rbac and execution attributes (uid and euid)
# 1  
Old 11-21-2010

Hi all,

I have a question to see if I understand the euid and uid attributes correctly for rbac (/etc/security/exec_attr):

Code:
All:
*
Audit Control:
/etc/init.d/audit euid=0, egid=3
/etc/security/bsmconv uid=0
/etc/security/bsmunconv uid=0
/usr/sbin/audit euid=0
/usr/sbin/auditconfig euid=0
/usr/sbin/auditd uid=0

If a role with a profile shell is running /usr/sbin/auditd, then what would the effective and real uid be?

As far as I understand they would be: uid=0 euid=0

Is this correct?
Or are there other factors that I should take into account?

Thanks in advance!
# 2  
Old 11-21-2010
Yes, you are right. This comes from exec_attr documentation (man pages section 4: File Formats - Sun Microsystems)
Code:
euid and uid contain a single user name or a numeric user ID. Commands designated with 
euid run with the effective UID indicated, which is similar to setting the setuid bit on 
an executable file. Commands designated with uid run with both the real and effective 
UIDs. Setting uid may be more appropriate than setting the euid on privileged shell scripts.

# 3  
Old 11-21-2010
Quote:
Originally Posted by bartus11
Yes, you are right. This comes from exec_attr documentation (man pages section 4: File Formats - Sun Microsystems)
Code:
euid and uid contain a single user name or a numeric user ID. Commands designated with 
euid run with the effective UID indicated, which is similar to setting the setuid bit on 
an executable file. Commands designated with uid run with both the real and effective 
UIDs. Setting uid may be more appropriate than setting the euid on privileged shell scripts.

Thanks for your quick reply.

So the All: * does not matter?

So this would have the same uid and euid when the program is executed?
Audit Control:
/etc/init.d/audit euid=0, egid=3
/etc/security/bsmconv uid=0
/etc/security/bsmunconv uid=0
/usr/sbin/audit euid=0
/usr/sbin/auditconfig euid=0
/usr/sbin/auditd uid=0
(both are output from profiles -l username)
# 4  
Old 11-21-2010
What do you mean by "All: * does not matter"? Also I don't understand your second question... If you are asking if executables listed in your post will all have the same uid and euid when being run, then no, they won't. In case of executables with a euid entry, the uid will be the same as the uid of the user who runs them, while the euid will be set to "0". Entries with a uid entry will have both uid and euid set to the value specified ("0" in this case), regardless of who is running the program.
# 5  
Old 11-21-2010
Sorry for not being clear enough.

In both cases it is about /usr/sbin/auditd and what uid and euid they will be running with.

The output I pasted is from the command:
profiles -l auser

In the first case there is:
All: *
in front of the other lines.

In the second case the All: * is not there.
I have seen these as examples and I don't understand why they say that, in the case of All: * being there, the euid and uid would be those of the logged-in role (so the role uid), and in the case of All: * not being there, the uid and euid would be 0.
# 6  
Old 11-22-2010
From what I recall, the "All: *" entry is used to indicate that any executables not listed in exec_attr will be run as if RBAC wasn't in use at all - of course the user has to have proper system rights to execute that file (proper ownership of the file, or setuid bit set).
# 7  
Old 11-22-2010
Quote:
Originally Posted by bartus11
From what I recall, the "All: *" entry is used to indicate that any executables not listed in exec_attr will be run as if RBAC wasn't in use at all - of course user has to have proper system rights to execute that file (proper ownership of the file, or setuid bit set).
So the All:* has no priority over what is coming after it?

Thanks for your time man!

Edit:
I found this:
Code:
Those sites that customize roles should closely check the order of the rights profiles that are assigned to the role. The system does not prevent someone from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile take precedence and all subsequent occurrences are ignored.

However I am not sure if this is when you configure this command in 2 different profiles assigned to a user or if this is when you configure this command 2 times for one profile.

Last edited by deadeyes; 11-22-2010 at 05:24 AM.
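The following is an added worked example, not code from the thread and not Solaris code: it parses exec_attr(4)-style entries and works out the real and effective IDs a profile shell would give a command, applying the two rules discussed above (euid sets only the effective UID, uid sets both) and the first-occurrence precedence rule quoted in the last post. The entries are constructed to mirror the "Audit Control" lines from the thread plus the stock "All" wildcard; the role's uid/gid, the name tables, and the assumption that a wildcard "*" entry wins whenever its profile is listed first are all mine, not something the thread establishes.

```python
"""Resolve the IDs a command gets under Solaris RBAC from exec_attr(4)-style
entries and the ordered profile list of a role.

Added, constructed example: not code from the thread or from Solaris.
The entries mirror the "Audit Control" lines quoted in the thread plus the
stock "All" wildcard entry; in the file the attr field separates key=value
pairs with ';' (profiles -l prints them comma-separated).
"""
from fnmatch import fnmatchcase

# Constructed exec_attr(4) sample.  Field layout:
#   name:policy:type:res1:res2:id:attr
# The second auditd line is a deliberate duplicate to show first-match wins.
EXEC_ATTR = """\
All:suser:cmd:::*:
Audit Control:suser:cmd:::/etc/init.d/audit:euid=0;egid=3
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
Audit Control:suser:cmd:::/usr/sbin/auditconfig:euid=0
Audit Control:suser:cmd:::/usr/sbin/auditd:uid=0
Audit Control:suser:cmd:::/usr/sbin/auditd:uid=60001
"""

# Hypothetical name tables so "uid=root" style values resolve too
# (assumption: a real system would consult the passwd/group databases).
USER_IDS = {"root": 0, "nobody": 60001}
GROUP_IDS = {"root": 0, "sys": 3}


def parse_exec_attr(text):
    """Return a list of (profile, type, id_pattern, attrs) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed exec_attr line: %r" % line)
        name, _policy, typ, _res1, _res2, cmd, attr = fields
        attrs = {}
        for kv in attr.split(";"):
            if kv:
                key, _, value = kv.partition("=")
                attrs[key] = value
        entries.append((name, typ, cmd, attrs))
    return entries


def _to_id(value, table):
    """Numeric ID as given, or a name looked up in the constructed table."""
    return int(value) if value.isdigit() else table[value]


def resolve(entries, profiles, cmd, caller_uid, caller_gid):
    """IDs a profile shell would run `cmd` with for a role whose profiles are
    assigned in `profiles` order, or None if no assigned profile lists it.

    Assumption: profiles are searched in assignment order and the first entry
    whose id field matches wins, a wildcard '*' entry (the All profile)
    included; this is the precedence rule quoted in the last post above.
    """
    for prof in profiles:
        for name, typ, pattern, attrs in entries:
            if name != prof or typ != "cmd" or not fnmatchcase(cmd, pattern):
                continue
            ids = {"uid": caller_uid, "euid": caller_uid,
                   "gid": caller_gid, "egid": caller_gid, "profile": prof}
            if "uid" in attrs:            # real AND effective, per exec_attr(4)
                ids["uid"] = ids["euid"] = _to_id(attrs["uid"], USER_IDS)
            if "euid" in attrs:           # effective only, like the setuid bit
                ids["euid"] = _to_id(attrs["euid"], USER_IDS)
            if "gid" in attrs:
                ids["gid"] = ids["egid"] = _to_id(attrs["gid"], GROUP_IDS)
            if "egid" in attrs:
                ids["egid"] = _to_id(attrs["egid"], GROUP_IDS)
            return ids
    return None


if __name__ == "__main__":
    entries = parse_exec_attr(EXEC_ATTR)
    role_uid, role_gid = 100, 10        # constructed IDs for the role
    for profs in (["Audit Control", "All"], ["All", "Audit Control"]):
        for cmd in ("/usr/sbin/auditd", "/usr/sbin/audit", "/usr/bin/ls"):
            print(profs, cmd, resolve(entries, profs, cmd, role_uid, role_gid))
```

Running it shows the two outcomes the thread is arguing about: with the profiles ordered "Audit Control" then "All", /usr/sbin/auditd gets uid=0 euid=0 and /usr/sbin/audit gets uid=100 euid=0; with "All" listed first, its "*" entry matches first and auditd runs as the role's own uid=100 euid=100, which is why the order of the profiles assigned to the role matters. The duplicate auditd line with uid=60001 is never reached, matching the first-occurrence rule.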