What are Kernel Authorization Tables and why do I care?
AnthonyEnglish 270000RKFN Visits (4030)
From AIX 6.1 when you install AIX filesets you'll often see mysterious messages advising updates to the Kernel Authorization Table (and some other tables), as in the example below:
installp: APPLYING software for:
So, do you sudo?
These messages are all to do with Enhanced RBAC (Role Based Access Control). Briefly, Enhanced RBAC allows you to give certain privileges to selected users, or groups of users, without granting them the root password or using sudo.
As the IBM RBAC documentation explains:
It then goes to list the databases which Enhanced RBAC uses:
In AIX 6.1 and 7.1, Enhanced RBAC is enabled by default.
ASCII is less pesky
Because the AIX people are nice (just like you), configuring complicated functions can often be done by editing ASCII files or via SMIT, and then a daemon or executable is run to read the files in from human-readable format to human unreadable format..
These are the principal ASCII files used by Enhanced RBAC:
So here's where your mysterious messages come in. After editing any of these files you need to set the entries in the Kernel Security Tables by running setkst. This is the command which gets invoked when you install most AIX software these days (since AIX 6.1).
Man, what is RBAC doing there?
You may have already seen references to RBAC in the man pages for AIX commands. For certain commands, the documentation will have a note indicating that the command can do "privileged operations". That doesn't mean you have to post the root password up on your intranet. You could grant limited access to a group of users for what would have required root or sudo access in the past.
Here's the RBAC note for the chdev command:
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.If you want to know more about Enhanced RBAC, have a look at RBAC in simple steps. You could also watch Nigel Griffiths' Wiki movie 14 AIX 6 RBAC. Of course, the AIX 6 Advanced Security Features Redbook is a wealth of information with practical examples.
Why do I care?
Even if you don't use RBAC, you never know when someone's going to watch you doing whatever AIX admins do and ask "what does that Kernel Authorization message mean?" Well, now you know, and you're a better person for it.