Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power

  • 1.  Making YUM AIX RBAC aware ?

    Posted Fri April 02, 2021 01:37 AM

    Hello All,

    One small question, we use YUM on AIX to keep our open source tools up to date.

    I would like to make YUM AIX RBAC aware, but I can't, because YUM checks whether the user's UID=0 (root). So we have to use sudo to overcome this issue.

    Now my question: who maintains the YUM tool for AIX?

    I would like to ask the maintainer to put in a flag that does not check whether the UID=0. Without this check I can start making YUM RBAC aware, and once I am done, a user can switch to the right role to run YUM.

    Security audit requirements like traceability we can achieve with RBAC, and not with sudo.

    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer
    De Volksbank
    Den Bosch
    +31 (0) 6 53 27 15 71
    ------------------------------

    #AIXOpenSource


  • 2.  RE: Making YUM AIX RBAC aware ?

    Posted Wed April 28, 2021 07:26 AM
    Hi Christian,

    Sorry for the delay.

    To run YUM under RBAC we need to find out the set of privileges required for non-root users and assign the role.
    We collected the list of YUM commands which run transactions, like
    install, erase, update, clean, distribution-synchronization, history, reinstall, shell (commands like install, erase etc.), upgrade

    The below set of commands seems to make YUM work under RBAC.

    mkauth yumauth1
    setsecattr -c accessauths=yumauth1 innateprivs=PV_DAC_R,PV_DAC_X,PV_PROC_SIG,PV_NET_PORT,PV_DAC_W,PV_DAC_O,PV_NET_CNTL,PV_FS_CHOWN,PV_AU_PROC,PV_KER_CONF,PV_AU_ADD,PV_AZ_ROOT secflags=FSF_EPS euid=0 /opt/freeware/bin/yum
    mkrole authorizations=yumauth1 yumrole1
    mkuser yumuser1
    chuser roles=yumrole1 default_roles=yumrole1 yumuser1
    setkst


    su - yumuser1
    /opt/freeware/bin/yum <yum command>


    The one issue with this is that when an unprivileged user uses yum,
    the error message is not descriptive at all about why it failed.

    For example...

    Transaction Test Succeeded
    Running Transaction
    grep-3.3-1.ppc was supposed to be installed but is not!


    Here is the sample output
    -----------------------------

    Without RBAC:

    # su - yumuser1
    $ yum install grep
    You need to be root to perform this command.
    $

    With RBAC:

    # su - yumuser1
    $ /opt/freeware/bin/yum install grep
    AIX_Toolbox | 2.6 kB 00:00:00
    AIX_Toolbox_beta | 2.5 kB 00:00:00
    AIX_Toolbox_noarch | 2.5 kB 00:00:00
    Setting up Install Process
    Package grep-3.4-1.ppc already installed and latest version
    Nothing to do

    $ /opt/freeware/bin/yum erase grep
    Setting up Remove Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package grep.ppc 0:3.4-1 will be erased
    --> Finished Dependency Resolution

    Dependencies Resolved

    ============================================================================================================================================================================================================================
    Package Arch Version Repository Size
    ============================================================================================================================================================================================================================
    Removing:
    grep ppc 3.4-1 @AIX_Toolbox 1.2 M

    Transaction Summary
    ============================================================================================================================================================================================================================
    Remove 1 Package

    Installed size: 1.2 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running Transaction Check
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Erasing : grep-3.4-1.ppc 1/1

    Removed:
    grep.ppc 0:3.4-1

    Complete!
    $ /opt/freeware/bin/yum install grep
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package grep.ppc 0:3.4-1 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ============================================================================================================================================================================================================================
    Package Arch Version Repository Size
    ============================================================================================================================================================================================================================
    Installing:
    grep ppc 3.4-1 AIX_Toolbox 496 k

    Transaction Summary
    ============================================================================================================================================================================================================================
    Install 1 Package

    Total download size: 496 k
    Installed size: 496 k
    Is this ok [y/N]: y
    Downloading Packages:
    grep-3.4-1.aix6.1.ppc.rpm | 496 kB 00:00:00
    Running Transaction Check
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing : grep-3.4-1.ppc 1/1

    Installed:
    grep.ppc 0:3.4-1

    Complete!

    ------------------------------
    SANGAMESH
    ------------------------------
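    The attribute set above works because it grants the command euid=0 and PV_AZ_ROOT, so anyone holding yumrole1 is effectively root for that one binary; the script below, added here and not part of the thread, audits a command's RBAC entry against that working set so a drifted or over-broad entry is caught. It assumes `lssecattr -c ALL <cmd>` prints a single line of `cmd attr=value ...` pairs; the two SAMPLE_* lines are constructed in that shape so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a command's RBAC attributes against
# the set SANGAMESH reports as working for /opt/freeware/bin/yum.
# Assumption: `lssecattr -c ALL <cmd>` prints one line "cmd attr=value attr=value ...";
# the two SAMPLE_* lines below are constructed in that shape so the check runs offline.

REQUIRED_PRIVS="PV_DAC_R PV_DAC_X PV_PROC_SIG PV_NET_PORT PV_DAC_W PV_DAC_O PV_NET_CNTL PV_FS_CHOWN PV_AU_PROC PV_KER_CONF PV_AU_ADD PV_AZ_ROOT"

# Constructed samples: the working entry, and one that lacks PV_AZ_ROOT and euid=0.
SAMPLE_OK='/opt/freeware/bin/yum accessauths=yumauth1 innateprivs=PV_DAC_R,PV_DAC_X,PV_PROC_SIG,PV_NET_PORT,PV_DAC_W,PV_DAC_O,PV_NET_CNTL,PV_FS_CHOWN,PV_AU_PROC,PV_KER_CONF,PV_AU_ADD,PV_AZ_ROOT secflags=FSF_EPS euid=0'
SAMPLE_BAD='/opt/freeware/bin/yum accessauths=yumauth1 innateprivs=PV_DAC_R,PV_DAC_X,PV_PROC_SIG,PV_NET_PORT,PV_DAC_W,PV_DAC_O,PV_NET_CNTL,PV_FS_CHOWN,PV_AU_PROC,PV_KER_CONF,PV_AU_ADD secflags=FSF_EPS'

# attr_value LINE NAME: print the value of NAME=... found in LINE (empty if absent).
attr_value() {
    for pair in $1; do
        case "$pair" in
            "$2"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# missing_privs LINE: print the required privileges absent from innateprivs.
missing_privs() {
    have=",$(attr_value "$1" innateprivs),"
    out=""
    for p in $REQUIRED_PRIVS; do
        case "$have" in
            *",$p,"*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# audit_cmd LINE: return 0 if the entry matches the working set, 1 otherwise (reasons on stdout).
audit_cmd() {
    rc=0
    m=$(missing_privs "$1")
    [ -z "$m" ] || { echo "missing innateprivs: $m"; rc=1; }
    # yum's own UID check only passes when the command carries euid=0
    [ "$(attr_value "$1" euid)" = 0 ] || { echo "euid=0 not set"; rc=1; }
    [ "$(attr_value "$1" secflags)" = FSF_EPS ] || { echo "secflags is not FSF_EPS"; rc=1; }
    [ -n "$(attr_value "$1" accessauths)" ] || { echo "accessauths missing: no authorization gates the privileges"; rc=1; }
    return $rc
}

# On AIX, feed the live entry instead: audit_cmd "$(lssecattr -c ALL /opt/freeware/bin/yum)"
audit_cmd "$SAMPLE_BAD" || echo "SAMPLE_BAD does not match the working set"
```

Pair it with `lsrole -f yumrole1` and `lsuser -a roles ALL` to review who can actually assume the role, since that membership is the real privilege boundary here.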



  • 3.  RE: Making YUM AIX RBAC aware ?

    Posted Wed April 28, 2021 10:38 AM
    Hello SANGAMESH,

    Thank you very much for helping me with this. I did almost exactly the same but did not get it working.
    By reading your authorisations more carefully I see now I missed this one: euid=0. I will test this again upcoming Friday.
    I will let you know the outcome.

    Thanks for your reply I appreciate this!

    Greetings Christian Sonnemans.

    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer
    De Volksbank
    ------------------------------



  • 4.  RE: Making YUM AIX RBAC aware ?

    Posted Fri April 30, 2021 05:10 AM
    Hello SANGAMESH,
    Tried it again but cannot get it working. I store the authorization on LDAP and also the role, see script below.
    When I switch to the yumrole I now get the following error message, for every command I use with yum:

    swrole yumrole

    password:

    yum repolist

    ImportError: No module named site


    The script that I use to create everything stored on LDAP I have uploaded in a text file now. Maybe it's possible for you to tell me what I do wrong?

    Greetings Christian Sonnemans.

    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer
    De Volksbank
    ------------------------------

    Attachment: yum-rbac-ldap.txt (1 KB)


  • 5.  RE: Making YUM AIX RBAC aware ?

    Posted Fri May 07, 2021 01:11 PM
    Hi Christian,
    Please try the below steps and let me know if you are able to resolve things. This is basically because python is trying to get site.py and is not able to find it.
    When you log in as root, or in /etc/environments,
    please add the following to the beginning of the PATH environment variable.
    For example:
    PATH=/opt/freeware/bin:/opt/freeware/lib/python2.7:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java8_64/jre/bin:/usr/java8_64/bin


    NOTE: /opt/freeware/bin:/opt/freeware/lib/python2.7: needs to be added at the beginning of the PATH variable because of the search order.


    ------------------------------
    AJAY KINI
    ------------------------------