Getting Back to RBAC

April 11, 2017

Five years ago I was writing a lot more about RBAC—and I had a theme to "test" RBAC.

I called the theme "Never look back" and I installed a few sandbox systems and ran a few "crazy" commands to see where things broke.

Crazy command #1: find /usr -perm -4000 -exec chmod u-s {} \;
Crazy command #2: find /usr -type f -perm -2000 -exec chmod g-s {} \;

And I used (and generally still use) umask 077.

The goal of the crazy commands was to remove any and all privilege escalation via the SUID/SGID mechanism of UNIX (and Linux) and replace that with RBAC mechanisms for privilege escalation. Things broke. And yes, I could have used fpm (file permission manager)—but using fpm would mean I was "looking back" because fpm would restore "things".
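Since the whole point of the experiment was to see what broke, a practitioner repeating it would want to know exactly which files lost which bit so the change can be reversed without falling back on fpm. The script below is an added example, not the post's own commands or anything from AIX: it records every SUID/SGID bit under a directory in a simple "u+s path" / "g+s path" file of my own format, strips the bits from that list, and can restore them from the same list. It assumes a POSIX sh and a find(1) that accepts -perm -4000 / -perm -2000; the demo tree it builds is constructed in a temp directory so it runs as an unprivileged user.

```sh
#!/bin/sh
# Added example (not the original post's code): inventory SUID/SGID bits
# before stripping them, so the experiment is reversible.
# Inventory line format (my own convention): "<u+s|g+s> <path>".
# Assumes POSIX sh and a find(1) accepting -perm -4000 / -perm -2000.

# inventory_suid_sgid DIR OUTFILE
# Write one line per privilege bit per regular file; print the line count.
inventory_suid_sgid() {
    _dir=$1; _out=$2
    : > "$_out"
    # Two passes: a 6755 file yields a u+s line and a g+s line.
    find "$_dir" -type f -perm -4000 -print 2>/dev/null | sed 's/^/u+s /' >> "$_out"
    find "$_dir" -type f -perm -2000 -print 2>/dev/null | sed 's/^/g+s /' >> "$_out"
    wc -l < "$_out" | tr -d ' '
}

# apply_inventory INVENTORY ACTION    (ACTION is "strip" or "restore")
# strip turns each recorded "u+s"/"g+s" into "u-s"/"g-s"; restore reapplies it.
apply_inventory() {
    _inv=$1; _action=$2
    while IFS=' ' read -r _mode _path; do
        [ -f "$_path" ] || continue          # skip files removed since the inventory
        case $_action in
            strip)   chmod "${_mode%%+*}-s" "$_path" ;;   # u+s -> u-s, g+s -> g-s
            restore) chmod "$_mode" "$_path" ;;
            *)       echo "unknown action: $_action" >&2; return 2 ;;
        esac
    done < "$_inv"
}

# count_suid_sgid DIR: regular files under DIR still carrying either bit.
count_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | wc -l | tr -d ' '
}

# demo: build a constructed scratch tree, inventory it, strip, restore.
# Prints "<inventory lines> <bits after strip> <bits after restore>".
demo() {
    _t=$(mktemp -d) || return 1
    : > "$_t/setuid_tool"; chmod 4755 "$_t/setuid_tool"   # constructed sample
    : > "$_t/setgid_tool"; chmod 2755 "$_t/setgid_tool"   # constructed sample
    : > "$_t/plain_tool";  chmod 0755 "$_t/plain_tool"    # no privilege bits
    _n=$(inventory_suid_sgid "$_t" "$_t/inventory.txt")
    apply_inventory "$_t/inventory.txt" strip
    _after_strip=$(count_suid_sgid "$_t")
    apply_inventory "$_t/inventory.txt" restore
    _after_restore=$(count_suid_sgid "$_t")
    rm -rf "$_t"
    echo "$_n $_after_strip $_after_restore"
}

# Run the demo when executed directly, e.g.  sh ./suid_inventory.sh
[ "${0##*/}" = "suid_inventory.sh" ] && demo
```

Run against /usr as root with inventory_suid_sgid /usr /root/suid.inv, then apply_inventory /root/suid.inv strip; when something breaks, apply_inventory /root/suid.inv restore puts back only the bits you removed, which is a narrower and more auditable step than fpm's level-based restore. Keep the inventory file off the system you are hardening, since it is also a list of every privileged binary on the box.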

So yes, things broke—and I learned a lot, including that a) it can be done: you can have a system where no application needs suid/sgid settings to get privilege escalation when it is needed, and b) I never really shared my experiences.

So, the point of this blog is that I am prepared to go back, refresh my memory, and share more of my experiences when I am convinced there is an interested audience.

If you are thinking about ways to improve AIX security by replacing sudo with RBAC (or not even starting with sudo), or any other reason that indicates a real interest in learning more about how to customize RBAC for AIX, leave a comment here, tweet at @ROOTvgNET, or post on http://forums.rootvg.net. (I still see comments on the forums first because it is my homepage).
