RBAC: No Turning Back: Remove the group security!
Written by Michael Felt   

No Turning Back: "Remove" Security Group

When I first started this series I said my next article would show what happens when you remove the standard "rwx" group permissions for a group. I was expecting to remove all the permissions for both AIX groups, system and security. After researching what might go wrong, I decided that working with only the security group would be easier to understand.

Why not both groups? In short, understanding even one group can be difficult if you are not used to evaluating DAC permission bits. And it turns out the group security has only 5 SGID programs - which makes it "possible" to explain what breaks and why.

On your test server - preferably a fresh install with only rootvg present - run the following commands:

# lspv
hdisk0 00c39b8d9375b375 rootvg active
# find / -group security -exec chmod g-rwx {} \;
0481-014 chmod: not all requested changes were made to /proc/3080378/object/a.out
0481-014 chmod: not all requested changes were made to /proc/3080378/object/jfs2.10.5.169723

nosecurity.png

# ls -ld /etc/security
drwx------ 11 root security 4096 May 28 07:12 /etc/security

Still as root, make a new user (e.g., michael) and log in. Normal commands work fine, because a regular user is not in the group security and so is not affected by files and directories that depend on group-security permissions. The commands that will fail are those that put someone into the group security (the SGID programs listed below), because they expect files to be readable via group permissions.

# find / -group security -perm -2000 -ls
102 32 -r-x--Sr-x 1 root security 31948 Feb 1 2011 /usr/bin/chfn
105 64 -r-x--Sr-x 1 root security 65440 Feb 1 2011 /usr/bin/chgrpmem
129 34 -r-x--Sr-x 1 root security 34334 Feb 1 2011 /usr/bin/chsh
693 26 -r-x--Sr-x 1 root security 26298 Feb 1 2011 /usr/bin/smitacl
169849 68 -r-x--Sr-x 1 root security 68830 Feb 1 2011 /usr/sbin/lsgroup


AIX Version 6
Copyright IBM Corporation, 1982, 2010.
login: michael
michael's Password:

Normal commands work fine:

$ tail -3 /etc/passwd
esaadmin:*:10:0::/var/esa:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
michael:!:203:1::/home/michael:/usr/bin/ksh
$ grep staff /etc/group
staff:!:1:ipsec,esaadmin,sshd,michael

But commands relying on security group membership fail - this one because it cannot read files in the directory /etc/security.

$ lsgroup staff
3004-686 Group "staff" does not exist.

In short, regular users are mostly unaffected - but some commands will need RBAC adjustments and/or role assignments before they work as expected.

More to come!

 
< Prev   Next >