ITEM: BG6805L

How to Permit Access to SNA Commands to a non-root, non-system USER



THE PROBLEM:

User is getting error 0513-019 when he tries to start the sna
subsystem as a non-root user.  System informs him that he must be root or 
member of group 'system' for this to work.  He wants the non-root person
charged with SNA administration to have access to the sna set of commands:
starting and stopping the subsystem,  link stations, and sessions; 
viewing the status of sna; starting and stopping traces, formatting them, 
and the like.  By default these commands, with the exception of 
formatting traces and logs and viewing the status of SNA, are available 
only to 'root' or a member of the 'system' group. Customer wants to permit 
access to the SNA commands but not the more wide-ranging capabilities 
associated with 'root' or 'system'.  Is there a way to grant root-like 
access to this person ONLY for the SNA functions?

This is basically an AIX security issue, not an AIXSNA issue.
Please see InfoExplorer for details on the commands mentioned below.
Please read "System Security Guidelines" in InfoExplorer before 
making any of the changes mentioned below.

BACKGROUND INFO:
----------------

All of the SNA commands to manipulate the sna subsystem are in /usr/bin.

# cd /usr/bin
# ls *sna*

chsnaobj        lssnaobj        rmsnapw         snaca_dlu.cfg   snasub
chsnapw         migratesna      sna             snacomp         verifysna
exportsna       mksnaobj        sna3270lu       snaevent        xsna
gensnakey       mksnapw         sna_command     snaformat
helpsnaobj      qrysnaobj       sna_display     snagwlus
importsna       rmsnaobj        snaca_5250.cfg  snalu0lus

You could create a new group (maybe aixsna), make the aixsna administrator
a member of this group and then change group ownership of the various
sna commands to 'aixsna'.  Note that 'system' group members would
no longer be able to issue these commands.

You could allow a non-root, non-system user to execute any command
by changing the executable permission for the "other" users of that command
with the chmod command, but this would apply to all other users.

You could allow a person who is not root or a member of the system group
to use these commands by setting the set-user-ID (setuid) bit, often loosely
called the 'sticky bit'.  This can be done if root does the following:

   # cd /usr/bin
   # chmod u+s *sna*

This effectively allows 'other' users to execute these commands 'as if'
they were root.   The permissions previously restricted to the root 
user will now be available to all other users for these commands. 

If you just want permission to start and stop the subsystem, links,
and sessions, then you need only set the permissions to files 'sna'
and 'sna_command'.  File 'sna' is a script that takes as arguments
flags which are interpreted by sna_command to perform the required
function. 

Either option allows the 'aixsna administrator' to do sna commands.

The corresponding smit commands will also be accessible to the user
by making these changes.  If all the commands were permitted, everything
in smit would be available to this user.

One potential problem with this relates to allowing *anyone*
to execute SNA commands.  If you change the group ownership from 
system to, say aixsna (i.e defined a group called 'aixsna'), add the SNA 
Administrator to this group, and then change the permissions to grant 
setuid capability, it will NOT work without additional changes 
(described below).  

The Group ID of this newly added group will NOT be Zero, since the System
group is assigned this group id by default. Also, TWO GROUPS CANNOT
SHARE THE SAME GROUP ID.  If the sna commands above were assigned
group ownership of aixsna 
   # chgrp aixsna *sna*
and this group id WAS set to zero, a member of the sna group would be 
able to perform SNA commands,  but this effectively makes 'aixsna' group 
the defacto 'system' group for all AIX functions and commands.
If this aixsna group does not have group id of zero,
the following error will occur:
 0513-019: System Resource Controller requires that you be
running as root or be part of the group system

SOLUTION:
----------
When you run sna commands, the System Resource Controller looks at the uid
and gid of the caller; unless at least one of them is 0, the command will
not run.

If the command is looking at the EFFECTIVE uid, you can try this:

   # chmod 4750 sna            (set suid root)
   # chmod 4750 sna_command
   # ls -l sna sna_command

This also removes all permissions for 'others':
-rwsr-x---   1 root     system      1200 Aug 21 1774  sna
-rwsr-x---   1 root     system    571954 Aug 21 1774  sna_command

Then run acledit on these two files to turn extended permissions on and
permit the group you want to execute them. The ACL file looks like:

BEFORE MODIFICATION:
--------------------
attributes: SUID SGID
base permissions
    owner(root):  rwx
    group(sna):  r-x
    others:  r-x
extended permissions
    disabled

AFTER MODIFICATION:
-------------------
attributes: SUID
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  ---

extended permissions
    enabled
    permit   r-x     g:groupname 

Note that you can use u:user instead if you do not wish to define a group.

You will have to do this for both files.  If you want ALL of the 
sna commands mentioned above permitted to this user, perform the
above step for all of those files.

You can test this by logging in as an ordinary user and then doing
   # su - user
(where 'user' is a member of the aixsna group).
Then try running the sna command. You must set the permissions
on sna_command as well before you try it.

If both sna and sna_command have permissions of 4750 and extended permissions
enabled for the user or group, that user will be able to manipulate the
aixsna subsystem.
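The lockdown described in the SOLUTION section, together with a check for the
over-broad result of 'chmod u+s *sna*' warned about in BACKGROUND INFO, as an
added POSIX shell example (not part of the original support note). It assumes
that AIX aclput reads an ACL from standard input when -i is not given; the
function names (sna_acl_spec, restrict_sna_cmd, audit_world_setuid) and the
group name aixsna are the example's own choices.

```shell
#!/bin/sh
# Added example: restrict the sna wrappers to one group via setuid root plus
# an AIX extended ACL, and audit for setuid files that anyone can execute.
# Assumption: aclput reads the ACL text from standard input (no -i flag).

# Emit the ACL text for aclput, in the "AFTER MODIFICATION" layout of the
# note: SUID attribute, no base access for others, r-x for one principal.
# $1 is the principal, e.g. g:aixsna or u:snaadmin.
sna_acl_spec() {
    cat <<EOF
attributes: SUID
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  ---
extended permissions
    enabled
    permit   r-x     $1
EOF
}

# Return the 10-character mode string of a file exactly as ls -l prints it.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Lock down one command: owner root, group system, mode 4750 (setuid root,
# group r-x, nothing for others), then grant r-x to the principal via ACL.
# Must be run as root; intended for /usr/bin/sna and /usr/bin/sna_command.
restrict_sna_cmd() {
    f=$1
    principal=$2
    chown root "$f"
    chgrp system "$f"
    chmod 4750 "$f"
    sna_acl_spec "$principal" | aclput "$f"
}

# True when a file carries the mode the note's ls -l output shows (4750).
check_locked_down() {
    [ "$(mode_of "$1")" = "-rwsr-x---" ]
}

# List regular files under a directory that are BOTH setuid AND executable by
# others: every login on the machine can run these as root, which is what a
# blanket 'chmod u+s *sna*' with others still at r-x produces.
audit_world_setuid() {
    find "$1" -type f -perm -4001 -print
}

# Usage (as root, on AIX):
#   restrict_sna_cmd /usr/bin/sna g:aixsna
#   restrict_sna_cmd /usr/bin/sna_command g:aixsna
#   check_locked_down /usr/bin/sna && echo "sna locked down"
#   audit_world_setuid /usr/bin        # should list no sna commands
```

Running audit_world_setuid after the change is the useful follow-up: an empty
listing for /usr/bin confirms that no sna command is runnable as root by
arbitrary users, while any path it prints is a candidate for the same 4750
plus ACL treatment.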
 ...
You can also use chown (change owner) or chgrp (change group) on any
file or executable.  The id command will return user id and group id
information for any AIX user.
Please read "System Security Guidelines" in InfoExplorer.
...
Of course simply adding the aixsna administrator to the "system" group is
the simplest way to allow that person to issue aixsna commands.
...


Support Line: How to Permit Access to SNA Commands to a non-root, non-system USER ITEM: BG6805L
Dated: May 1996 Category: N/A