Privileged command database

Authorizations, roles, and privileges allow granular security controls to be implemented. However, it is the use of RBAC by the various system operations that actually enforces an RBAC security policy.

While historically some AIX® commands directly checked for authorizations, it required that the executable code itself be modified to perform these checks. The enhanced RBAC mode provides a framework to enforce authorization checks and grant associated privileges through the privileged command database without requiring changes to system executables.

The privileged command database grants access and powers to users for commands they would not otherwise be able to run or for which they would not have the proper privilege to perform the task. The database saves the authorization information for a particular command as well as the privileges that are granted to the process if authorization checks succeed. When the database is stored locally, it exists in the /etc/security/privcmds file and contains stanzas of information in the form of command-versus-security attributes. The following are a few of the key attributes in this database (for a full description of all of the attributes, see the /etc/security/privcmds file).
accessauths
List of access authorizations that protect the execution of the command. A user with any one of the listed authorizations is allowed to run the command and perform some or all of the privileged operations that are contained in the command.
innateprivs
Innate privileges are privileges assigned to the process if the invoker passes the access authorization checks.
authprivs
Authorized privileges are additional privileges assigned to the process if the user has the associated authorization. This attribute allows more granular control of the command to allow a restricted set of users to perform additional privileged operations.
inheritprivs
Inheritable privileges are privileges that the process passes on to child processes.
secflags
List of security flags. FSF_EPS is a flag which causes the maximum privilege set (MPS) to be loaded into the effective privilege set (EPS) when the command is run.

When a user on an enhanced RBAC mode system attempts to run a command, the command is first looked up in the privileged command database. If the command exists in the database, a check is performed against the authorizations associated with the user's session and the value of the accessauths attribute for the command. If the session has one of the authorizations listed, the user can run the command regardless of whether the user passes the DAC execution checks for the command. Upon invocation, the command process has the privileges listed in the innateprivs attribute assigned to its maximum privilege set (MPS). Additional authorization checks are performed with the authorization-privilege pairs listed in the authprivs attribute. If the session has one of the listed authorizations, the associated privilege(s) are also added to the MPS of the command process. A command entry in the privileged command database that has the FSF_EPS value set in the secflags attribute assigns all of the privileges in the MPS to the effective privilege set (EPS) when the command is invoked.

A command is known as a privileged command when it is included in the privileged command database. While setuid programs that are not listed in the database are still technically privileged commands, they are not referred to as privileged commands when describing RBAC behavior. If a command does not have an entry in the privileged commands database, then it is not a privileged command and access to it is enforced by DAC and the command itself. Additionally, if a command is listed in the privileged command database, but the user's session does not have an authorization that allows invocation of the command, the system reverts to checking DAC access and allows the command to be run if these checks succeed.
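The following is an added example, not IBM's code, that walks through the decision described above for the attributes listed earlier: it parses a small constructed privileged command database in the stanza style of /etc/security/privcmds, checks the session's authorizations against accessauths, builds the MPS from innateprivs and any matching authprivs pairs, and loads the EPS when FSF_EPS is set. It also reports the two DAC cases (no entry at all, and an entry whose access authorizations the session lacks). Assumptions made here: lists are comma-separated, authprivs pairs are written as auth=PRIV1+PRIV2, authorization names are hierarchical (a session holding aix.fs satisfies aix.fs.manage.mount, as on AIX), and the command paths, authorization names and privilege names in the sample are illustrative only.

```python
"""Evaluate AIX enhanced-RBAC privileged-command decisions (added example, not IBM code).

Assumptions: stanza syntax 'path:' followed by indented 'attr = value' lines,
comma-separated lists, authprivs written as auth=PRIV1+PRIV2, and hierarchical
authorization names (holding 'aix.fs' satisfies 'aix.fs.manage.mount').
"""
from dataclasses import dataclass, field

# Constructed sample database; authorization and privilege names are illustrative.
SAMPLE_PRIVCMDS = """\
/usr/sbin/mount:
        accessauths = aix.fs.manage.mount
        innateprivs = PV_FS_MOUNT,PV_DAC_R
        authprivs = aix.fs.manage.export=PV_FS_CNTL+PV_DAC_W
        inheritprivs = PV_DAC_R
        secflags = FSF_EPS

/usr/sbin/restrictedtool:
        accessauths = example.admin.tool
        innateprivs = PV_PROC_PRIV
        secflags =
"""


def parse_privcmds(text):
    """Return {command_path: {attribute: value}} from stanza-format text."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank or comment line
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]                # new stanza: the command path
            db[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        db[current][key.strip()] = value.strip()
    return db


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def auth_satisfied(session_auths, required):
    """Hierarchical match: a parent authorization covers all of its children."""
    return any(required == a or required.startswith(a + ".") for a in session_auths)


@dataclass
class Decision:
    privileged: bool          # command has an entry in the database
    rbac_access: bool         # session passed the accessauths check
    dac_fallback: bool        # access is decided by DAC instead of RBAC
    mps: set = field(default_factory=set)          # maximum privilege set
    eps: set = field(default_factory=set)          # effective privilege set at start
    inheritable: set = field(default_factory=set)  # passed on to child processes


def evaluate(db, command, session_auths):
    """Apply the privileged command database rules for one invocation."""
    entry = db.get(command)
    if entry is None:
        # Not a privileged command: DAC and the command itself enforce access.
        return Decision(privileged=False, rbac_access=False, dac_fallback=True)
    access_auths = _split_list(entry.get("accessauths", ""))
    if not any(auth_satisfied(session_auths, a) for a in access_auths):
        # Listed, but the session holds none of the access authorizations:
        # the system reverts to DAC checks and grants no RBAC privileges.
        return Decision(privileged=True, rbac_access=False, dac_fallback=True)
    mps = set(_split_list(entry.get("innateprivs", "")))
    for pair in _split_list(entry.get("authprivs", "")):
        auth, _, privs = pair.partition("=")
        if auth_satisfied(session_auths, auth.strip()):
            mps.update(p.strip() for p in privs.split("+") if p.strip())
    flags = _split_list(entry.get("secflags", ""))
    eps = set(mps) if "FSF_EPS" in flags else set()
    inheritable = set(_split_list(entry.get("inheritprivs", "")))
    return Decision(True, True, False, mps, eps, inheritable)


if __name__ == "__main__":
    db = parse_privcmds(SAMPLE_PRIVCMDS)
    for auths in (["aix.fs.manage.mount"], ["aix.fs"], ["aix.security"]):
        print(auths, evaluate(db, "/usr/sbin/mount", auths))
    print(["aix"], evaluate(db, "/usr/bin/ls", ["aix"]))
```

Running the block shows the difference between a session holding only aix.fs.manage.mount (access granted, innate privileges only) and one holding the parent aix.fs (access granted plus the authprivs privileges), while a session with an unrelated authorization falls back to DAC with an empty MPS.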

Several management commands have been created to manipulate and query the privileged command database. Entries in the privileged command database can be created or modified with the setsecattr command, displayed with the lssecattr command, and removed with the rmsecattr command.