Determining the required authorizations for a command
Many system administrative applications require authorizations to run properly. While a set of predefined commands is provided in the privileged command database, system administrators might need to add entries that are specific to their environment. To gain access to a command, the proper authorization must be listed in the accessauths attribute of its entry in the database.
There are two ways an authorization can be used and checked in the AIX® operating system using the enhanced RBAC framework:
- Access Auths (Access Authorization): An attribute in the privileged command database that contains a comma-separated list of authorization names. A user whose current session has one of the authorizations in the list is allowed to run the command. The system loader performs this check when it runs protected privileged executables.
- Check Auths (checkauths()): A specific authorization or a list of authorizations can be checked programmatically using the checkauths() API. The specified authorizations are checked against the authorizations present in a role within the current session. Based on the outcome of this check, a program might perform privileged operations.
Before a command is added to the privileged command database, the authorizations that it needs must be determined to ensure that command execution is allowed. A program or application might perform additional authorization checks internally, so the list of authorizations used by the process must also be determined; these can be assigned when creating a custom role. To determine the authorizations, perform the following steps:
- Assign the PV_ROOT privilege to the invoking shell, or assume a role with aix authorization.
  Important: In a global-WPAR, the PV_ROOT privilege must be assigned to the effective and maximum privilege sets of the invoking shell process. Within a system-WPAR, this privilege also has to be added to the inherit privilege set of the process.
- Run the command.
- Record the authorizations used for the process.
- Store the authorization reported under Access Auths in the accessauths attribute of the command in the privileged command database. The authorizations reported under Check Auths can be used while creating roles in a system.
The following commands can be used to record the authorizations used by a process:
- traceauth: Specify an argument that is the command to execute. The traceauth command runs the command and records both types of authorizations used during the lifetime of the process. When the command finishes, the traceauth command displays the authorizations that were used on stdout.
- lssecattr: If the command is a long-running process, the lssecattr command can be used to display the authorizations used by the process.
To enable authorization tracing on a system, run the following command:
setrunmode -c; setsecconf -o traceauth=enable
To display the authorizations used by a process, run the lssecattr command as follows, substituting the PID of the process that is being monitored:
lssecattr -p -A PID
After the required authorizations have been determined, perform the steps in Adding a command to the privileged command database to add the command to the privileged command database. The command should then be run by an authorized user to verify that it runs properly.
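The following is an added example, not IBM code: it takes a recorded authorization report, validates the names, and prints for review the setsecattr command that would store the Access Auths list in the accessauths attribute. The report layout, the authorization names and the command path are assumptions made for the example, and setsecattr is an AIX command that this page does not name; the procedure in Adding a command to the privileged command database remains the reference.

```shell
#!/bin/sh
# Added example, not IBM code. ASSUMED report layout: "Access Auths: a,b"
# and "Check Auths: c,d", one line each. Adjust the labels to match what
# traceauth or lssecattr prints on your system.

# Constructed sample report; the authorization names are made up.
SAMPLE_REPORT='Access Auths: example.app.admin
Check Auths: example.app.read, example.app.admin, example.app.read'

# auths_for LABEL: read a report on stdin and print the de-duplicated,
# comma-separated authorizations that follow "LABEL:".
# Returns 1 if the label is missing or a name is not a dotted identifier.
auths_for() {
    list=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr -d ' \t' |
           tr ',' '\n' | sed '/^$/d' | sort -u)
    [ -n "$list" ] || return 1
    if printf '%s\n' "$list" |
       grep -Eqv '^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$'; then
        return 1
    fi
    printf '%s\n' "$list" | paste -s -d, -
}

# accessauths_cmd PATH: read a report on stdin and print (not run) the
# setsecattr command that stores the Access Auths list for PATH.
accessauths_cmd() {
    auths=$(auths_for 'Access Auths') || return 1
    printf 'setsecattr -c accessauths=%s %s\n' "$auths" "$1"
}

# /opt/example/bin/appadmin is a hypothetical command path.
printf '%s\n' "$SAMPLE_REPORT" | accessauths_cmd /opt/example/bin/appadmin
# Check Auths are not stored in the privileged command database;
# they are candidates for the custom role.
printf 'Authorizations to consider for the custom role: %s\n' \
    "$(printf '%s\n' "$SAMPLE_REPORT" | auths_for 'Check Auths')"
```

The script only prints the command, so the authorization list can be reviewed before anything is written to the database.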