Privileged file database

Many system configuration files in traditional UNIX systems are owned by the root user and are not directly modifiable by other users. RBAC allows a user to modify these system configuration files by activating a role and running a command to gain the privileges needed to modify the file.

There are some AIX configuration files that do not have command interfaces to allow modification of the file. In these cases, it is necessary to have a tool that allows an administrator with the appropriate authorization to directly edit and save a file to which they otherwise would not have access.

The privileged file database provides a method to use authorizations to determine access to system configuration files. When the database is stored locally, it is contained in the /etc/security/privfiles file. This database maps configuration files to the authorizations required to view or modify these files. Access to a configuration file is controlled in this database with the following attributes:
readauths
List of authorizations allowed to read from the file
writeauths
List of authorizations allowed to write to the file (read authorization is implied in this case)
Entries in the privileged file database can be listed with the lssecattr command and can be created or modified with the setsecattr command. Files defined in the privileged file database can be accessed by authorized users with the /usr/bin/pvi command. The pvi command is a privileged and restricted version of the vi editor based on the /usr/bin/tvi command. The pvi command imposes all of the same security precautions as the tvi command (for example, no -r or -t flags, no shell escapes, no user-defined macros) and also enforces the following restrictions:
  • The system must be in Enhanced RBAC Mode.
  • Only files defined in the privileged file database can be opened.
  • Only one file can be opened at a time.
  • Writing to a different filename than the one specified on the command line is disabled.
  • The /etc/security/privfiles file cannot be edited with the pvi command.
  • Attempts to open links will fail. Only regular files can be edited.

The authorization checks are performed prior to opening the file. If the authorization matches, the privilege set of the process is raised to include PV_DAC_R or PV_DAC_W (depending on whether the file is being opened for reading or writing). If the authorization does not match, an error message is displayed and the user is denied access to the file with the pvi command.
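The following Python model, added here as an illustration and not part of the AIX documentation or of IBM's pvi implementation, shows the decision sequence described above: parse privileged file database entries from AIX stanza text, reject the cases pvi refuses outright (the database file itself, a path not in the database, anything that is not a regular file, such as a symbolic link), then match the user's authorizations against readauths or writeauths and report which privilege (PV_DAC_R or PV_DAC_W) would be raised. The stanza layout and all file paths and authorization names other than aix.security.user are constructed for the example; the hierarchical authorization matching in holds_auth (a held parent authorization such as aix.security covering aix.security.user) is standard AIX RBAC behaviour that this page does not itself describe.

```python
import os
import stat
import tempfile

PRIVFILES_PATH = "/etc/security/privfiles"

# Constructed sample in AIX stanza form; the entries are made up for this example.
SAMPLE_PRIVFILES = """\
* privileged file database (constructed sample)
/etc/security/environ:
        readauths = aix.security.user
        writeauths = aix.security.user

/etc/motd:
        readauths = custom.motd.view,aix.system.config
        writeauths = custom.motd.edit
"""


def parse_privfiles(text):
    """Parse stanza text into {path: {"readauths": [...], "writeauths": [...]}}."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):          # '*' starts a comment line
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]                         # stanza name is the file path
            db[current] = {"readauths": [], "writeauths": []}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            db[current][key.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return db


def holds_auth(user_auths, required):
    """True if the user holds `required` directly or holds a parent of it.
    Assumption (AIX RBAC hierarchy, not stated on this page): aix.security
    covers aix.security.user and every other child authorization."""
    return any(h == required or required.startswith(h + ".") for h in user_auths)


def pvi_open(db, path, user_auths, write):
    """Model the checks pvi performs before opening `path`.
    Returns (privilege, "") on success or (None, reason) on denial."""
    if path == PRIVFILES_PATH:
        return None, "the privileged file database itself cannot be edited with pvi"
    entry = db.get(path)
    if entry is None:
        return None, "file is not defined in the privileged file database"
    try:
        st = os.lstat(path)          # lstat: a symlink is seen as a link, not its target
    except OSError as exc:
        return None, "cannot stat file: %s" % exc
    if not stat.S_ISREG(st.st_mode):
        return None, "only regular files can be edited (links are refused)"
    if write:
        # Only writeauths grants PV_DAC_W; a write authorization also implies read.
        if any(holds_auth(user_auths, a) for a in entry["writeauths"]):
            return "PV_DAC_W", ""
        return None, "no authorization in writeauths matches"
    if any(holds_auth(user_auths, a) for a in entry["readauths"] + entry["writeauths"]):
        return "PV_DAC_R", ""
    return None, "no authorization in readauths or writeauths matches"


def build_demo():
    """Create a temp dir holding a regular file and a symlink to it, with a database
    entry for each (constructed sample). Returns (db, regular_path, link_path)."""
    root = tempfile.mkdtemp(prefix="privfiles-demo-")
    regular = os.path.join(root, "environ")
    link = os.path.join(root, "environ.lnk")
    with open(regular, "w") as fh:
        fh.write("PATH=/usr/bin\n")
    os.symlink(regular, link)
    text = "%s:\n        readauths = custom.env.view\n        writeauths = aix.security.user\n\n" % regular
    text += "%s:\n        writeauths = aix.security.user\n" % link
    return parse_privfiles(text), regular, link


if __name__ == "__main__":
    db, regular, link = build_demo()
    cases = [
        (regular, ["custom.env.view"], False),   # read-only authorization: PV_DAC_R
        (regular, ["custom.env.view"], True),    # same user opening for write: denied
        (regular, ["aix.security"], True),       # parent authorization covers aix.security.user
        (link, ["aix.security.user"], True),     # link refused even though authorized
        (PRIVFILES_PATH, ["aix.security"], True),
    ]
    for path, auths, write in cases:
        priv, reason = pvi_open(db, path, auths, write)
        print("%s %s with %s -> %s" % ("write" if write else "read", path, auths,
                                        priv or "denied: " + reason))
```

The order of the checks matters: the database lookup and the regular-file test run before any authorization is consulted, so a user who holds the right authorization still cannot use pvi to follow a symbolic link planted at a database path. In the real system the entry would be created with setsecattr and listed with lssecattr; the parser here only models what the locally stored file looks like.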