IBM Support

AIX Security: How to extend special file permissions with RBAC or ACLs

How To


Summary

RBAC does not work for 'cat, csum, tail' and related commands. How can I extend user access for restricted files?

Objective

Role-based access control (RBAC) can extend permissions for files, but there are limitations to the permissions. There are other methods to allow users to view or perform operations on a restricted file.
NOTE: The functionality of RBAC is beyond the scope of this document. Refer to the following documents for RBAC details:

Steps

The following example creates a test directory and file, with rwx permissions for owner 'root', and group 'security'.
# mkdir  /secureDir
# touch /secureDir/secureFile
# chown -R root.security /secureDir
# chmod -R 770 /secureDir
# ls -al secureDir
total 8
drwxr-x---    2 root     security        256 Mar 18 10:49 .
drwxr-xr-x   25 root     system         4096 Mar 18 10:49 ..
-rwxr-x---    1 root     security          0 Mar 18 10:49 secureFile
In the next step, RBAC will be tested:
# mkauth testauth
# mkrole authorizations=testauth testrole
# setkst
# chuser roles=testrole testuser
# setsecattr -f writeauths=testauth /secureDir/secureFile
Next, the user will try to access the file:
# login testuser
# swrole testrole
# pvi /secureDir/secureFile      --> OK
# vi /secureDir/secureFile
"/secureDir/secureFile" The file access permissions do not allow the specified action.
# cat /secureDir/secureFile
cat: 0652-050 Cannot open /secureDir/secureFile.
SOLUTION:
The RBAC writeauths and readauths attributes on a file grant ONLY pvi edit access; commands such as cat, vi, or tail are still checked against the file's normal permissions. There are three options to give the user access to the file:
A) Add the user to the 'security' group:
# usermod -G security testuser
B) Change DAC (Discretionary Access Control) for directory/file:
# chmod 777 /secureDir/secureFile (allow read/write)
or 
# chmod 755 /secureDir/secureFile (allow read)
C) Extend ACL permissions:
C.1) Add an rwx ACL for the directory:
# acledit  /secureDir
    extended permissions
    enabled
    permit   rwx     u:testuser
--> Should the modified ACL be applied? (yes) or (no) yes
C.2) Next, add an rwx ACL for the file:
# acledit  /secureDir/secureFile
    extended permissions
    enabled
    permit   rw-     u:testuser
--> Should the modified ACL be applied? (yes) or (no) yes
RESULT:
The user can view, edit, or execute the file.
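A scriptable version of option C, added here as an example that is not part of the IBM document: it replaces the interactive acledit session with aclget and aclput (both read/write the AIXC ACL text shown above) and adds a check that the resulting ACL really grants the user the requested bits. The user name testuser and path /secureDir come from the document; the function names, the sample aclget output and the single-identity entry assumption are mine.

```shell
#!/bin/sh
# Added example, not from the IBM document: scriptable form of step C using
# aclget/aclput instead of the interactive acledit session (AIXC ACL format).
# Assumption: single-identity "permit/deny <perms> u:<user>" entries only.

# Rewrite ACL text from stdin: turn extended permissions on and append a
# permit entry for <user>, dropping any earlier permit entry for the same user.
add_permit_entry() {
    awk -v u="$1" -v p="$2" '
        /^extended permissions/                    { print; inext = 1; next }
        inext && /^[ \t]*(disabled|enabled)/       { print "    enabled"; next }
        inext && $1 == "permit" && $3 == ("u:" u) { next }
        { print }
        END { printf "    permit   %s     u:%s\n", p, u }'
}

# Check: does the ACL text on stdin grant <user> every bit in <perms> (e.g. rw-)?
# Requires extended permissions to be enabled and no deny entry for the bit.
acl_grants() {
    awk -v u="$1" -v p="$2" '
        /^extended permissions/                    { inext = 1; next }
        inext && /^[ \t]*enabled/                  { enabled = 1 }
        inext && $1 == "permit" && $3 == ("u:" u) { permit = permit $2 }
        inext && $1 == "deny"   && $3 == ("u:" u) { deny = deny $2 }
        END {
            if (!enabled) exit 1
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c == "-") continue
                if (index(permit, c) == 0 || index(deny, c) > 0) exit 1
            }
        }'
}

# On AIX: read, rewrite and write back the ACL of a path (aclput reads stdin).
grant_user_acl() {
    aclget "$1" | add_permit_entry "$2" "$3" | aclput "$1"
}

# Constructed sample of what `aclget /secureDir` prints after the chmod 770 above
SAMPLE_ACL='attributes:
base permissions
    owner(root):  rwx
    group(security):  rwx
    others:  ---
extended permissions
    disabled'

printf '%s\n' "$SAMPLE_ACL" | add_permit_entry testuser rwx
```

On the AIX host, `grant_user_acl /secureDir testuser rwx` performs step C.1 non-interactively, and `aclget /secureDir | acl_grants testuser rwx` confirms the result.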


Document Information

Modified date: 06 September 2023
UID: ibm16433581