- 论坛徽章:
- 1
|
继《AIX 6 RBAC学习记录一》,本文专注于分析:要使某用户能运行某命令,需要分配给他什么样的角色。
3、查看“运行某命令”所需要的角色(命令在RBAC特权命令数据库中)
CMD=cfgmgr #此处写cfgmgr、/usr/sbin/cfgmgr都可以
x() {
CMD=`which $1`|| return
AUTH=`lssecattr -c -a accessauths $CMD | awk -F= '{print $2}'`
[[ a$AUTH == a ]] && return
#将AUTH=aix.system.boot.create变成AUTH=aix.system.boot.create|aix.system.boot,|aix.system.boot$|aix.system,|aix.system$
PAUTH=${AUTH%.*}
AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
PAUTH=$(echo $PAUTH | grep
\\..*\\
.)
while [ a$PAUTH != a ]; do
PAUTH=${PAUTH%.*}
AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
PAUTH=$(echo $PAUTH | grep
\\..*\\
.)
done
ROLES=`lsrole -a authorizations ALL | egrep "$AUTH"|awk '{print $1}'`
echo "## You can use one of these following commands to make one user has privilege to run command $CMD :"
for i in $ROLES; do
echo "## chuser roles=$i USERNAME"
done
}
x $CMD
命令结果示例:
# CMD=bosboot
# x() {
> CMD=`which $1`|| return
> AUTH=`lssecattr -c -a accessauths $CMD | awk -F= '{print $2}'`
> [[ a$AUTH == a ]] && return
>
> #将AUTH=aix.system.boot.create变成AUTH=aix.system.boot.create|aix.system.boot,|aix.system.boot$|aix.system,|aix.system$
> PAUTH=${AUTH%.*}
> AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
> PAUTH=$(echo $PAUTH | grep
\\..*\\
.)
> while [ a$PAUTH != a ]; do
> PAUTH=${PAUTH%.*}
> AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
> PAUTH=$(echo $PAUTH | grep
\\..*\\
.)
> done
>
> ROLES=`lsrole -a authorizations ALL | egrep "$AUTH"|awk '{print $1}'`
> echo "## You can use one of these following commands to make one user has privilege to run command $CMD :"
> for i in $ROLES; do
> echo "## chuser roles=$i USERNAME"
> done
> }
# x $CMD
## You can use one of these following commands to make one user has privilege to run command /usr/sbin/bosboot :
## chuser roles=SysBoot USERNAME
## chuser roles=SysConfig USERNAME
#
相关命令:
# lssecattr -c -a accessauths ALL | grep '/cfgmgr '
/usr/sbin/cfgmgr accessauths=aix.device.config
# lsrole -a authorizations ALL
AccountAdmin authorizations=aix.security.group,aix.security.user
BackupRestore authorizations=aix.fs.manage.backup,aix.fs.manage.restore
DomainAdmin authorizations=aix.security.kerberos,aix.security.ldap,aix.security.nis,aix.security.pki
FSAdmin authorizations=aix.fs.manage.change,aix.fs.manage.create,aix.fs.manage.debug,aix.fs.manage.defrag,aix.fs.manage.dump,aix.fs.manage.list,aix.fs.manage.mount,aix.fs.manage.quota,aix.fs.manage.recover,aix.fs.manage.remove,aix.fs.manage.snapshot,aix.fs.manage.unmount,aix.fs.object,aix.lvm
SecPolicy authorizations=aix.security.audit,aix.security.auth,aix.security.cmd,aix.security.config,aix.security.device,aix.security.file,aix.security.kst,aix.security.network,aix.security.proc,aix.security.role,aix.security.passwd,aix.security.su,aix.security.tcb,aix.security.tsd
SysBoot authorizations=aix.system.boot.create,aix.system.boot.halt,aix.system.boot.info,aix.system.boot.reboot,aix.system.boot.shutdown
SysConfig authorizations=aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.console,aix.system.config.date,aix.system.config.diag,aix.system.config.dlpar,aix.system.config.inittab,aix.system.config.io,aix.system.config.kext,aix.system.config.mode,aix.system.config.perf,aix.system.config.rset,aix.system.config.uname,aix.system.config.write,aix.system.stat,aix.wpar
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
sa authorizations=aix.system.config.acct,aix.system.config.cron,aix.system.config.src,aix.system.install
so authorizations=aix.proc.kill,aix.ras,aix.system.config.init,aix.system.config.wlm
# lsrole -a authorizations ALL | grep aix.device.config
# lsrole -a authorizations ALL | grep aix.device
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
# lsrole -f -a authorizations ALL | grep aix.device,
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
# chuser roles=isso mawt
# su - mawt
$ cfgmgr
ksh: cfgmgr: cannot execute
$ swrole ALL
mawt's Password:
$ cfgmgr
$ rolelist -e
isso Information System Security Officer
$
说明:如果设置CMD=lsof,会得到这样的报错:“"/usr/sbin/lsof" does not exist in the privileged command database.”,第4部分专门解决这个问题。
按此方法分配的角色通常还允许用户执行其它的命令,要查看此角色所能执行的所有命令,可以用第2部分的方法;要避免用户可以执行过多命令的问题,同样可以使用第4部分的方法。
4、查看“运行某命令”所需要的角色(命令不在RBAC特权命令数据库中)
CMD=lsof
x() {
CMD=$1
DATE=`date '+%Y-%m-%d'`
#判断命令是否是symbolic link,如果是则获取其对应的真实全路径文件名
readlink()
{
CMD=`which $1` || return
ls -l $CMD | grep -q '^l'
if [ $? != 0 ]; then
echo $CMD
return
fi
DIR1=`dirname $CMD`
CMD1=`ls -l $CMD | awk '{print $NF}'`
DIR2=`dirname $CMD1`
CMD2=`basename $CMD1`
DIR3=`cd $DIR1;cd $DIR2;pwd`
CMD=${DIR3}"/"${CMD2}
ls -l $CMD | grep -q '^l' && readlink $CMD
echo $CMD
}
CMD=`readlink $CMD`
echo "## The old modes of $CMD is:"
ls -l $CMD
echo "\n## You can use these following commands, if you want to put $CMD into RBAC privileged command database:"
echo chmod g-rwxs,o-rwxs $CMD
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands."`basename $1`
tracepriv $1 1>/dev/null 2>&1
PVS=`tracepriv $1 2>&1 1>/dev/null | grep PV | xargs |sed 's/ /,/g'`
echo setsecattr -c innateprivs=$PVS accessauths=mwt.aix.commands.`basename $1` $CMD
echo mkrole authorizations=mwt.aix.commands.`basename $1` dfltmsg=\"CREATED BY MWT, AT $DATE\" cmd_$1
echo setkst
echo "## chuser roles=cmd_$1 USERNAME"
}
x $CMD
命令结果示例:
# CMD=lsof
# x() {
> CMD=$1
> DATE=`date '+%Y-%m-%d'`
>
> #判断命令是否是symbolic link,如果是则获取其对应的真实全路径文件名
> readlink()
> {
> CMD=`which $1` || return
> ls -l $CMD | grep -q '^l'
> if [ $? != 0 ]; then
> echo $CMD
> return
> fi
> DIR1=`dirname $CMD`
> CMD1=`ls -l $CMD | awk '{print $NF}'`
> DIR2=`dirname $CMD1`
> CMD2=`basename $CMD1`
> DIR3=`cd $DIR1;cd $DIR2;pwd`
> CMD=${DIR3}"/"${CMD2}
> ls -l $CMD | grep -q '^l' && readlink $CMD
> echo $CMD
> }
>
> CMD=`readlink $CMD`
> echo "## The old modes of $CMD is:"
> ls -l $CMD
> echo "\n## You can use these following commands, if you want to put $CMD into RBAC privileged command database:"
> echo chmod g-rwxs,o-rwxs $CMD
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands."`basename $1`
>
> tracepriv $1 1>/dev/null 2>&1
> PVS=`tracepriv $1 2>&1 1>/dev/null | grep PV | xargs |sed 's/ /,/g'`
> echo setsecattr -c innateprivs=$PVS accessauths=mwt.aix.commands.`basename $1` $CMD
> echo mkrole authorizations=mwt.aix.commands.`basename $1` dfltmsg=\"CREATED BY MWT, AT $DATE\" cmd_$1
> echo setkst
> echo "## chuser roles=cmd_$1 USERNAME"
> }
# x $CMD
## The old modes of /opt/freeware/sbin/lsof is:
-rwxr-sr-x 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
## You can use these following commands, if you want to put /opt/freeware/sbin/lsof into RBAC privileged command database:
chmod g-rwxs,o-rwxs /opt/freeware/sbin/lsof
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.commands
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.commands.lsof
setsecattr -c innateprivs=PV_PROC_PRIV,PV_KER_ACCT,PV_NET_CNTL,PV_NET_PORT accessauths=mwt.aix.commands.lsof /opt/freeware/sbin/lsof
mkrole authorizations=mwt.aix.commands.lsof dfltmsg="CREATED BY MWT, AT 2008-12-01" cmd_lsof
setkst
## chuser roles=cmd_lsof USERNAME
#
相关命令:
for i in `lssecattr -c -a ALL`; do (ls -e $i | grep ^-......r.-); done
for i in `lssecattr -c -a ALL`; do (ls -e $i | grep ^-........x); done
rmrole cmd_lsof
rmauth mwt.aix.commands.lsof
# cat /usr/include/sys/priv.h | grep PV_MAC_OVRRD
#define PV_MAC_OVRRD 191 /* Bypass MAC restrictions for files */
# lspriv -v | grep PV_MAC_OVRRD
PV_MAC_OVRRD Allows a process to bypass MAC restrictions for files flagged as being exempt from MAC.
#
# tracepriv lsof 2>&1 1>/dev/null | grep PV
PV_DAC_O PV_PROC_PRIV
PV_TCB PV_KER_ACCT
PV_NET_CNTL PV_NET_PORT
# tracepriv lsof 2>&1 1>/dev/null | grep PV
PV_PROC_PRIV PV_KER_ACCT
PV_NET_CNTL PV_NET_PORT
# tracepriv lsof 2>&1 1>/dev/null | grep PV | xargs |sed 's/ /,/g'
PV_PROC_PRIV,PV_KER_ACCT,PV_NET_CNTL,PV_NET_PORT
#
# ls -l `which lsof`
lrwxrwxrwx 1 root system 28 Oct 31 14:56 /usr/sbin/lsof -> ../../opt/freeware/sbin/lsof
# ls -l /opt/freeware/sbin/lsof
-rwxr-sr-x 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
# chmod o-rx /usr/sbin/lsof
# ls -l /opt/freeware/sbin/lsof
-rwxr-s--- 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
#
说明:此部分也适用于已位于RBAC特权命令数据库中的命令(如:cfgmgr、bosboot),这样可以避免第3部分出现的分配角色后用户可以执行过多命令的问题。
========================================================================
任何形式的转载,请写明出处:
email:
beginner@yeah.net
blog:
http://www.aixchina.net/?1865
http://www.cublog.cn/u/739/
========================================================================
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/739/showart_1674519.html |
|
免费注册
发表于 2008-12-01 16:53