Originally posted by: Jack_
Hello there,
I've been told by IBM folks that I can use RBAC on AIX 6.1 to replace sudo.
I decided to give it a try and I found out that their statement is not true. At least on my environment.
Let me explain the reasons behind that:
I use a product called Quest Authentication Services (QAS) to allow users to use their Windows credentials to log in to AIX servers. I don't have them defined locally. In my /etc/passwd I only have the application accounts. When I tried to assign a role to a QAS user it didn't work. It seems that RBAC only works with local users. Has anyone out there successfully configured RBAC for non-local users?
After creating a local user, in order to proceed with my tests, I found that RBAC can be used to define which command a user can run but not the flags passed to this command. As an example, I can mention the su command. In my sudo configuration I have profiles where I strictly define which account a given user can su to. I was not able to do that with RBAC. I did assign a role that lets my user run the su command, but that is it. I cannot control whether the su command is going to be used to su to root or to su to my application account. Did I miss something here? Has someone successfully defined which flags should be used with each command using RBAC?
Another point where I got really disappointed with RBAC was logging. It provides very little logging. You can see that a user uses swrole to switch to a role, but you have no idea what commands in that role were executed. Again, did I miss something here?
Can I hear your opinion about RBAC and sudo?
I will stay with sudo for the time being though.
Thank you in advance
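The per-account su restriction the post describes, as an added sudoers example that is not from the original post (the group name appadm and the account appuser are placeholder values), shown beside the broad grant it replaces:

```sudoers
# Constructed example, not from the original post.
# Weak form: granting su itself allows any target, including root.
# %appadm  ALL = (root) /usr/bin/su

# Restricted form: match su only with the exact arguments for the
# application account. Any other argument set (e.g. "su -" or "su root")
# does not match and is refused.
Cmnd_Alias SU_APPUSER = /usr/bin/su - appuser, /usr/bin/su appuser

# Members of the appadm group may run only the two exact su invocations above.
%appadm  ALL = (root) SU_APPUSER

# Each accepted or rejected invocation is logged with the full command line,
# which gives the per-command trail the post finds missing from swrole.
Defaults syslog=authpriv
Defaults log_input, log_output
```

Edit the file only through visudo so a syntax error cannot lock out administrators; an allowlist of exact argument forms is preferable to `!` negations, which sudo does not guarantee to be unbypassable.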