IBM Support

Creating a RBAC role to run a command in AIX

Question & Answer

Question

This document discusses creating a custom role to run an existing AIX OS command using an existing authorization.

Answer

In AIX 6.1 and later, Enhanced RBAC (Role Based Access Control) can be used to create a specific role that is allowed to run one or more AIX commands, and to assign that role to a user. This grants a normal user account a specific privilege without the user having to become root or use another utility such as sudo.

1. First determine which command the user wants to run.

In our example we're going to allow the user to run the /usr/sbin/mklv command, which creates logical volumes.

2. Does the command exist in the privileged command database?

If the command is in the privileged command database /etc/security/privcmds then we can list out the security attributes of that program. We're specifically going to list the access authorizations necessary to run the program. It's very likely that the command is in the privcmds database, as over 900 system commands already exist there.

# lssecattr -c -a accessauths /usr/sbin/mklv
/usr/sbin/mklv accessauths=aix.lvm.manage.create

3. Is there a role with the appropriate access authorizations already?
Check for an existing role that might be used instead of having to create one.

# lsrole ALL | grep aix.lvm.manage.create

This came back with nothing, so no current role exists with that specific authorization. As authorizations are hierarchical in nature, we could search for one that encompasses more LVM operations.

# lsrole ALL | grep aix.lvm.manage
<nothing>

# lsrole ALL | grep aix.lvm

FSAdmin authorizations=aix.fs.manage.change,aix.fs.manage.create,aix.fs.manage.debug,aix.fs.manage.defrag,aix.fs.manage.dump,aix.fs.manage.list,aix.fs.manage.mount,aix.fs.manage.quota,aix.fs.manage.recover,aix.fs.manage.remove,aix.fs.manage.snapshot,aix.fs.manage.unmount,aix.fs.object,aix.lvm rolelist= groups= visibility=1 screens=* dfltmsg=File System Administration msgcat=role_desc.cat msgnum=7 msgset=1 auth_mode=INVOKER id=7

So there is a role called FSAdmin that could be assigned to a user. If this contains too many authorizations we can create a new role for just the specific authorization we wish to give.


4. Create our custom role
We'll create a role with a name and a default message (so future administrators know what the role does), and assign the authorization to it.

# mkrole dfltmsg="Allow creation of logical volumes" authorizations="aix.lvm.manage.create" lvcreate

Load the new role into the kernel security tables; a role defined with mkrole is not usable until setkst has been run:

# setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.

5. Now we can assign this role to a user
To assign the role to the user, change the user's roles attribute:

# chuser roles=lvcreate bob

We can also set the user's default_roles attribute so the role is activated automatically at login. That way the user doesn't need to run /usr/bin/swrole to switch into it.

Either set the role specifically or use the "ALL" keyword to apply all assigned roles:

# chuser roles=lvcreate default_roles=lvcreate bob
or
# chuser roles=lvcreate default_roles=ALL bob


6. Test to see if the role was assigned
If we log in as bob we can see whether the role was assigned to the account:

$ rolelist -a
lvcreate   aix.lvm.manage.create


7. Switch into a new role session
If the role was assigned to the user but not set as a default role (or the ALL keyword was not used for default_roles), the user needs to switch into it; swrole prompts for the user's own password:

$ swrole lvcreate
bob's password: <password>

8. Check if the role has been enabled now
# rolelist -e
lvcreate   aix.lvm.manage.create

Now test if the command works for the user:

$ mklv -y mylv testvg 20
mylv

9. Exit out of the role session
If the role was not set as a default role, the user can exit the role-enabled session back to their normal work environment.
$ exit
$ rolelist -e
rolelist: 1420-062 There is no active role set.
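Step 3 finds a suitable role by grepping lsrole output for progressively shorter authorization prefixes. The script below is an added example, not part of this IBM document: it parses `lsrole ALL` output and reports every role whose authorizations equal, or are an ancestor of, a requested authorization, so an administrator can audit which roles already grant a given privilege. It uses the real lsrole when present and otherwise falls back to a constructed sample (the FSAdmin line from step 3 plus two invented roles, lvcreate and NetAdmin), so it also runs off an AIX host.

```shell
#!/bin/sh
# Added example: list roles granting an AIX authorization, honouring the
# authorization hierarchy (a role holding "aix.lvm" also grants
# "aix.lvm.manage.create"). Not IBM code.

# Constructed sample of `lsrole ALL` output, trimmed to the attributes used.
SAMPLE_LSROLE='FSAdmin authorizations=aix.fs.manage.change,aix.fs.manage.create,aix.lvm rolelist= groups= id=7
lvcreate authorizations=aix.lvm.manage.create rolelist= groups= id=101
NetAdmin authorizations=aix.network.config rolelist= groups= id=9'

# auth_covers GRANTED WANTED: true if GRANTED is WANTED or an ancestor of it.
auth_covers() {
    g=$1; w=$2
    [ "$g" = "$w" ] && return 0
    case "$w" in
        "$g".*) return 0 ;;   # quoted part is literal, ".*" is the glob
    esac
    return 1
}

# role_covers AUTHLIST WANTED: true if any comma-separated entry covers WANTED.
role_covers() {
    list=$1; w=$2
    oldifs=$IFS; IFS=,
    set -- $list            # split the role's authorizations on commas
    IFS=$oldifs
    for a in "$@"; do
        auth_covers "$a" "$w" && return 0
    done
    return 1
}

# roles_granting WANTED [LSROLE_OUTPUT]: print names of roles granting WANTED.
roles_granting() {
    w=$1
    if [ -n "$2" ]; then out=$2
    elif command -v lsrole >/dev/null 2>&1; then out=$(lsrole ALL)
    else out=$SAMPLE_LSROLE      # offline fallback: constructed data
    fi
    printf '%s\n' "$out" | while read -r name rest; do
        # extract the authorizations= attribute (its value contains no spaces)
        auths=$(printf '%s\n' "$rest" | tr ' ' '\n' | sed -n 's/^authorizations=//p')
        if [ -n "$auths" ] && role_covers "$auths" "$w"; then
            printf '%s\n' "$name"
        fi
    done
}
```

Run `roles_granting aix.lvm.manage.create` on an AIX system to see which existing roles (if any) would let a user run mklv before creating a new one.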


Document Information

Modified date: 17 June 2018
UID: isg3T1023419