AIX

  • 1.  Running the diag command by a normal user.

    Posted Mon January 10, 2022 07:17 AM
    Hi

    How can a normal user run the diag command on AIX 7.1?
    Which roles should it have to run this command?

    Thanks.


    ------------------------------
    Sajad Asadi
    ------------------------------


  • 2.  RE: Running the diag command by a normal user.

    Posted Mon January 10, 2022 07:47 AM
    Hi, this is from the diag man page:

    Security
    Access Control: Only the root user can run this command.
    Privilege Control: System group.

    So, I don't think it will run for other users, unless they're sudoers.

    ------------------------------
    DARADICS CSABA
    ------------------------------



  • 3.  RE: Running the diag command by a normal user.

    Posted Thu January 13, 2022 11:14 AM
    If you look into enhanced RBAC, there is a sysop role which can run diagnostics.  Of course, it may grant more than you'd like.

    https://www.ibm.com/docs/en/aix/7.2?topic=roles-predefined

    ------------------------------
    Dave Nordgren
    ------------------------------



  • 4.  RE: Running the diag command by a normal user.

    Posted Tue January 11, 2022 03:57 AM
    If enhanced RBAC is switched on (it is by default since AIX 6.1), the user needs the following authorization to run diag:

    #lssecattr -c /usr/sbin/diag
    /usr/sbin/diag accessauths=aix.system.config.diag innateprivs=PV_AZ_ROOT,PV_DAC_R,PV_DAC_X,PV_KER_ACCT,PV_KER_RAC,PV_PROC_PRIV,PV_PROC_TIMER,PV_SU_UID inheritprivs=PV_AU_PROC,PV_AZ_CHECK,PV_AZ_ROOT,PV_DAC_O,PV_DAC_R,PV_DAC_W,PV_DAC_X,PV_DEV_CONFIG,PV_DEV_LOAD,PV_FS_CHOWN,PV_KER_ACCT,PV_KER_RAC,PV_KER_RAS,PV_NET_CNTL,PV_NET_PORT,PV_NET_RAWSOCK,PV_PROC_PRIO,PV_PROC_PRIV,PV_PROC_SIG,PV_TCB,PV_TP_SET,PV_SU_UID secflags=FSF_EPS

    This authorization is in roles SysConfig and sysop:
    #lsrole ALL | grep aix.system.config.diag
    SysConfig authorizations=aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.console,aix.system.config.date,aix.system.config.diag,aix.system.config.dlpar,aix.system.config.inittab,aix.system.config.io,aix.system.config.kext,aix.system.config.mode,aix.system.config.perf,aix.system.config.rset,aix.system.config.uname,aix.system.config.write,aix.system.stat,aix.wpar,aix.system.config.artex rolelist= groups= visibility=1 screens=* dfltmsg=System Configuration Administration msgcat=role_desc.cat msgnum=10 msgset=1 auth_mode=INVOKER id=10
    sysop authorizations=aix.system.boot,aix.system.config.diag,aix.system.stat,aix.device.monitor,aix.device.config.printer,aix.device.stat.printer,aix.proc.status rolelist= groups= visibility=1 screens=* dfltmsg=System Operator msgcat=role_desc.cat msgnum=17 msgset=1 auth_mode=INVOKER id=18

    So you can add one of the roles to your user:

    #chuser roles=sysop user1

    or:

    #chuser roles=sysop default_roles=sysop user1


    Check if enhanced RBAC is switched on:

    #lsattr -El sys0 -a enhanced_RBAC -F value
    true





    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
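An added helper, not part of Andrey's post, that works the same steps over the listings shown above: it reads the accessauths= value from lssecattr -c output, finds which roles in lsrole ALL output carry that authorization, and picks the role with the fewest authorizations as the least-privilege choice. The two listings are constructed from the thread's output (privilege lists shortened, plus one hypothetical role and authorization name that are not from the page); on a live AIX box you would feed in the real command output instead.

```shell
#!/bin/sh
# Added example: map a command's required authorization to the roles that grant it.
# Sample text is constructed from the thread; replace with real command output on AIX.

# Constructed sample of `lssecattr -c /usr/sbin/diag` (privilege lists shortened).
LSSECATTR_OUT='/usr/sbin/diag accessauths=aix.system.config.diag innateprivs=PV_AZ_ROOT,PV_DAC_R inheritprivs=PV_AU_PROC,PV_AZ_CHECK secflags=FSF_EPS'

# Constructed sample of `lsrole ALL`: the two roles from the thread plus a
# hypothetical role (example_fs / example.auth.other) that does not carry the authorization.
LSROLE_OUT='SysConfig authorizations=aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.console,aix.system.config.date,aix.system.config.diag,aix.system.config.dlpar,aix.system.config.inittab,aix.system.config.io,aix.system.config.kext,aix.system.config.mode,aix.system.config.perf,aix.system.config.rset,aix.system.config.uname,aix.system.config.write,aix.system.stat,aix.wpar,aix.system.config.artex rolelist= groups= visibility=1 screens=* dfltmsg=System Configuration Administration msgcat=role_desc.cat msgnum=10 msgset=1 auth_mode=INVOKER id=10
sysop authorizations=aix.system.boot,aix.system.config.diag,aix.system.stat,aix.device.monitor,aix.device.config.printer,aix.device.stat.printer,aix.proc.status rolelist= groups= visibility=1 screens=* dfltmsg=System Operator msgcat=role_desc.cat msgnum=17 msgset=1 auth_mode=INVOKER id=18
example_fs authorizations=example.auth.other rolelist= groups= visibility=1 screens=* dfltmsg=Hypothetical role id=99'

# Print the accessauths= value from an lssecattr -c line.
required_auths() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]accessauths=\([^[:space:]]*\).*/\1/p'
}

# Print, one per line, every role whose authorizations= list contains $2 exactly.
roles_granting() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { for (i = 2; i <= NF; i++) if (index($i, "authorizations=") == 1) {
              n = split(substr($i, 16), a, ",")
              for (j = 1; j <= n; j++) if (a[j] == want) { print $1; break }
          } }'
}

# Among the roles that grant $2, print the one with the fewest authorizations:
# the narrowest role is the least-privilege choice when several would work.
narrowest_role() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { for (i = 2; i <= NF; i++) if (index($i, "authorizations=") == 1) {
              n = split(substr($i, 16), a, ",")
              for (j = 1; j <= n; j++)
                  if (a[j] == want && (best == "" || n < bestn)) { best = $1; bestn = n }
          } }
        END { if (best != "") print best }'
}

auth=$(required_auths "$LSSECATTR_OUT")
echo "diag requires: $auth"
echo "roles granting it:"
roles_granting "$LSROLE_OUT" "$auth"
echo "narrowest match: $(narrowest_role "$LSROLE_OUT" "$auth")"
```

On the thread's data this reports sysop (7 authorizations) rather than SysConfig (17), which is the "may grant more than you'd like" point from reply 3 made concrete.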