
SUDO-RBAC Phase 1

September 27, 2017

Last May I wrote about integrating SUDO and AIX RBAC. After months of no time I had a long weekend and can now say that “Phase 1” is complete. Phase 1 now needs testing—and ideally, feedback.

As I write this I am getting a wiki page ready with info on where to download it. I’m also ready and willing to respond to questions, either via the comments on this blog, or through my aixtools forum at http://forums.rootvg.net/aixtools (my preference).

• A quick rundown: at the moment, the program is still rwsr-xr-x, but not as root!

root@x068:[/]ls -l /opt/bin/sudo
-rwsr-xr-x    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo


• And if you try to use it without an active role, it says:

root@x068:[/]su - michael
michael@x068:[/home/michael]sudo ls
sudo: /opt/bin/sudo is not owned by uid 0 so you need an active RBAC role


• After activating a role:

michael@x068:[/home/michael]swrole ALL
michael's Password:
michael@x068:[/home/michael]rolelist -ea
sudoer          sudo
michael@x068:[/home/michael]lssecattr -p $$
ksh: lssecattr: 0403-006 Execute permission denied.

michael@x068:[/home/michael]sudo ksh
michael@x068:[/home/michael]lssecattr -p 4456480
4456480 eprivs= mprivs= iprivs= lprivs=PV_ROOT uprivs=
michael@x068:[/home/michael]lssecattr -p $$
4194362 eprivs=PV_ROOT mprivs=PV_ROOT iprivs=PV_ROOT lprivs=PV_ROOT uprivs=PV_DAC_R,PV_DAC_W
michael@x068:[/home/michael]id
uid=199(michael) gid=0(system) euid=2(bin) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)


Testing and Feedback Needed!
I already see a few things that need further testing and, in my opinion, correction.

a) Not shown, but not working (unexpectedly): sudo lssecattr -p $$
b) euid==2 (bin). I do not want this “leftover,” so I'll make a new user and group (e.g., sudo_u and sudo_g) to own all things sudo, AND I'll either work out how to not need SUID at all OR add and use a privilege to undo the “SUID” powers. There are several choices that can be made; this is where your feedback is essential. While my gut feeling is to remove any need for SUID (currently used for some internal config-file-related tests), for the proof of concept I'm going to start with a new user/group definition rather than “bin:bin” as it is today.

Is This Different From Using “sudo-legacy”?
Not that much because...

root@x068:[/]lssecattr -c /opt/bin/sudo
/opt/bin/sudo accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R inheritprivs=PV_ROOT secflags=FSF_EPS


The current RBAC privileges basically make a user the near equivalent of root. PV_ROOT doesn't let you “su root” or “su - root” to try and hide actions done as an “anonymous” root, but that's about the only limitation.

michael@x068:[/home/michael]mkuser abcd
michael@x068:[/home/michael]su abcd
michael@x068:[/home/michael]id
uid=204(abcd) gid=1(staff)
michael@x068:[/home/michael]
michael@x068:[/home/michael]su
root's Password:
3004-501 Cannot su to "root" : Authentication is denied.
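The check described above (the binary is not owned by uid 0, so an authorization listed in its accessauths must come from an active role) re-applied to captured command output, as an added POSIX sh example that is not code from the sudo-rbac package. The sample lines are constructed copies of the output shown in this post, and ROOT_LS is a made-up root-owned line for comparison, so the script runs without AIX.

```shell
#!/bin/sh
# Added example, not part of the sudo-rbac package. Re-applies the check that
# /opt/bin/sudo makes in this post (not owned by uid 0 -> an active RBAC role
# must grant an authorization listed in the file's accessauths) to captured
# command output, so it runs anywhere. Sample lines are constructed copies of
# the post's output; ROOT_LS is a made-up root-owned line for comparison.

SUDO_LS='-rwsr-xr-x    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo'
ROOT_LS='-rwsr-xr-x    1 root     system       431763 Sep 25 20:42 /usr/bin/sudo'
SUDO_ATTR='/opt/bin/sudo accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R inheritprivs=PV_ROOT secflags=FSF_EPS'
ROLES_ACTIVE='sudoer          sudo'   # rolelist -ea after "swrole ALL"
ROLES_NONE=''                         # rolelist -ea with no role active

# Print the values of KEY from an lssecattr -c/-p line, one per line.
attr_values() {  # $1 = lssecattr line, $2 = key (accessauths, eprivs, ...)
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr ',' '\n'
}

# Print the authorizations granted by the active roles (second column of
# rolelist -ea output), one per line.
active_auths() {  # $1 = rolelist -ea output
    printf '%s\n' "$1" |
        awk 'NF >= 2 { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# Print how sudo would be allowed to run:
#   suid-root  classic setuid binary owned by root; RBAC is not consulted
#   rbac:AUTH  not root-owned, but an active role supplies AUTH from accessauths
#   denied     not root-owned and no matching authorization (the post's error)
sudo_access() {  # $1 = ls -l line, $2 = lssecattr -c line, $3 = rolelist -ea output
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    case "$mode" in
        ???s*) if [ "$owner" = root ]; then echo suid-root; return 0; fi ;;
    esac
    for auth in $(attr_values "$2" accessauths); do
        if active_auths "$3" | grep -qx "$auth"; then
            echo "rbac:$auth"
            return 0
        fi
    done
    echo denied
}

sudo_access "$SUDO_LS" "$SUDO_ATTR" "$ROLES_NONE"     # denied
sudo_access "$SUDO_LS" "$SUDO_ATTR" "$ROLES_ACTIVE"   # rbac:sudo
```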


Moving Forward
I have ideas for how to move forward and more tightly integrate sudo and RBAC, but your feedback is what moves this from self-study and/or a curiosity of mine to something that is useful for you!

I hope you’re interested in this series. The location to download and test-drive the pre-packaged installation (installp) will be/is: http://www.aixtools.net/index.php/sudo-rbac; forums for feedback: http://forums.rootvg.net/aixtools/ or here at SecuringAIX!

Note: Another goal of mine is to not step on current installations; the files are meant to live 'elsewhere'. The exceptions are the 'lectured' and 'ts' files:

root@x068:[/]lslpp -w | grep sudoers
  /opt/share/doc/sudo/examples/sudoers
  /opt/libexec/sudo/sudoers.la
  /opt/libexec/sudo/sudoers.so
  /usr/share/man/man5/sudoers.5
  /var/sudo-rbac/etc/sudoers.d
  /var/sudo-rbac/etc/sudoers.dist
  /var/sudo-rbac/etc/sudoers

root@x068:[/]ls -ld /etc/sudo*
ls: 0653-341 The file /etc/sudo* does not exist.

root@x068:[/]find /var -name michael
/var/lib/sudo/lectured/michael
/var/run/sudo/ts/michael
