RBAC-aware applications
Traditionally, in AIX® and on root-enabled enhanced RBAC systems, a root or root-owned setuid program (with UID=0) that does not appear in the privileged command database is always granted all privileges in the kernel. Privilege checks in the kernel will therefore always return success even when a requested privilege is not present in the process effective privilege set (EPS).
This behavior is still needed to support existing setuid applications, but it is a security risk because such a setuid program has all of the powers of root even if it only needs one specific privilege.
To allow proper privilege bracketing in a process on a root-enabled enhanced RBAC system, a new bit in the process structure has been introduced. If this bit is set, then the process becomes an RBAC-aware process and an effective UID of 0 does not provide any extra privileges. This bit can be set in a program with the proc_rbac_op system call. Any setuid programs which are not listed in the privileged command database can use this functionality to reduce security vulnerability by lowering the available privileges. Note that programs that are defined in the privileged command database are automatically marked as RBAC-aware processes and are only assigned the privileges listed in the database.
#include <userpriv.h>
#include <sys/priv.h>

int main(void)
{
    privg_t effpriv;
    int rbac_flags = SEC_RBACAWARE;

    /* Mark the process as RBAC-aware: from here on an effective UID of 0
       grants nothing beyond what is in the effective privilege set. */
    if (proc_rbac_op(-1, PROC_RBAC_SET, &rbac_flags) != 0)
        return 1;

    /* Start with an empty effective privilege set. */
    priv_clrall(effpriv);
    if (setppriv(-1, &effpriv, NULL, NULL, NULL) != 0)
        return 1;

    /* Raise the privilege only around the operation that requires it. */
    priv_raise(PV_AU_ADMIN, -1);
    auditproc();
    /* Lower the privilege as soon as it is no longer needed. */
    priv_lower(PV_AU_ADMIN, -1);
    return 0;
}