Using RBAC With Scripts

November 26, 2012

I have been working on a set of tools, known as the AIX Security Assessment Tool (ASAT), and want it to be able to run without requiring root privileges. I have not really decided on the best way to approach this, so I am asking for comments on a skeleton procedure.

Step A: Create a test file, chmod to 0, and try to copy it, etc. This fails of course.

$ ls -l >xxx
$ chmod 0 xxx
$ cp xxx yyy
cp: xxx: The file access permissions do not allow the specified action.

Step B: Write a shell script to copy the file—this also fails.

$ echo "#!/usr/bin/ksh\ncp xxx yyy && ls -l yyy" > test.ksh
$ chmod u+x test.ksh
$ ./test.ksh
cp: xxx: The file access permissions do not allow the specified action.

Step C: Add privileges to the script and execute.

Two notes on this example. First, I am using a special authorization (ALLOW_OWNER) rather than creating an authorization and assigning it to a role. Second, I am assigning the privilege PV_ROOT, which is much more than is needed. Normal usage dictates using tracepriv to determine the least privileges needed to use a command.

$ su
# setsecattr -c accessauths=ALLOW_OWNER innateprivs=PV_ROOT secflags=FSF_EPS `pwd`/test.ksh
# setkst
# exit
$ ./test.ksh
----------    1 michael  staff          6534 Nov 22 04:26 yyy

Step D: Clean up when finished.

$ su
# setsecattr -c accessauths= innateprivs= secflags= `pwd`/test.ksh
# setkst
# exit
$ ./test.ksh
cp: xxx: The file access permissions do not allow the specified action.

I am looking for feedback. I have never used sudo, so I am curious how something like this would be done using sudo. Extra info: It's the command /usr/bin/ksh that is actually getting the privileges—so if you shell escape out of a command started by this shell, you still have those privileges.

As a start, care will be needed to prevent shell escapes (can be done for some commands, e.g., vi, by redefining the SHELL variable before starting any other commands). I have already seen that using Ctrl-Z does not leave you in an elevated shell (you return to your previous shell status).

Don’t bother commenting about my use of PV_ROOT in the example above—that is just because I am lazy. Do think about the dangers of using any of ALLOW_USER, ALLOW_GROUP, ALLOW_ALL.

I’m looking forward to your comments. I shall try to respond to all in a timely manner.
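
Added example (not part of the original post): a small audit that flags the settings this post cautions about, namely ALLOW_* special authorizations, PV_ROOT, and privileges attached to a "#!" script. It assumes privileged-command entries arrive one per line as "command attr=value ..." (an assumed layout for lssecattr -c ALL output); the sample paths and the asat.run authorization are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reads privileged-command
# entries on stdin, one per line: "<command> attr=value attr=value ...".
# That layout is an assumption about `lssecattr -c ALL` output.

audit_privcmds() {
    awk '
    function report(msg) { printf "%s\t%s\n", cmd, msg }
    NF == 0 { next }
    {
        cmd = $1; auths = ""; privs = ""
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "accessauths") auths = val
            if (key == "innateprivs") privs = val
        }
        # Special authorizations grant access without any role.
        n = split(auths, a, ",")
        for (j = 1; j <= n; j++)
            if (a[j] ~ /^ALLOW_/) report("special authorization " a[j])
        # PV_ROOT is far more than a single task needs.
        n = split(privs, p, ",")
        for (j = 1; j <= n; j++)
            if (p[j] == "PV_ROOT") report("innate privilege PV_ROOT")
        # A "#!" file hands its privileges to the interpreter.
        if (privs != "" && (getline first < cmd) > 0 && first ~ /^#!/)
            report("interpreter script holds privileges")
        close(cmd)
    }'
}

# Constructed sample entries (paths and asat.run are made up).
sample_entries() {
    cat <<'EOF'
/home/michael/test.ksh accessauths=ALLOW_OWNER innateprivs=PV_ROOT secflags=FSF_EPS
/opt/asat/bin/collect accessauths=asat.run innateprivs=PV_DAC_R secflags=FSF_EPS
/opt/asat/bin/report accessauths=ALLOW_ALL innateprivs=PV_DAC_R,PV_DAC_X secflags=FSF_EPS
EOF
}

sample_entries | audit_privcmds
```

The script check only fires when the listed file is readable on the host where the audit runs, so the constructed sample reports three findings and none for the "#!" case.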
