Unable to set ACLs on sulog - need to grant read permission to a normal user on AIX 6.1


 
# 1  
Old 10-30-2019
Unable to set ACLs on sulog - need to grant read permission to a normal user on AIX 6.1

Hi,

I need to grant read permission to a normal user on sulog file on AIX 6.1.

As root I ran acledit on sulog, and aclget shows "extended permissions" as "enabled" with the normal user "splunk" having read permission. When I try to access sulog as the splunk user it is not allowed, and aclget run as the splunk user shows "extended permissions" as "disabled". Please advise, thanks!!

Code:
splunk@TESTAIX61(/var/adm)#  uname -a
AIX TESTAIX61 1 6 00CACC954C00
splunk@TESTAIX61(/var/adm)#  oslevel -s
6100-09-12-1838
splunk@TESTAIX61(/var/adm)#
root@TESTAIX61(/var/adm)#  acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)#   aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r-x     u:splunk
root@TESTAIX61(/var/adm)#  su - splunk
splunk@TESTAIX61(/home/splunk)#  tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)#  id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)#  cd /var/adm
splunk@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r-x     u:splunk
splunk@TESTAIX61(/var/adm)#

# 2  
Old 10-30-2019
Perhaps /var is not mounted "ACL compliant"? I tried to remount /var with the "acl" option; it throws "Invalid mount option".
# 3  
Old 11-03-2019
Have you tried giving splunk just read and not execute permission?
# 4  
Old 11-03-2019
Thanks zxmaus for your reply. I think I tried that as well in my first attempt. However, I tried it again, but no luck. It's almost shocking that there is no working/proven documentation anywhere about AIX ACLs.

Code:
root@TESTAIX61(/var/adm)#  EDITOR=/usr/bin/vi; export EDITOR
root@TESTAIX61(/var/adm)#  acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)#  id splunk
uid=228(splunk) gid=206(splunk) groups=1(staff)
root@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk
    permit   r--     g:splunk
root@TESTAIX61(/var/adm)#  su - splunk
splunk@TESTAIX61(/home/splunk)#  pwd
/home/splunk
splunk@TESTAIX61(/home/splunk)# id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)# tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)# aclget /var/adm/sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r--     u:splunk
    permit   r--     g:splunk
splunk@TESTAIX61(/home/splunk)#

# 5  
Old 11-03-2019
Do you have RBAC enabled?
Try putting the user and group on the same line:
Code:
permit    r--  u:splunk, g:splunk

# 6  
Old 11-03-2019
Thanks again zxmaus. Still no luck.

Yes, RBAC is enabled on our AIX machines. I noticed that once I enable the ACLs, aclget shows them enabled, and the moment I log in as the splunk user, the extended permissions immediately get disabled. Please see below, where I continuously monitored the ACL permissions in one PuTTY session and logged in as the splunk user in another PuTTY session, which immediately disabled the ACLs. (I trimmed most of the "enabled" part of the screen log.)

Surprisingly, if I am already logged in as the splunk user before running acledit, then the splunk user is able to read the sulog file, but not after I log in as splunk in another PuTTY session.

It looks like one of the user login profiles is doing this change? Is this normal in an RBAC environment? I pasted .profile and /etc/profile at the end.

Please advise, thanks again for your patience.

Code:
root@TESTAIX61(/)#  oslevel -s
6100-09-12-1838
root@TESTAIX61(/)#
root@TESTAIX61(/)#  lsattr -El sys0 -a enhanced_RBAC
enhanced_RBAC true Enhanced RBAC Mode True
root@TESTAIX61(/)#
root@TESTAIX61(/)#  acledit /var/adm/sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/)#  while true; do
> date ; sleep 3
> aclget /var/adm/sulog
> done
Mon Nov  4 03:10:15 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:10:18 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:11:50 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:11:53 GMT 2019
^C
root@TESTAIX61(/)#

Code:
splunk@TESTAIX61(/home/splunk)#  cat .profile


PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.

export PATH

if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.
splunk@TESTAIX61(/home/splunk)#  cat /etc/profile

trap "" 1 2 3
readonly LOGNAME

MAIL=/usr/spool/mail/$LOGNAME
MAILMSG="[YOU HAVE NEW MAIL]"

TERM_DEFAULT=lft
TERM=`termdef`
TERM=${TERM:-$TERM_DEFAULT}

if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
then
        unset LC_MESSAGES
fi

export LOGNAME MAIL MAILMSG TERM

PS1="$(whoami)@$(hostname|cut -d'.' -f1)(\$PWD)# "
export PS1

trap 1 2 3
set -o vi
export HISTCONTROL=ignorespace
stty erase ^?
splunk@TESTAIX61(/home/splunk)#  pwd
/home/splunk
splunk@TESTAIX61(/home/splunk)#


Last edited by prvnrk; 11-03-2019 at 11:41 PM..
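The thread's aclget listings in posts #1, #4 and #6 are only compared by eye, and zxmaus's one-line entry in post #5 raises the question of what "u:splunk, g:splunk" actually requires. The script below is an added example, not code from the thread: it parses the AIXC text that aclget prints, reports the extended-permissions state, checks whether a permit entry covers a given user and group list (AIXC treats all identities in one entry as having to match together, so u:splunk,g:splunk needs the splunk user to also be in group splunk), and flags the enabled-to-disabled flip the poster watched for. The sample ACLs are constructed from the outputs posted above; only acl_watch calls aclget and therefore only runs on AIX.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the AIXC text that aclget
# prints and answers two questions the posts keep asking: are extended
# permissions enabled, and does a permit entry actually cover the splunk
# user? The sample ACLs are constructed from the outputs posted above.
# acl_watch (at the end) is the only part that calls aclget and so only
# runs on AIX; everything else is plain sh + awk.

ACL_ENABLED='*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk, g:splunk'

# Same ACL after the flip the original poster observed.
ACL_DISABLED=$(printf '%s\n' "$ACL_ENABLED" | sed 's/^    enabled$/    disabled/')

# Print "enabled" or "disabled" for the extended-permissions section on stdin.
acl_ext_state() {
    awk '/^extended permissions/ { inext = 1; next }
         inext && ($1 == "enabled" || $1 == "disabled") { print $1; exit }'
}

# Print each extended entry on stdin as "keyword mode ids". The id list is
# re-joined without spaces so "u:splunk, g:splunk" and "u:splunk,g:splunk"
# (both spellings appear in the thread) come out identical.
acl_ext_entries() {
    awk '/^extended permissions/ { inext = 1; next }
         inext && ($1 == "permit" || $1 == "deny" || $1 == "specify") {
             ids = ""; for (i = 3; i <= NF; i++) ids = ids $i
             print $1, $2, ids }'
}

# Return 0 when every id in a comma-separated list (u:name / g:name) matches
# the user and the space-separated group list. AIXC evaluates the ids of one
# entry as a conjunction, so u:splunk,g:splunk needs both to hold.
acl_ids_match() {
    user=$1 grps=$2 idlist=$3
    for id in $(printf '%s\n' "$idlist" | tr ',' ' '); do
        case $id in
            u:*) [ "${id#u:}" = "$user" ] || return 1 ;;
            g:*) found=0
                 for g in $grps; do
                     if [ "$g" = "${id#g:}" ]; then found=1; fi
                 done
                 [ "$found" = 1 ] || return 1 ;;
            *)   return 1 ;;
        esac
    done
    return 0
}

# Print "yes" if the ACL on stdin has extended permissions enabled and holds a
# permit entry with read that matches the user/groups, else "no". Base
# permissions are not evaluated here (they are rw-/---/--- in the thread, so
# they grant the splunk user nothing).
acl_ext_read() {
    acl=$(cat)
    if [ "$(printf '%s\n' "$acl" | acl_ext_state)" != enabled ]; then
        echo no
        return 0
    fi
    hit=$(printf '%s\n' "$acl" | acl_ext_entries | while read kw mode ids; do
        [ "$kw" = permit ] || continue
        case $mode in r*) ;; *) continue ;; esac
        if acl_ids_match "$1" "$2" "$ids"; then echo yes; fi
    done)
    if [ -n "$hit" ]; then echo yes; else echo no; fi
}

# Compare two aclget outputs; return 1 (and say so) when the state flipped.
acl_drift() {
    before=$(printf '%s\n' "$1" | acl_ext_state)
    after=$(printf '%s\n' "$2" | acl_ext_state)
    if [ "$before" != "$after" ]; then
        echo "extended permissions changed: $before -> $after"
        return 1
    fi
    return 0
}

# The thread's polling loop, reporting only on change (AIX only: uses aclget).
acl_watch() {
    prev=$(aclget "$1")
    while sleep "${2:-3}"; do
        cur=$(aclget "$1")
        acl_drift "$prev" "$cur" || date
        prev=$cur
    done
}

printf '%s\n' "$ACL_ENABLED"  | acl_ext_read splunk "splunk staff"   # yes
printf '%s\n' "$ACL_ENABLED"  | acl_ext_read splunk staff            # no: not in g:splunk
printf '%s\n' "$ACL_DISABLED" | acl_ext_read splunk "splunk staff"   # no: extended disabled
```

On the AIX box, `acl_watch /var/adm/sulog 3` replaces the hand-run `while true` loop from post #6 and prints a timestamp only at the moment the extended permissions change, which narrows down which login step is responsible.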
# 7  
Old 11-04-2019
I have never worked with RBAC, so this is all just guessing, but I think that is your issue here. Can you find out if the root user is actually allowed in RBAC to set ACLs? If he is not, add that permission.
I am wondering as well whether it would not be easier to just somehow allow splunk via RBAC to read these files?