Solved

I guess I'm just not getting it!

Posted on 2011-09-27
15
996 Views
Last Modified: 2013-11-17
I'm trying to use RBAC on an AIX 6.1 system to authorize a subset of users to perform user administration. In particular, I'd like for this group to be able to administer passwords. I created a role named "testrole" with the following definition:

testrole authorizations=aix.security.passwd,aix.security.user rolelist= groups=rsam visibility=1 screens=* dfltmsg= msgcat= auth_mod
e=INVOKER id=13

I've created a test account named "dopey" to which I've added this role. What I can't figure out is why I'm getting the following error when, as dopey, I try changing the password of another account.

ksh[22]: passwd: 0403-006 Execute permission denied.
0
Comment
Question by:babyb00mer
  • 8
  • 6
15 Comments
 
LVL 45

Expert Comment

by:Kdo
ID: 36711869
Hi boomer,

You're overthinking this.  :)

The shell is informing you that the user has no permission to execute the passwd statement.

You should probably create a group permission for "authorizations" to execute passwd.



Good Luck,
kent
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36712073
Did you check (as dopey) with "rolelist" that dopey is indeed authorized to use "testrole?

Did you issue (as root) "setkst" to update the kernel tables with your new settings?

Did you issue "swrole testrole" before attempting to use the "passwd" command?
(dopey will be asked for their own password!)

wmp

0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 36712132
You can avoid being asked for your own password with "authmode=role"

Attention: After making changes don't forget "setkst"

You can avoid having to enter  "swrole" by adding "testrole" as a default role to "dopey":

chuser default_roles=testrole dopey

0
 

Author Comment

by:babyb00mer
ID: 36712236
This is what the dopey account looks like

dopey id=5001 pgrp=rsam groups=rsam,staff home=/home/dopey shell=/usr/bin/ksh gecos=Test Account login=true su=true rlogin=true daemon
=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=comp
at logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=1 minother=1 mindiff=0 max
repeats=2 minlen=6 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=
2097151 rss=65536 nofiles=2000 roles=testrole

And yes, I ran setkst and swroles.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36712341
Ok,

dopey looks good.

Please post the entry for "testrole" from /etc/security/roles exactly as it appears there.

The way you posted it in your Q it will not work due to some syntax errors (copy-and-paste ?)

What happens when dopey issues "swrole testrole"  (not "swroles ...")

swrole should ask for dopey's password and then start a new shell.

What does dopey get inside this new shell with "rolelist -e"?

0
 

Author Comment

by:babyb00mer
ID: 36712455
This is the definition of testrole from the /etc/security/roles file:

testrole:
        authorizations = aix.security.passwd,aix.security.user
        id = 13
        groups = rsam

Invoking rolelist -e yields:
intft1:/home/dopey> rolelist -e
testrole        

I did not execute the swrole command prior to running rolelist because I've already used the chuser command from your previous response to set a default role for this user.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36712753
Ok,

id = 13

should be the first line following the "testrole:", and there must be
an empty line between the end of the previous role definition and
this stanza.

Don't forget to issue "setkst" after making changes to any RBAC database!

Done this, dopey must be able to issue "passwd"!

This message "Execute permission denied" seems a bit strange to me!

Normally one would expect "3004-664 You are not authorized to change ..."

What do you get with ls -l /usr/bin/passwd" ?

It should look like this: "-r-sr-xr-x    1 root     security  ... ..."

Does it?







0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:babyb00mer
ID: 36712913
It does... the passwd access permissions that is.

The problem goes away if I add dopey to the security group. I'm just not sure why that works or, more importantly, why it's necessary.

0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36713546
The membership in the "security" group makes all this RBAC stuff obsolete.

It's a feature built into AIX since long that members of this group can change passwords and attributes
of other users/groups, except for those users/groups flagged as being "administrative".
(You must use "chuser" or "mkuser" or "passwd" (or smitty), "useradd", "userdel" or "usermod" will not work).

OK, I couldn't resist:

In the meantime I added your role definition to my /etc/security/roles file, updated a testuser (which is NOT in the security group!)  with "chuser roles=...." and "chuser default_roles=...", issued "setkst" and - "passwd otheruser" works without any issue.

It turned out that the blank line between roles is indeed important!

So I must admit that I'm just clueless why this shouldn't work for you...

I can only suggest double checking all your definitions in /etc/security/roles, /etc/security/user.roles and /etc/security/user.

Additionally check (as root) with

lsauth -a roles | grep testrole

if all authorizations are present.

Instead of "testrole" you could try using the system defined role "AccountAdmin" which will do nearly the same as "testrole" should.

And I keep telling you: Don't ever forget "setkst"!

wmp





0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36713567
Just an idea - try

which passwd

file $(which passwd)

type passwd

alias passwd


as dopey.
0
 

Author Comment

by:babyb00mer
ID: 36904068
I found out that the new role I've defined (testrole) works on our AIX system running 6100-06-03-1048. It does not work on our system running 6100-04-01-0944.
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 500 total points
ID: 36905887
Could it be that enhanced RBAC is not activated on the 6100-04 system?

Check with

lsattr -EHl sys0 -a enhanced_RBAC

You should see  
attribute             value description                 user_settable
enhanced_RBAC true  Enhanced RBAC Mode True

If the value in column 2 is False, the system is using Legacy RBAC. Change it to True by issuing:

chdev -l sys0 -a enhanced_RBAC=true

Reboot and try again.

wmp


0
 

Author Comment

by:babyb00mer
ID: 36910728
This is what we're getting on our test system (6100-04-01-0944)...

enhanced_RBAC true  Enhanced RBAC Mode True
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36910784
Too bad,

this would have been an easy solution.

I researched in IBM's support databases and didn't find an APAR (not even the smallest hint)
about a bug like this one in RBAC under AIX 6.1 TL4.

So I think you should compare once more both systems in regard to the concerned files /etc/security/roles, /etc/security/user.roles and /etc/security/user.

Besides that, I have to admit that I'm out of ideas now.

wmp

 
0
 

Author Comment

by:babyb00mer
ID: 36911226
No worries. We do intend to apply a tech-level upgrade to that system... eventually. Regardless, I got a lot of good information from you... as usual. Fortunately, the target system - for which all of this testing is a precursor -  is working as advertised.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
forget admin password 8 23
g++ pthread_init failure on AIX 10 68
Shell script errors 10 99
how to check for shares on aix 1 51
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now