (I've recently "been in the same shoes":-). Unfortunately, monitor doesn't seem to be one of them (probably due to massaging kernel structures etc., so that even slight changes make it "bomb"). At least, it didn't work for me:-(

You can of course define your own roles... You could edit the files in /etc/security directly, but there are nice commands... That smit "hides" behind a nice interface (well:-).
man roles
man mkrole
But you will be limited to the authorizations available (use either wsm or smitty to play with some tests...:-).
To run topas, I'd imagine you could very well just add a group acl to /dev/mem ... Now trying:-)
Yup, add a "read only" ACL and you'll be able to run topas. The downside is of course security, but that might not be such a big deal.
man aclget aclput acledit
for more info on ACLs. BTW, the ACL looks like this for me:
# aclget /dev/mem
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    permit   r--     g:staff

sudo will be more generic in nature, and more flexible... So it might not be a bad idea to look at anyway.

-- Glenn
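To audit what Glenn's approach actually grants, the following parses output in the `aclget` format quoted above and works out which users end up able to read the device. This is an added example, not code from the thread or from AIX; the sample ACL is constructed, and the deny-wins evaluation and the handling of `specify` entries are a simplified model of the AIX ACL rules.

```python
import re

# Constructed sample in the aclget format from the thread; the "attributes:" and
# "enabled" lines are part of real aclget output but were omitted in the post.
ACL_SAMPLE = """\
attributes:
base permissions
    owner(root):  r--
    group(system):  r--
    others:  ---
extended permissions
    enabled
    permit   r--     g:staff
    deny     r--     u:guest
"""

def parse_acl(text):
    """Return base permissions and the list of (kind, perms, identities) entries."""
    acl = {"owner": ("", "---"), "group": ("", "---"), "others": "---",
           "enabled": False, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"owner\((\S+)\):\s*([rwx-]{3})", line):
            acl["owner"] = (m[1], m[2])
        elif m := re.fullmatch(r"group\((\S+)\):\s*([rwx-]{3})", line):
            acl["group"] = (m[1], m[2])
        elif m := re.fullmatch(r"others:\s*([rwx-]{3})", line):
            acl["others"] = m[1]
        elif line == "enabled":
            acl["enabled"] = True
        elif m := re.fullmatch(r"(permit|deny|specify)\s+([rwx-]{3})\s+(.+)", line):
            ids = [tuple(i.strip().split(":", 1)) for i in m[3].split(",")]
            acl["entries"].append((m[1], m[2], ids))
    return acl

def effective_perms(acl, user, groups):
    """rwx string that `user` (member of the set `groups`) gets on the object."""
    owner, owner_perms = acl["owner"]
    group, group_perms = acl["group"]
    # Base permissions: exactly one class applies, as with plain UNIX mode bits.
    base = owner_perms if user == owner else group_perms if group in groups else acl["others"]
    granted = {c for c in base if c != "-"}
    denied = set()
    if acl["enabled"]:
        for kind, perms, ids in acl["entries"]:
            # An entry matches only if every identity listed on it matches the user.
            if not all((k == "u" and v == user) or (k == "g" and v in groups) for k, v in ids):
                continue
            bits = {c for c in perms if c != "-"}
            if kind == "permit":
                granted |= bits
            elif kind == "specify":
                granted = bits
            else:  # deny: a matching deny wins over any grant (simplified model)
                denied |= bits
    return "".join(c if c in granted - denied else "-" for c in "rwx")

def can_read(acl, user, groups):
    return effective_perms(acl, user, groups)[0] == "r"
```

Run `effective_perms(parse_acl(open("/tmp/mem.acl").read()), user, groups)` over the output of `aclget /dev/mem` for each local account to see who gained read access beyond group system.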

Author Comment

ID: 10656476
Thanks Gns, gheist for your valuable time.

I installed sudo from my CD and configured it.
And my problem is solved.
LVL 61

Expert Comment

ID: 10656658
Anyway - have a look here;
it mentions some AIX facilities too.
