topic Re: RBAC question in Operating System - HP-UX

RBAC question

Records Management — Fri, 15 Oct 2010 17:14:42 GMT

I'm trying to set up an authorization within RBAC that would allow a user to delete files within a specific directory that he doesn't own.

I can make it work if I just remove the directory itself. But it fails if I have the associated command as follows:

/usr/bin/rm /var/test/bscan2/*

As soon as it tries to run the command, it expands the "*". Then it fails as the command line is no longer a match for the original command.

$ privrun -v /usr/bin/rm /var/test/bscan2/*
privrun: user vendor intends to execute command /usr/bin/rm
privrun: input entry: '/usr/bin/rm:/var/test/bscan2/test :(,):///:dflt:dflt::'
privrun: no matching cmd found in cmd_priv database

I have a feeling that it will not work with the wildcard. Am I right, or am I setting it up wrong?

Re: RBAC question

Viktor Balogh — Sat, 16 Oct 2010 11:30:08 GMT

Hi,

You could make an RBAC for the command "chown -R dirname". After that, with a succesful chown operation the user could delete the files as his own files. Call it as a workaround, I think this should work as chown -R doesn't require wildcards.

Regards,
Viktor

Re: RBAC question

VK2COT — Mon, 18 Oct 2010 20:52:22 GMT

Hello,

Show us the results of the following commands:

# authadm list

# roleadm list

# rbacdbchk

Be aware that when assigning an authorization
that contains the asterisk â *â character, you
must surround the wildcard character with
quotes to prevent shell interpretation.

The operations specified in /etc/rbac/auths
file must be fully-qualified and cannot use
wildcards. But, the objects can be be
specified with a wildcard using the asterisk
character (*). Authorizations that contain
wildcard operations are validated using a
match operation. At least one operation must
match the wildcard to assign the
authorization to the role.

Cheers,

VK2COT