  • 1.  Running the diag command by a normal user.

    Posted Mon January 10, 2022 07:17 AM

    How can a normal user run the diag command on AIX 7.1?
    Which roles should it have to run this command?


    Sajad Asadi

  • 2.  RE: Running the diag command by a normal user.

    Posted Mon January 10, 2022 07:47 AM
    Hi, this is from the diag man page:

    Access Control: Only the root user can run this command.
    Privilege Control: System group.

    So, I don't think it will run for other users, unless they're sudoers.


  • 3.  RE: Running the diag command by a normal user.

    Posted Thu January 13, 2022 11:14 AM
    If you look into enhanced RBAC, there is a sysop role which can run diagnostics.  Of course, it may grant more than you'd like.

    Dave Nordgren

  • 4.  RE: Running the diag command by a normal user.

    Posted Tue January 11, 2022 03:57 AM
    If enhanced RBAC is switched on (it is by default since AIX 6.1), the user needs the following authorization to run diag:

    #lssecattr -c /usr/sbin/diag

    This authorization is in roles SysConfig and sysop:
    #lsrole ALL | grep aix.system.config.diag
    SysConfig authorizations=aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.console,aix.system.config.diag,aix.system.config.dlpar,aix.system.config.inittab,aix.system.config.kext,aix.system.config.mode,aix.system.config.perf,aix.system.config.rset,aix.system.config.uname,aix.system.config.write,aix.system.stat,aix.wpar,aix.system.config.artex rolelist= groups= visibility=1 screens=* dfltmsg=System Configuration Administration msgnum=10 msgset=1 auth_mode=INVOKER id=10
    sysop authorizations=aix.system.boot,aix.system.config.diag,aix.system.stat,aix.device.monitor,aix.device.config.printer,aix.device.stat.printer,aix.proc.status rolelist= groups= visibility=1 screens=* dfltmsg=System Operator msgnum=17 msgset=1 auth_mode=INVOKER id=18

    So you can add one of the roles to your user:

    #chuser roles=sysop user1


    #chuser roles=sysop default_roles=sysop user1

    Check if enhanced RBAC is switched on:

    #lsattr -El sys0 -a enhanced_RBAC -F value


    Andrey Klyachkin
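The following script is an added example, not code posted in this thread. It puts the two answers above together: it finds which roles cover an authorization in `lsrole ALL` output, taking into account that AIX authorizations are hierarchical (a role holding aix.system or aix.system.config also grants aix.system.config.diag, which a plain grep for the exact string misses), and then grants diag through a dedicated role that carries only aix.system.config.diag, as a least-privilege alternative to sysop, which as noted above grants more than diag. The `lsrole` sample is constructed from the output above (the SysAdmin line is invented to show the parent-authorization case); the role name diagop and the user name user1 are assumptions. The AIX commands mkrole, chuser and setkst are only executed on AIX; elsewhere they are printed.

```sh
#!/bin/sh
# Added example, not code from the thread. Finds which AIX RBAC roles cover an
# authorization and grants diag through a dedicated, minimal role instead of
# sysop. Real AIX commands (mkrole, chuser, setkst) run only on AIX; the role
# name "diagop", the user "user1" and the "SysAdmin" role below are assumptions.

# Constructed sample of `lsrole ALL` output. The SysConfig and sysop lines are
# shortened from the thread; SysAdmin is invented to show a role that grants
# diag only through the parent authorization aix.system.
SAMPLE_LSROLE='SysConfig authorizations=aix.system.boot.create,aix.system.config.diag,aix.system.config.dlpar rolelist= groups= visibility=1 screens=* dfltmsg=System Configuration Administration msgnum=10 msgset=1 auth_mode=INVOKER id=10
sysop authorizations=aix.system.boot,aix.system.config.diag,aix.system.stat,aix.device.monitor rolelist= groups= visibility=1 screens=* dfltmsg=System Operator msgnum=17 msgset=1 auth_mode=INVOKER id=18
SysAdmin authorizations=aix.system,aix.security rolelist= groups= visibility=1 screens=* dfltmsg=Hypothetical admin role msgnum=1 msgset=1 auth_mode=INVOKER id=99
Backup authorizations=aix.fs.manage.backup rolelist= groups= visibility=1 screens=* dfltmsg=Backup Administration msgnum=2 msgset=1 auth_mode=INVOKER id=3'

# roles_covering AUTH   (lsrole output on stdin, one role per line)
# Prints "role:granting-authorization" for every role whose authorizations=
# field covers AUTH. AIX authorizations are hierarchical, so aix.system.config
# or aix.system also grants aix.system.config.diag; a plain grep for the exact
# string misses those roles. The dot-boundary check stops
# aix.system.config.diag from matching aix.system.config.diagnostics.
roles_covering() {
    awk -v want="$1" '
    {
        for (i = 2; i <= NF; i++) {
            if (index($i, "authorizations=") != 1) continue
            n = split(substr($i, 16), auths, ",")
            for (j = 1; j <= n; j++) {
                g = auths[j]
                if (g == "") continue          # tolerate ",," in the list
                if (g == want || index(want, g ".") == 1) {
                    print $1 ":" g
                    break
                }
            }
        }
    }'
}

on_aix() { [ "$(uname -s)" = "AIX" ]; }

# run CMD ARGS...  executes on AIX, otherwise only shows what would be run
run() {
    if on_aix; then "$@"; else echo "would run: $*"; fi
}

# grant_diag_role USER [ROLE]
# Least-privilege alternative to `chuser roles=sysop USER`: a role carrying only
# aix.system.config.diag, made a default role so it is active at login, then
# setkst to load the changed role/authorization tables into the kernel
# (without setkst the change is not enforced for new sessions).
grant_diag_role() {
    user="$1"; role="${2:-diagop}"
    if on_aix && [ "$(lsattr -El sys0 -a enhanced_RBAC -F value)" != "true" ]; then
        echo "enhanced RBAC is off; roles will not be enforced" >&2
        return 1
    fi
    run mkrole authorizations=aix.system.config.diag dfltmsg="Run diag only" "$role"
    run chuser roles="$role" default_roles="$role" "$user"
    run setkst
}

# Stand-alone use: list the sample roles covering diag; with a user name as
# argument, also create the role and assign it (for real only on AIX, as root).
printf '%s\n' "$SAMPLE_LSROLE" | roles_covering aix.system.config.diag
if [ $# -gt 0 ]; then
    grant_diag_role "$1"
fi
```

After `setkst`, the user has to log in again (default_roles are activated at login) or run `swrole diagop` in the current session; `rolelist -e` shows which roles are actually active before trying `diag`. Note that with any of these roles the diag binary itself still runs with the privileges recorded for it in the privileged command database, so the user is being trusted with diag's capabilities, not with root in general.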