Education
Abstract
IBM Java for AIX Reference: RBAC privileged process and the Environment variables
Content
The purpose of this document is to explain how a process with elevated Role Based Access Control (RBAC) privileges affects the user's environment variables.
Enhanced Role Based Access Control (RBAC) in AIX v6 and above allows privileges to be assigned to processes, giving them attributes that grant certain security privileges. These assigned privileges allow the process to bypass privileged operation restrictions.
For a process configured with RBAC elevated privileges, the following environment variables in the user's environment are either ignored or reset:
LIBPATH
NLSPATH
LD_LIBRARY_PATH
LDR_PRELOAD
This is basic AIX security behavior and is the default by design.
However, a hardcoded LIBPATH would not be affected by any SUID or RBAC elevated privileges.
The LIBPATH environment variable can be hardcoded into executables. Refer to the compiler documentation for the specific option to use.
The behavior of LIBPATH being ignored/reset is not specific to RBAC. It happens any time a process's privileges are elevated; the most well-known example of this being when an executable has the SUID bit set.
It would be a severe security issue if the above environment variables were not ignored. For example, a non-root user could use the elevated privileges by setting LIBPATH to point to a malicious copy of a regular library, and that library would then execute with the elevated privileges, causing serious damage to the system, such as affecting critical data and system and network security.
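The following pre-flight check is an added example, not IBM code. It is meant to be run as the invoking user before starting Java under an RBAC-privileged or SUID command: it reports which of the four variables listed above are set (and so will be ignored or reset) and flags LIBPATH or LD_LIBRARY_PATH directories that group or others can write to. The function name `audit_loader_env` and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the four variables listed above.
# Function name and output format are assumptions of this example.

LOADER_VARS="LIBPATH NLSPATH LD_LIBRARY_PATH LDR_PRELOAD"

audit_loader_env() {
    for var in $LOADER_VARS; do
        eval "value=\${$var:-}"
        [ -n "$value" ] || continue
        # A privileged process will ignore or reset this setting.
        echo "SET $var=$value"
        case $var in
            LIBPATH|LD_LIBRARY_PATH) ;;
            *) continue ;;   # only the library search paths are checked below
        esac
        # Subshell keeps the IFS and globbing changes local.
        (
            IFS=:
            set -f
            for dir in $value; do
                [ -n "$dir" ] || continue
                # "$dir/." resolves symlinks; -prune tests the directory only.
                hit=$(find "$dir/." -prune \( -perm -020 -o -perm -002 \) \
                      -print 2>/dev/null) || true
                [ -z "$hit" ] || echo "WRITABLE $var $dir"
            done
        )
    done
    return 0
}

audit_loader_env
```

A `SET` line means the application must not depend on that variable when it runs with elevated privileges. A `WRITABLE` line marks a search directory where another user could place a library.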
Contact IBM Support
If, after reading and following the above instructions, further assistance is required, please complete the following steps:
1. Confirm that you have reviewed and completed all of the above steps.
2. Contact IBM and open a new IBM service request (i.e., a new IBM PMR).
3. Collect and upload data as per the data collection procedures noted in the above sections or package and upload the current data and details by following the instructions on this web page:
IBM Java for AIX MustGather: How to upload diagnostic data and testcases to IBM
Document Type: | Technical Document |
Content Type: | Reference |
Hardware: | All Power |
Operating System: | AIX Version 6 and above |
IBM Java: | All Java Versions |
Author(s): | Rama Tenjarla |
Reviewer(s): | NA |
Document Information
More support for:
IBM Java
Software version:
Version Independent
Operating system(s):
AIX
Document number:
716045
Modified date:
30 June 2018
UID
ibm10716045