ITEM: BG6805L

How to Permit Access to SNA Commands to a non-root, non-system USER

THE PROBLEM:

User is getting error 0513-019 when he tries to start the sna
subsystem as a non-root user. System informs him that he must be root or
member of group 'system' for this to work. He wants the non-root person
charged with SNA administration to have access to the sna set of commands:
starting and stopping the subsystem, link stations, and sessions;
viewing the status of sna; starting and stopping traces, formatting them,
and the like. By default these commands, with the exception of
formatting traces and logs and viewing the status of SNA, are available
only to 'root' or a member of the 'system' group. Customer wants to permit
access to the SNA commands but not the more wide-ranging capabilities
associated with 'root' or 'system'. Is there a way to grant root-like
access to this person ONLY for the SNA functions?

This is basically an AIX security issue, not an AIXSNA issue.
Please see InfoExplorer for details on the commands mentioned below.
Please read "System Security Guidelines" in InfoExplorer before
making any of the changes mentioned below.

BACKGROUND INFO:
----------------

All of the SNA commands to manipulate the sna subsystem are in/usr/bin.

\# cd /usr/bin
\# ls *sna*

chsnaobj lssnaobj rmsnapw snaca_dlu.cfg snasub
chsnapw migratesna sna snacomp verifysna
exportsna mksnaobj sna3270lu snaevent xsna
gensnakey mksnapw sna_command snaformat
helpsnaobj qrysnaobj sna_display snagwlus
importsna rmsnaobj snaca_5250.cfg snalu0lus

You could create a new group (maybe aixsna), make the aixsna admin
a member or this group and then change group ownership of the various
sna commands to 'aixsna'. Note that 'system' group members would
no longer be able to issue these commands.

You could allow a non-root, not-system, user to execute any command
by changing executable permission for the "other" users of that command
with the chmod command but this would apply to all other users.

You could allow a person who is not root or a member of the system group
to use these commands by setting the 'sticky bit'. This can be
done if root does the following:

\# cd /usr/bin
\# chmod u+s *sna*

This effectively allows 'other' users to execute these commands 'as if'
they were root. The permissions previously restricted to the root
user will now be available to all other users for these commands.

If you just want permission to start and stop the subsystem, links,
and sessions, then you need only set the permissions to files 'sna'
and 'sna_command'. File 'sna' is a script that takes as arguments
flags which are interpreted by sna_command to perform the required
function.

Either option allows the 'aixsna administrator' to do sna commands.

The corresponding smit commands will also be accessible to the user
by making these changes. If all the commands were permitted, everything
in smit would be available to this user.

One potential problem with this relates to allowing *anyone*
to execute SNA commands. If you change the group ownership from
system to, say aixsna (i.e defined a group called 'aixsna'), add the SNA
Administrator to this group, and then change the permissions to grant
setuid capability, it will NOT work without additional changes
(described below).

The Group ID of this newly added group will NOT be Zero, since the System
group is assigned this group id by default. Also, TWO GROUPS CANNOT
SHARE THE SAME GROUP ID. If the sna commands above were assigned
group ownership of aixsna
\# chgrp aixsna *sna*
and this group id WAS set to zero, a member of the sna group would be
able to perform SNA commands, but this effectively makes 'aixsna' group
the defacto 'system' group for all AIX functions and commands.
If this aixsna group does not have group id of zero,
the following error will occur:
0513-019: System Resource Controller requires that you be
running as root or be part of the group system

SOLUTION:
----------
When you run sna commands, the system look at the uid and gid and if
at least one is not 0, they will not run.

If the command is looking at the EFFECTIVE uid, you can try this:

\# chmod 4750 sna (set suid root)
\# chmod 4750 sna_command
\# ls -l sna sna_command

This also disables permissions for others
-rwsr-x--- 1 root system 1200 Aug 21 1774 sna.
-rwsr-x--- 1 root system 571954 Aug 21 1774 sna_command

Then do an acledit on these two file to set extented permissions on, and
permit the group you want to execute. The aclfile looks like:

BEFORE MODIFICATION:
--------------------
attributes: SUID SGID
base permissions
owner(root): rwx
group(sna): r-x
others: r-x
extended permissions
disabled

AFTER MODIFICATION:
------------------
attributes: SUID
base permissions
owner(root): rwx
group(system): r-x
others: ---

extended permissions
enabled
permit r-x g:groupname

Note you can do u:user if you do not wish to define a group.

You will have to do this for both files. If you want ALL of the
sna commands mentioned above permitted to this user, perform the
above step for all of those files.

You can test this by logging in as an ordinary user and the doing
\# su - user
(where 'user is member of the aixsna group).
Then try running the sna command. You must set the permissions
on the sna_commands as well before you try it.

If both sna and sna_command have perms of 4750 and externded permissions
enabled for the user or group, that user will be able to manipulate the
aixsna subsystem.
...
You can also use chown (change owner) or chgrp (change group) on any
file or executable. The id command will return user id and group id
information for any AIX user.
Please read "System Security Guidelines" in InfoExplorer.
...
Of course simply adding the aixsna administrator to the "system" group is
the simplest way to allow that person to issue aixsna commands.
...

Support Line: How to Permit Access to SNA Commands to a non-root, non-system USER ITEM: BG6805L

Dated: May 1996 Category: N/A

This HTML file was generated 99/06/24~13:30:22

Comments or suggestions?
Contact us