Originally posted by: AntonioCarlos
Hi,
I've created an RBAC role to permit some users to kill processes.
Following is the configuration:
root@:/ - mkauth auth_teste
root@:/ - setsecattr -c accessauths=auth_teste innateprivs=PV_PROC_SIG /usr/bin/kill
root@:/ - mkrole authorizations=auth_teste role_test
root@:/ - setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
I have a user test with these parameters:
- lsuser test
test id=203 pgrp=staff groups=staff home=/home/test shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=files OR LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 fsize_hard=-1 roles=role_test
Trying to kill a process with user test, it doesn't work:
test@:/home/test $ id
uid=203(test) gid=1(staff)
test@:/home/test $ swrole role_test
test's Password:
test@:/home/test $ rolelist -ea
role_test auth_teste
test@:/home/test $ ps -ef|grep dd
userA 12583002 16580822 44 17:41:52 pts/2 0:01 dd if=/dev/zero of=/dev/null count=10000000
test 13828202 10551506 0 17:41:56 pts/1 0:00 grep dd
userA 16580822 20709518 65 17:41:52 pts/2 0:02 dd if=/dev/zero of=/dev/null count=10000000
test@:/home/test $ kill 12583002
kill: 12583002: Permission denied.
test@:/home/test $ kill 16580822
kill: 16580822: Permission denied.
Using tracepriv -e I did not identify any other privilege than PV_PROC_SIG.
I'm using AIX 7100-01-01-1141
#AIX-Forum
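As an added diagnostic (this is not code from the original post), a small POSIX sh script that checks the pieces a setup like the one above depends on: that the innateprivs list on the command entry carries PV_PROC_SIG, that the user's roles list includes role_test, and whether the shell's kill is a builtin. The last check matters because kill is a builtin in ksh, sh and bash: a bare "kill" never execs /usr/bin/kill, so privileges attached to that file with setsecattr are not involved in the call; invoking /usr/bin/kill by its full path is what exercises the file's attributes. The sample attribute strings are constructed to mirror the post's output, and the one-line "object key=value ..." form for lssecattr -c output is assumed.

```shell
#!/bin/sh
# Added diagnostic helpers; not from the original post. The sample strings
# below are constructed to mirror the post's lssecattr/lsuser output; replace
# them with real command output on the AIX host.

# Constructed sample: what "lssecattr -c /usr/bin/kill" is assumed to print
# after the setsecattr in the post (object name, then key=value attributes).
KILL_ATTRS='/usr/bin/kill accessauths=auth_teste innateprivs=PV_PROC_SIG'

# Constructed sample: a shortened "lsuser test" line with the relevant fields.
USER_ATTRS='test id=203 pgrp=staff groups=staff shell=/usr/bin/ksh SYSTEM=files OR LDAP roles=role_test'

# get_attr LINE KEY: print the value of KEY from a space-separated key=value
# line. Values containing spaces (e.g. "SYSTEM=files OR LDAP") are cut at the
# first space by this simple splitter; that is fine for the keys checked here
# (innateprivs, accessauths, roles, id).
get_attr() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# has_priv LINE PRIV: true if PRIV appears in the comma-separated innateprivs
# list of a command attribute line.
has_priv() {
    get_attr "$1" innateprivs | tr ',' '\n' | grep -qx "$2"
}

# has_role LINE ROLE: true if ROLE appears in the comma-separated roles list
# of a user attribute line.
has_role() {
    get_attr "$1" roles | tr ',' '\n' | grep -qx "$2"
}

# is_builtin NAME: true if NAME resolves to a shell builtin in the current
# shell. A builtin never execs the file under /usr/bin, so privileges attached
# to /usr/bin/kill with setsecattr are not in play when a user types a bare
# "kill" in ksh, sh or bash.
is_builtin() {
    type "$1" 2>/dev/null | grep -q 'builtin'
}

# rbac_kill_report CMD_LINE USER_LINE ROLE PRIV: print findings and return 0
# only when the privilege is attached, the role is assigned, and "kill" is
# not shadowed by a builtin in the shell running this script.
rbac_kill_report() {
    ok=0
    if has_priv "$1" "$4"; then
        echo "ok:   $4 is in innateprivs of ${1%% *}"
    else
        echo "FAIL: $4 missing from innateprivs of ${1%% *}"; ok=1
    fi
    if has_role "$2" "$3"; then
        echo "ok:   role $3 assigned to user ${2%% *}"
    else
        echo "FAIL: role $3 not assigned to user ${2%% *}"; ok=1
    fi
    if is_builtin kill; then
        echo "WARN: 'kill' is a builtin in this shell; run /usr/bin/kill by full path"; ok=1
    else
        echo "ok:   'kill' resolves to an external command"
    fi
    return "$ok"
}

# Run the report against the constructed samples.
if rbac_kill_report "$KILL_ATTRS" "$USER_ATTRS" role_test PV_PROC_SIG; then
    echo "setup looks complete"
else
    echo "setup needs attention (see findings above)"
fi
```

Run it with the shell the user actually logs in with (here /usr/bin/ksh) so the builtin check reflects that shell, and feed it the real lssecattr -c and lsuser output instead of the constructed samples.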