SecuringAIX

November 27, 2012

Using RBAC With Scripts

Comments

How is this different from running sudo /home/michael/test.ksh?
$ sudo /home/rroberts/test.ksh
---------- 1 root system 282 Nov 28 16:32 yyy
In your example you grant the privs as root, run the command as michael, then deny the privs as root. How is this different from adding a line to sudo and then taking it away?

Not different at all, I suspect. I was being lazy. I just wanted to show the principle of assigning a privilege to a script. PV_ROOT is the one that is sure to work. What I should have done is run the command tracepriv (after promoting the user script to PV_ROOT).
Use the following privileges rather than PV_ROOT and the test.ksh will also work.

michael@x054:[/home/michael]tracepriv -e ./test.ksh
---------- 1 michael staff 6534 Nov 29 16:10 yyy

6946928: Used privileges for ./test.ksh:
PV_AZ_ROOT PV_PROC_PRIV PV_TP_SET PV_KER_ACCT PV_KER_RAC

And thanks for asking! (layout of output modified to better fit screen)

I made a small typo in my answer above:
"Elevate script" should be "elevate shell" (hint: using
# setsecattr -p iprivs=PV_ROOT pid)
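Putting the thread's advice together as one runnable procedure. This is an added example, not code from the SecuringAIX post or its comments: it takes the kind of output tracepriv -e prints for the script (run from a shell that root has elevated with setsecattr -p iprivs=PV_ROOT <pid>, as the reply above describes), turns the "Used privileges" into an innateprivs list, refuses the list if PV_ROOT is in it, and builds the setsecattr -c / setkst commands that register the script with only those privileges. The script path /home/michael/test.ksh, the sample tracepriv text and the choice of accessauths=ALLOW_ALL (any user may invoke the command) are assumptions for the illustration; on a real system you would normally bind the command to an authorization granted through a role instead.

```shell
#!/bin/sh
# Added example (not from the original post): grant a script the privileges
# tracepriv says it used, instead of the blanket PV_ROOT.
# Assumptions (not on the original page): script path /home/michael/test.ksh,
# accessauths=ALLOW_ALL; replace with a real authorization/role in production.

# Constructed sample of "tracepriv -e ./test.ksh" output, modelled on the
# layout shown in the comment above (real output may differ in whitespace).
SAMPLE_TRACEPRIV='6946928: Used privileges for ./test.ksh:
        PV_AZ_ROOT PV_PROC_PRIV PV_TP_SET PV_KER_ACCT PV_KER_RAC'

# privs_from_tracepriv: read tracepriv output on stdin and print every PV_*
# name that appears after the "Used privileges for" line as one deduplicated,
# comma-separated list (the form innateprivs= expects).
privs_from_tracepriv() {
    awk '
        /Used privileges for/ { collecting = 1 }
        collecting {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PV_[A-Z_]+$/ && !seen[$i]++) {
                    out = (out == "") ? $i : out "," $i
                }
            }
        }
        END { print out }
    '
}

# reject_root PRIVS: return 1 if PV_ROOT is in the list. If tracepriv reports
# PV_ROOT the script inherited it from the elevated shell and the list is no
# narrower than what we are trying to replace; re-run tracepriv and look again.
reject_root() {
    case ",$1," in
        *,PV_ROOT,*) return 1 ;;
        *)           return 0 ;;
    esac
}

# setsecattr_cmd SCRIPT PRIVS: print the setsecattr invocation that registers
# SCRIPT in the privileged command database with just PRIVS as innate
# privileges. Printed rather than executed so it can be reviewed first.
setsecattr_cmd() {
    printf 'setsecattr -c innateprivs=%s accessauths=ALLOW_ALL %s\n' "$2" "$1"
}

# apply_privs SCRIPT PRIVS: run as root on AIX. Registers the script and then
# reloads the kernel security tables with setkst so the entry takes effect.
apply_privs() {
    reject_root "$2" || { echo "refusing: PV_ROOT in privilege list" >&2; return 1; }
    setsecattr -c innateprivs="$2" accessauths=ALLOW_ALL "$1" && setkst
}

# Dry run by default; set RBAC_APPLY=1 on an AIX host (as root) to apply.
PRIVS=$(printf '%s\n' "$SAMPLE_TRACEPRIV" | privs_from_tracepriv)
echo "Privileges to grant: $PRIVS"
setsecattr_cmd /home/michael/test.ksh "$PRIVS"
if [ "${RBAC_APPLY:-0}" = 1 ]; then
    apply_privs /home/michael/test.ksh "$PRIVS"
fi
```

After applying, lssecattr -c /home/michael/test.ksh shows the registered attributes, and re-running tracepriv -e ./test.ksh from an ordinary (non-elevated) shell confirms the script still runs with only the listed privileges.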
