
IBM Java for AIX Reference: RBAC privileged process and the Environment variables


Abstract

IBM Java for AIX Reference: RBAC privileged process and the Environment variables

Content


The purpose of this document is to explain the impact of a process with Elevated Role Based Access control (RBAC) privileges on the user Environment variables.


Definition

Enhanced Role Based Access Control (RBAC) in AIX v6 and above allows privileges to be assigned to processes. A process that holds such privileges is allowed to bypass the restrictions normally placed on privileged operations.


Environment Variables

For a process running with RBAC elevated privileges, the following environment variables from the user's environment are either ignored or reset:

LIBPATH

NLSPATH

LD_LIBRARY_PATH

LDR_PRELOAD

This is the basic AIX security behavior and default behavior by design.


However, a LIBPATH that is hardcoded into the executable is not affected by SUID or RBAC elevated privileges, because it is part of the binary rather than of the user's environment.
The LIBPATH can be hardcoded into an executable at build time. Refer to the compiler documentation for the specific option to use.



Security Issue

The behavior of LIBPATH being ignored/reset is not specific to RBAC. It happens any time a process's privileges are elevated; the most well-known example of this being when an executable has the SUID bit set.

It would be a severe security issue if the above environment variables were not ignored. For example, a non-root user could set LIBPATH to point to a malicious copy of a regular library; the privileged process would then load that library and execute it with the elevated privileges, causing serious damage to the system -- for example to critical data, system security and network security.
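As an added illustration (not part of the IBM document), the C routine below applies the same policy the document describes to an environment array: it drops the four listed loader variables while keeping everything else. A privileged program can use this as a defence-in-depth step on the environment it passes to child processes. The sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* The loader-related variables that AIX ignores or resets for SUID and
 * RBAC-privileged processes, as listed in the document. */
static const char *const UNSAFE_VARS[] = {
    "LIBPATH", "NLSPATH", "LD_LIBRARY_PATH", "LDR_PRELOAD", NULL
};

/* Returns 1 when a "NAME=value" entry sets one of UNSAFE_VARS (exact name
 * match, so e.g. LIBPATHX is kept). */
static int is_unsafe_entry(const char *entry)
{
    for (const char *const *v = UNSAFE_VARS; *v != NULL; v++) {
        size_t n = strlen(*v);
        if (strncmp(entry, *v, n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Compacts a NULL-terminated envp array in place, dropping unsafe entries,
 * and returns how many were removed. Mirrors the kernel's policy so a
 * privileged program can apply it to the environment it hands to children. */
int scrub_loader_env(char **envp)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        if (is_unsafe_entry(*in))
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    /* Constructed environment for illustration, not from a real system. */
    char *env[] = { "PATH=/usr/bin", "LIBPATH=/tmp/untrusted", "HOME=/home/u",
                    "LDR_PRELOAD=x.so", "LIBPATHX=keep", NULL };
    printf("removed %d entries\n", scrub_loader_env(env));
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```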

Contact IBM Support


If, after reading and following the above instructions, further assistance is required, please complete the following steps:

1. Confirm that you have reviewed and completed all of the above steps.

2. Contact IBM and open a new IBM service request (i.e., a new IBM PMR).

3. Collect and upload data as per the data collection procedures noted in the above sections or package and upload the current data and details by following the instructions on this web page:


IBM Java for AIX MustGather: How to upload diagnostic data and testcases to IBM

Document Type: Technical Document
Content Type: Reference
Hardware: All Power
Operating System: AIX Version6 and above
IBM Java: All Java Versions
Author(s): Rama Tenjarla
Reviewer(s): NA

Document Information

More support for:
IBM Java

Software version:
Version Independent

Operating system(s):
AIX

Document number:
716045

Modified date:
30 June 2018

UID

ibm10716045
