Академический Документы
Профессиональный Документы
Культура Документы
Security is a major concern of operating systems. This article series provides an understanding
of the new features on AIX®, role-based access control and multi-level security. Part 1 of this
series discusses AIX role-based access control (RBAC) and how roles, responsibilities, and the
authorization of a root user can be delegated to more than one user.
Introduction
Traditionally, there is a single user, root, that controls the security mechanism of the system. The
root user decides who can log in, who can access the data, which process has the privileges to
get into the kernel mode, and so on. But, the drawback of a single root user is that the system
becomes vulnerable to attack if an unauthorized person takes control of the root user.
To avoid this problem, latest releases of AIX (6.1 onwards) introduces new security features like
Role Based Authentication Control (RBAC) and Multi level security (MLS) along with various other
features like Trusted Execution (TE), Encrypted File System (EFS) and more, in addition to the
existing traditional ROOT user based authentication.
This article explains, with examples, how the new features like RBAC and MLS can be easily
understood and applied.
Traditional
One can use the DAC (Discretionary Access Control) to control access to the data (in a process/
file relationship). However, the root user, who has all the privileges, is considered to be the sole
user. The root user succeeds any access control and performs any operation that it wants to do.
This can pose a major security threat.
Moreover, the root user plays many roles like system administrator, security officer to maintain
security policy, and systems operator for day-to-day activities. It is the single user which controls
the system and the system as such does not have any control over the activities within the system.
RBAC distributes the root user's roles and authorization to more than one user. This article shows
how RBAC provides enhanced security to the system.
RBAC
Traditional AIX systems have a limited set of authorizations that can be used to determine access
to certain administrative commands. The following example shows that the passwd command is
the setuid program, which has the authorization and privileges to be executed as a non-root user.
It is also able to modify the /etc/security/passwd file as a non-root user. DAC does not allow this.
# ls -l /etc/security/passwd
-rw------- 1 root security 467 Mar 10 23:48 /etc/security/passwd
This opens up a major risk of anyone who gets control of the root shell through malicious setuid
programs can then do anything they want.
Prior to AIX version 6, portions of root-user authority could be assigned to non-root users. Different
root user tasks (commands) are assigned different authorizations. These authorizations are
grouped into roles and assigned to different users:
Starting with AIX release version 6, the role-based access mechanism is been enhanced.
The system has a pre-defined authorization to certain commands and roles for system-defined
users.
Hence, a user with a defined role should be able to execute any authorized command.
shutdown command
Command: Shutdown
Authorization: aix.system.boot.shutdown
Role: isso, so
Privileges: Root privileges
Should a user with information system security officer (ISSO) or a similar role
be able to execute shutdown?
Should a user with information system security officer (ISSO) or a similar role be able to execute
shutdown?
The answer is Yes. The user should have the roles authorized to them to execute shutdown. From
the previous example, you can understand that only the user who has the roles, authorization, and
privileges should be able to execute shutdown.
Is it possible that a malicious user can get the role of ISSO and use his own
shutdown program to attack the system?
Is it possible that a malicious user can get the role of ISSO and use his own shutdown program to
attack the system?
The answer is No provided if the isso role is not assigned intentionally. Since the malicious user
in this case will be malicious administrator who does NOT have complete authorization to do
whatever he wants.
Here the point to understand is that only a user with administrator authorization can assign
authorizations and roles. Anyone who gets control of the administrative user maliciously cannot do
anything, since the administrator alone cannot do anything destructive.
Only certain users are allowed to do certain actions. The onus on a single user root is delegated.
In this way, higher security is achieved.
System-defined authorizations are prefixed with aix in the authorization hierarchy (as shown in
previous example, which may not be modified or removed).
You have the option of disabling the root access to the system and performing all tasks through
one or more user accounts.
The roles and authorizations of these users are defined in the following table:
When the roles become active? rolelist -a [To verify the roles associated with the user with which the
session is logged in]
swrole (role_name) [switch to activate the role ]
Step B: Execution
Login as testuser
Switch to the role test_role using the following command:
swrole test
(prompts for testuser password )
verify whether the testuser has the role using the following command:
rolelist -e
This displays the role associated as test_role
Execute shutdown command
So far, I have shown how authorization and roles are used. The previous example explains how a
non-root user can be given authorization to execute commands such as shutdown. This example
is shown to explain the usage of RBAC. Giving authority to a non-root user to execute commands
like shutdown is not suggested or recommended. Further, following this example shows how
creating the user and setting the password for the user is not a single-user responsibility. You need
more than one role (users) to create and set a password for the user.
This shows how the roles and authentications are distributed and how it is difficult to tamper the
activities without the proper authorization.
In this way, you delegate the root responsibility to other users and reduce the security risk.
Privileges
So far, you have seen how authorization and roles play a role in enhancing the security of the
system.
Now, you will see how privilege is part of this security system.
• Privileges are for the process to bypass certain (kernel) restrictions while executing an
authorized command.
• Privileges are for the commands and process to access the files, even if it has the required
authorization.
• Privileges provide device access control.
In short, the operating system uses authorization to determine eligibility before performing a
privileged operation like system calls.
Examples of privileges
lsconf example
lsconf - is not a privileged command, it has no authorization
to perform a privileged operation.
Access permission as per DAC.
# ls -l 'which lsconf'
-r-xr-xr-x 2 root system 12712 Mar 14 2008 /usr/sbin/lsconf
In this case, whoever has the DAC privilege should be able to execute lsconf. Interestingly, the
lsconf command internally executes commands like bootinfo, which is a privileged command. This
means that the user needs an authorization and privileges to execute bootinfo. Hence, a user who
does not have the required authorization will fail to execute bootinfo.
bootinfo example
Command: bootinfo -k
Authorization and Privileges:
$ lssecattr -c 'which bootinfo'
/usr/sbin/bootinfo accessauths=aix.system.boot.info innateprivs=PV_DAC_R,
PV_DAC_W,PV_DEV_CONFIG,PV_KER_RAS,PV_MAC_,PV_MIC secflags=FSF_EPS
DAC permission:
$ ls -l 'which bootinfo'
-r-xr-x--- 1 bin bin 13984 Mar 14 2008 /usr/sbin/bootinfo
In this case, the user with the authorization aix.system.bootinfo, assigned through a role, should
be able to execute the bootinfo command. However, DAC does not allow the file to be executed by
any non-root user.
Is it possible to execute a command by a user who has the required authorization but no DAC
permission?
Yes, it is possible if the process has the required privilege to execute the command. In this case,
as the previous output shows, bootinfo has PV_DAC* privileges.
The following command shows the privileges associated with the shell:
$ lssecattr -p $$
282824 eprivs= mprivs= iprivs= lprivs=PV_ROOT uprivs=
$ ls -l /etc/hosts
-rw-rw-r-- 1 root system 1962 Mar 3 16:35 /etc/hosts
DAC shows except root user and users belong to system group,
others do not have write access to the file
$ lssecattr -p $$
282824 eprivs= mprivs= iprivs= lprivs=PV_ROOT uprivs=
Hence, in this case, DAC access is followed where the non-root user has only READ permission.
$ lssecattr -p $$
282824 eprivs= mprivs= iprivs= lprivs=PV_ROOT uprivs=
The shell process has the root privileges but the vi command which is used to
access the file is not privileged command. This means that vi cannot
access the file even if a user has the required authorization, aix.security.user,
to edit the file.
accessauths,innateprivs,authprivs,inheritprivs
• A privileges file has the following attribute:
readauths and writeauths
• Privileges Device has the following attribute:
readprivs and writeprivs
Summary
This has been a tour of the RBAC features with examples and scenarios. I hope it gives you a
better understanding of the advanced features in AIX, RBAC and MLS.
Contact IBM® technical support for any further assistance. Contact the author for any further
clarification on this topic.
Related topics
• "Documentation:AIX6.1 Information"
• "Redbook:AIX V6 Advanced Security Features Introduction and Configuration"