Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: rbac and execution attributes (uid and euid)
Operating Systems Solaris rbac and execution attributes (uid and euid) Post 302473576 by deadeyes on Sunday 21st of November 2010 12:42:08 PM
Old 11-21-2010
Sorry for not being clear enough.

In both cases it is about /usr/sbin/auditd and what uid and euid they will be running with.

The output I paste is from the command:
profiles -l auser

In the first case there is:
All: *
in front of the other lines.

In the second case the All: * is not there.
I have seen these as examples and I don't understand why they say that in the case of All: * being there, that the euid and uid would be those of the logged in role (so the role uid). And in the case of All:* not being there the uid and euid would be 0.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

To:blowtorch - Setuid uid/euid issue

Hi, Its a shell script. rws by root, r_s by group named "other" and r_x by all others. How can i set the uid from inside a setuid program. please let me know. Also I dont have a c compiler on the system. Thanks Reply With Quote (0 Replies)
Discussion started by: 0ktalmagik
0 Replies

2. UNIX for Advanced & Expert Users

Setuid Program with (-rwsr-sr-x 1 root other ) UID/EUID issue

Hi, I have a program with the following suid setup -rwsr-sr-x 1 root other 653 Aug 16 17:00 restart_server It basically starts up a service that has to be started by root. I just want the normal users to be able to restart the service using the script above. But when the... (7 Replies)
Discussion started by: 0ktalmagik
7 Replies

3. Solaris

Rbac

I am trying to let user asillitoe su to the godbrook role to execute commands. I have editted files as follows: user_attr: asillito::::type=normal;roles=godbrook godbrook::::type=role;profiles=Gadbrook,All prof_attr: Gadbrook:::Allow root commands to be used by godbrook: exec_attr:... (0 Replies)
Discussion started by: chrisdberry
0 Replies

4. Solaris

EUID set for all non-root users

We have a Solaris box. I noticed that whenever any non-root user logins into the box and issues the command id the output is (for example) uid=42568(sam) gid=1245(sam) euid=0(root) egid=2(bin). I have not given any privileges to anyone explicitly. When I issued ls -l in the /usr/bin directory I... (1 Reply)
Discussion started by: chrisanto_2000
1 Replies

5. Red Hat

euid and egid frpm proc

hi, can anyone tell me where can i find euid and egid from /proc file system in RHEL 4? i read stat file, but i got only uid and gid, and cudnot find any entry regarding euid and egid.please suggest... thanks, sanjay (2 Replies)
Discussion started by: sanjaykhuntia
2 Replies

6. Solaris

RBAC Help

do i have to create a new account to add a role? i want the sysadmin login i have 3 users on my systems sysadmin secman oc01 also 3 profiles SA (goes t0 sysadmin account) SSO (goes to secman account) LMICS (goes to oc01 account) the user accounts are located in /h/USERS/local the... (4 Replies)
Discussion started by: deaconf19
4 Replies

7. AIX

RBAC in 5.3 Question

I would like to use the Role Based access control to granulize some of the administration of AIX systems in our organization. Across the company we will be using aix 5.3. One of these roles will only have the access to make, change and delete users, something similar to ManageAllUsers. The thing... (1 Reply)
Discussion started by: dgaixsysadm
1 Replies

8. Solaris

rbac problem.

Hi all! On backup server with contab my script worked, but one command don't fine to be executed: bash-3.00$ scp itadmin@172.17.0.44:/export/backups/* /bckp1/opencms/bcp_`date +%Y%m%d`/ www-zone.cfg 100%... (0 Replies)
Discussion started by: sotich82
0 Replies

9. UNIX for Advanced & Expert Users

Help with can't get execution attributes

Hi Gurus, I am trying to create a FS using SVM but system is throwing the following error. newfs /dev/md/rdsk/d1002 newfs: construct a new file system /dev/md/rdsk/d1002: (y/n)? y /usr/sbin/clri: can't get execution attributes (1 Reply)
Discussion started by: rama krishna
1 Replies

10. UNIX for Dummies Questions & Answers

Changing the user id or euid of the shell itself

Hi all, Ok, bear with me on this one, I am a bit new to Unix and it might take me a little bit of time to articulate my question. I know that every process has a user id and an effective user id. This seems to include the shell itself, because when I type 'ps', I see 'bash' listed as a... (2 Replies)
Discussion started by: oddthingy
2 Replies

LEARN ABOUT X11R4

exec_attr

exec_attr(4)                                                                                                                          exec_attr(4)

NAME

       exec_attr - execution profiles database

SYNOPSIS

       /etc/security/exec_attr

       /etc/security/exec_attr  is  a  local  database that specifies the execution attributes associated with profiles. The exec_attr file can be
       used with other sources for execution profiles, including the exec_attr NIS map and NIS+ table. Programs use the  getexecattr(3SECDB)  rou-
       tines to access this information.

       The  search  order for multiple execution profile sources is specified in the /etc/nsswitch.conf file, as described in the nsswitch.conf(4)
       man page. The search order follows the entry for prof_attr(4).

       A profile is a logical grouping of authorizations and commands that is interpreted by a profile shell to form a secure  execution  environ-
       ment. The shells that interpret profiles are pfcsh, pfksh, and pfsh. See the pfsh(1) man page. Each user's account is assigned zero or more
       profiles in the user_attr(4) database file.

       Each entry in the exec_attr database consists of one line of text containing seven fields separated by colons (:). Line continuations using
       the backslash (fR) character are permitted. The basic format of each entry is:

              name:policy:type:res1:res2:id:attr

       name

           The name of the profile. Profile names are case-sensitive.

       policy

           The  security  policy that is associated with the profile entry. The valid policies are suser (standard Solaris superuser) and solaris.
           The solaris policy recognizes privileges (see privileges(5)); the suser policy does not.

           The solaris and suser policies can coexist in the same exec_attr database, so that Solaris releases prior to the  current  release  can
           use the suser policy and the current Solaris release can use a solaris policy. solaris is a superset of suser; it allows you to specify
           privileges in addition to UIDs. Policies that are specific to the current release of Solaris or  that  contain  privileges  should  use
           solaris. Policies that use UIDs only or that are not specific to the current Solaris release should use suser.

       type

           The type of object defined in the profile. The only valid type is cmd.

       res1

           Reserved for future use.

       res2

           Reserved for future use.

       id

           A string that uniquely identifies the object described by the profile. For a profile of type cmd, the id is either the full path to the
           command or the asterisk (*) symbol, which is used to allow all commands. An asterisk that replaces the filename component in a pathname
           indicates all files in a particular directory.

           To  specify arguments, the pathname should point to a shell script that is written to execute the command with the desired argument. In
           a Bourne shell, the effective UID is reset to the real UID of the process when the effective UID is less than 100 and not equal to  the
           real  UID. Depending on the euid and egid values, Bourne shell limitations might make other shells preferable. To prevent the effective
           UIDs from being reset to real UIDs, you can start the script with the -p option.

           #!/bin/sh -p

       attr

           An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the  object  upon  execu-
           tion.  Zero  or  more  keys  may  be specified. The list of valid key words depends on the policy enforced. The following key words are
           valid: euid, uid, egid, gid, privs, and limitprivs.

           euid and uid contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which
           is  similar  to  setting  the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs.
           Setting uid may be more appropriate than setting the euid on privileged shell scripts.

           egid and gid contain a single group name or a numeric group ID. Commands designated with egid run with  the  effective  GID  indicated,
           which  is  similar to setting the setgid bit on a file. Commands designated with gid run with both the real and effective GIDs. Setting
           gid may be more appropriate than setting guid on privileged shell scripts.

           privs contains a privilege set which will be added to the inheritable set prior to running the command.

           limitprivs contains a privilege set which will be assigned to the limit set prior to running the command.

           privs and limitprivs are only valid for the solaris policy.

       Example 1: Using Effective User ID

       The following example shows the audit command specified in the Audit Control profile to execute with an effective user ID of root(0):

       Audit Control:suser:cmd:::/usr/sbin/audit:euid=0

       /etc/nsswitch.conf

       /etc/user_attr

       /etc/security/exec_attr

CAVEATS

       When deciding which authorization source to use (see ), keep in mind that NIS+ provides stronger authentication than NIS.

       Because the list of legal keys is likely to expand, any code that parses this database must be written to ignore  unknown  key-value  pairs
       without error. When any new keywords are created, the names should be prefixed with a unique string, such as the company's stock symbol, to
       avoid potential naming conflicts.

       The following characters are used in describing the database format and must be escaped with a backslash if used as data: colon (:),  semi-
       colon (;), equals (=), and backslash (fR).

       auths(1),  profiles(1),  roles(1),  sh(1),  makedbm(1M), getauthattr(3SECDB), getauusernam(3BSM), getexecattr(3SECDB), getprofattr(3SECDB),
       getuserattr(3SECDB), kva_match(3SECDB), auth_attr(4), prof_attr(4), user_attr(4), privileges(5)

                                                                    25 Feb 2005                                                       exec_attr(4)
All times are GMT -4. The time now is 09:40 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy