The greater weakness of DAC is the “all or nothing” level of access that’s granted using SUID—set (effective) user ID. When a kernel privilege is needed by a program to start and/or operate, that program must execute as SUID 0, or you must already be EUID 0 when you start it.
Use RBAC to Manage Access Control and Related Privileges
In other words, the key issue is that to do many “regular” things, access to root is required on a legacy UNIX—and RBAC provides a relatively easy way to delegate both access controls and the privileges required without any code change to (most) applications.
Using RBAC: A Simple Example
An example is perhaps the simplest way to understand the advantage of using RBAC versus relying on procedures that require access to root (aka super-user) privileges for administration of an application.
HTTPD is a very well-known service. The Apache Software Foundation (ASF) version uses a file named httpd.conf as a starting point to configure the server. Some key directives that require root access are the ones to connect to port 80 (port numbers < 1024 require kernel privileges) and to set a non-root user/group ID for data ownership. Other privileges are likely needed as well. ASF also provides a script named apachectl to assist with starting and stopping the httpd service. Since the service is running with a unique ID (i.e., different from the administrator), a kernel privilege is needed to stop the service. Using AIX and RBAC can permit “apache control” without needing access to obtain a super-user level of privileges. Instead, AIX and RBAC permit the configuration of the so-called Least Privilege Principle (LLP).
I am going to skip over some explanation, but you can see the links above for short/detailed explanations. Instead, I am going to give some commands needed to implement a role that can be assigned to a user so that httpd can be controlled (start/stop) by a non-root user.
Steps as Root
In case you’re wondering—“Can this be done without being root?”—the answer is yes. This is one of the details I am passing over for today.
- Install httpd (I have a recent version pre-packaged for AIX at http://dl.aixtools.net/httpd. You will need four packages: ASF.httpd, ASF.apr, ASF.apu and aixtools.pcre. The download links also include version numbers.)
- Make user and group httpd.
- Edit /etc/httpd/httpd.conf to use user/group httpd (rather than daemon).
- chown -R httpd:httpd /var/httpd
- Create an httpd_op user.
- ln -s /opt/httpd/sbin/apachectl /usr/sbin/apachectl # for ease of use – optional.
- Start/stop httpd to test it works when started as root.
- Log in as httpd_op.
- Try to start apachectl—it will fail.
- echo $$ # this is your PID (process ID number); you need an increase in authority to trace privileges.
Back as root:
- Elevate httpd_op shell to root level—assume PID is 6357222
# setsecattr -p iprivs=PV_ROOT 6357222
Back as httpd_op:
- Use command tracepriv to start/stop /opt/httpd/sbin/httpd.
Back as root:
- Make authorizations: mkauth aixtools; mkauth aixtools.httpd; mkauth aixtools.httpd.opr.
- Set authorization and related privileges to /opt/httpd/sbin/httpd.
# setsecattr -c \
authprivs=aixtools.httpd.opr=PV_DAC_R+PV_DAC_W+PV_DAC_X+PV_DAC_O+PV_KER_RAC+PV_NET_CNTL+PV_NET_PORT+PV_PROC_SIG \
/opt/httpd/sbin/httpd
- Make the apachectl role
# mkrole authorizations=aixtools.httpd.opr dfltmsg="Apache HTTPD Operator" apachectl
- Assign the role to user httpd_op
# chuser roles=apachectl httpd_op
Back as httpd_op:
- Log out and log in again to drop super-user shell and get access to new role.
- apachectl start—will fail this time
- swrole apachectl
- apachectl start—succeeds
- Verify success.
$ netstat -tn | grep 80 | grep LISTEN
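The tracepriv step records which privileges httpd uses, and that record is the input for the authprivs list. The script below is an added example, not the author's code: it assembles that list from trace output and reports granted privileges the trace never shows. The trace layout, the constructed sample trace and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build the authprivs value from a trace.
# ASSUMPTION: tracepriv prints "<pid>: Used privileges for <path>:" followed by
# indented PV_* names. SAMPLE_TRACE is constructed, not captured on AIX.
SAMPLE_TRACE='6357300: Used privileges for /opt/httpd/sbin/httpd:
  PV_NET_PORT                        PV_DAC_R
  PV_DAC_W                           PV_DAC_X
  PV_KER_RAC
6357301: Used privileges for /usr/bin/ls:
  PV_DAC_R                           PV_FS_MOUNT
6357302: Used privileges for /opt/httpd/sbin/httpd:
  PV_DAC_O                           PV_NET_CNTL
  PV_NET_PORT                        PV_PROC_SIG
'

# privs_for_cmd PATH: read a trace on stdin; print the union of PV_* names
# used by PATH (other traced programs are ignored), sorted, joined with "+".
privs_for_cmd() {
    awk -v cmd="$1" '
        /Used privileges for/ {
            path = $NF; sub(/:$/, "", path)
            active = (path == cmd); next
        }
        active { for (i = 1; i <= NF; i++) if ($i ~ /^PV_[A-Z0-9_]+$/) print $i }
    ' | LC_ALL=C sort -u | paste -s -d + -
}

# unused_privs GRANTED PATH: print privileges in the "+"-joined GRANTED list
# that the trace on stdin never shows PATH using (candidates for removal).
unused_privs() {
    used="+$(privs_for_cmd "$2")+"
    for p in $(printf '%s' "$1" | tr '+' ' '); do
        case "$used" in *"+$p+"*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# authprivs_cmd AUTH PATH: print the setsecattr line for the traced set,
# failing instead of emitting an empty grant when PATH is not in the trace.
authprivs_cmd() {
    privs=$(privs_for_cmd "$2")
    [ -n "$privs" ] || { echo "no privileges traced for $2" >&2; return 1; }
    printf 'setsecattr -c authprivs=%s=%s %s\n' "$1" "$privs" "$2"
}

printf '%s' "$SAMPLE_TRACE" | authprivs_cmd aixtools.httpd.opr /opt/httpd/sbin/httpd
```

A trace only covers the code paths exercised while tracing, so trace both start and stop before trimming the granted list.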
There's more, obviously, and it shall come either in articles on rootvg.net and/or my blog on IBM developerWorks. However, I hope the key reason for looking at RBAC is clear: You need neither root access nor super-user privileges on AIX when an application is integrated with AIX RBAC.