Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Assigning proc_owner privilege to particular user in RBAC
Operating Systems Solaris Assigning proc_owner privilege to particular user in RBAC Post 303036164 by jim mcnamara on Monday 17th of June 2019 06:25:02 PM
Old 06-17-2019
Short answer to risk: yes. Not secure. That privilege means your power user reads the entire command line for ANY process, sometimes privileged processes get started something like this:
Code:
/path/to/foobar  jon/password

The power user can get environment variables inside the process with pargs -e, so if the secure user has a password embedded in an environment variable the power user can see it.
That power user may under some circumstances also read some of the /proc files for other processes.

Sounds like a security problem to me. You will have to be certain that nowhere are there system scripts that require passwords passed to them or have them in a login variable or an envirionment variable, for example.

This privilege would be good on a development machine, not so good on a production box.

How to assign and un-assign
Turn off for user
Code:
usermod -K 'defaultpriv=basic,!proc_info' user

Turn on for user:
Code:
usermod -K 'defaultpriv=basic,proc_info' user

The difference is just a single ! character
This User Gave Thanks to jim mcnamara For This Post:
sb200
 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Write privilege for user

Is it possible to grant write privileges to a user on a directory with out having to add the user to a group or make the user the owner of the directory? My background is in Windows and in Windows you can grant specific privileges to a user without having to put the user in a group or making the... (3 Replies)
Discussion started by: here2learn
3 Replies

2. UNIX for Advanced & Expert Users

RBAC: create a user to shut the server

Hi, I have created a user to shutdown the server using RBAC. Here are my steps: 1. roleadd -u 1000 -g 10 -d /home/stopsys -m stopsys 2. passwd stopsys 3. edit /etc/security/prof_attr to include: Shut:::able to shut the server: 4. modrole -P Shut stopsys 5. useradd -u 1001 -g 10 -d... (2 Replies)
Discussion started by: chaandana
2 Replies

3. AIX

[Help] Give privilege to an ordinary user

I'm trying to give a non-root user the right to start IBM HTTP Server, the web server is listening on port 80, but for AIX, ports under 1024 are privilege ports which can be used only by root. /usr/IBMIHS/bin# ./apachectl start (13)Permission denied: make_sock: could not bind to address :::80... (1 Reply)
Discussion started by: ibmer414
1 Replies

4. Linux

Sudo user vs RBAC

Hi all, What the difference between the sudo users & RBAC when the talk of effects after doing the above comes??? any differences between them ,kindly list ?? (1 Reply)
Discussion started by: saurabh84g
1 Replies

5. Solaris

Root privilege for user

Can anyone please tell how to give root privilege to a normal user in solaris 10? (5 Replies)
Discussion started by: nicktrix
5 Replies

6. UNIX for Dummies Questions & Answers

How to create/restrict a user with to have no privilege from other group

Hello experts I am new to Unix. Env : HPUX I need to create a user say testuser such that it does not have access to file/directories from the other group i.e the last 3 digits . How do I do that. Reason for such a request :- I have an existing user oracle which has default umask... (3 Replies)
Discussion started by: simonsimon
3 Replies

7. AIX

User Privilege

How to assign superuser privilege to an ordinary user temporarily (1 Reply)
Discussion started by: udtyuvaraj
1 Replies

8. AIX

sudo - User privilege specification

I am planning to implement sudo for users. Under , it looks I have to put the users who need to have sudo access: What are the recommended for users? I don't think I need to give the ALL privilege (i.e ) to AIX users. I'd like to know the commonly used privilege specification for sudo... (9 Replies)
Discussion started by: Daniel Gate
9 Replies

9. Shell Programming and Scripting

Create user with different privilege

Hi , I want to create 3 different user with below privilege in Solaris and Linux. 1) Read Only 2)Read and Write Only 3) Admin user Can you guys help me on this . (3 Replies)
Discussion started by: Naveen Pathak
3 Replies

LEARN ABOUT CENTOS

passwd

PASSWD(5)						     Linux Programmer's Manual							 PASSWD(5)

NAME

       passwd - password file

DESCRIPTION

       The  /etc/passwd  file  is  a  text file that describes user login accounts for the system.  It should have read permission allowed for all
       users (many utilities, like ls(1) use it to map user IDs to usernames), but write access only for the superuser.

       In the good old days there was no great problem with this general read permission.  Everybody could read the encrypted passwords,  but  the
       hardware  was  too  slow  to  crack a well-chosen password, and moreover the basic assumption used to be that of a friendly user-community.
       These days many people run some version of the shadow password suite, where /etc/passwd has an 'x' character in the password field, and the
       encrypted passwords are in /etc/shadow, which is readable by the superuser only.

       If  the	encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a pass-
       word.  Note that this functionality may be intentionally disabled in applications, or configurable  (for  example  using  the  "nullok"	or
       "nonull" arguments to pam_unix.so).

       If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record should be obtained from an NIS+ server.

       Regardless  of  whether	shadow	passwords are used, many system administrators use an asterisk (*) in the encrypted password field to make
       sure that this user can not authenticate him- or herself using a password.  (But see NOTES below.)

       If you create a new login, first put an asterisk (*) in the password field, then use passwd(1) to set it.

       Each line of the file describes a single user, and contains seven colon-separated fields:

	      name:password:UID:GID:GECOS:directory:shell

       The field are as follows:

       name	   This is the user's login name.  It should not contain capital letters.

       password    This is either the encrypted user password, an asterisk (*), or the letter 'x'.  (See pwconv(8) for an explanation of 'x'.)

       UID	   The privileged root login account (superuser) has the user ID 0.

       GID	   This is the numeric primary group ID for this user.	(Additional groups for the user are defined in the system group file;  see
		   group(5)).

       GECOS	   This  field	(sometimes called the "comment field") is optional and used only for informational purposes.  Usually, it contains
		   the full username.  Some programs (for example, finger(1)) display information from this field.

		   GECOS stands for "General Electric Comprehensive Operating System", which was renamed to GCOS when GE's large systems  division
		   was	sold to Honeywell.  Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine.  The
		   gcos field in the password file was a place to stash the information for the $IDENTcard.  Not elegant."

       directory   This is the user's home directory: the initial directory where the user is placed after logging in.	The value in this field is
		   used to set the HOME environment variable.

       shell	   This  is  the  program to run at login (if empty, use /bin/sh).  If set to a nonexistent executable, the user will be unable to
		   login through login(1).  The value in this field is used to set the SHELL environment variable.

FILES

       /etc/passwd

NOTES

       If you want to create user groups, there must be an entry in /etc/group, or no group will exist.

       If the encrypted password is set to an asterisk (*), the user will be unable to login using login(1), but may still login using	rlogin(1),
       run  existing  processes  and  initiate new ones through rsh(1), cron(8), at(1), or mail filters, etc.  Trying to lock an account by simply
       changing the shell field yields the same result and additionally allows the use of su(1).

SEE ALSO

       login(1), passwd(1), su(1), getpwent(3), getpwnam(3), crypt(3), group(5), shadow(5)

COLOPHON

       This page is part of release 3.53 of the Linux man-pages project.  A description of the project, and information about reporting bugs,  can
       be found at http://www.kernel.org/doc/man-pages/.

Linux								    2012-05-03								 PASSWD(5)
All times are GMT -4. The time now is 07:07 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy