topic Re: Command Permission Matrix in Operating System - HP-UX

Command Permission Matrix

Joanne Keegan — Thu, 11 Oct 2001 00:55:31 GMT

Hi Everyone,

This may appear to be a strange thing to ask, but I am working on a security review project and am building a Sys Admin task matrix, listing the type of tasks that are done, and the lowest level of access that is required. For example, a user within the user group may be able to execute the bdf command, but not reboot the system. I have looked for documentation on this, but haven't found anything.

Does anyone have such a matrix and are willing to share it? It'll save me alot of time - instead of having to check permissions/ownership for each task.

I do award points! And will definitely be appreciative of any help.

With Regards,

Jo

Re: Command Permission Matrix

Sridhar Bhaskarla — Thu, 11 Oct 2001 01:03:09 GMT

By default you can't create groups that can do only a certain number of 'root' tasks.

There is a software called SEOS before but now called e-Trust by Computer Associates that can be used to specify the way we control the accesses. For ex., bdf command may be exexuted by one ordinary user not "root". !!! Reboot can be performed by a security administrator but not a super user. Also we can restrict the permissions on different files for different user. In fact, SEOS intercepts certain system calls and reacts based on a set of rules that are customizable. I guess it may help you lot.

Is this what you are asking?

-Sridhar

Re: Command Permission Matrix

Sridhar Bhaskarla — Thu, 11 Oct 2001 01:07:06 GMT

Joe,

I am jealous of NT in this particular aspect. We don't have groups like powerusers, backup administrators in HP by default unfortunately.
It could either be super users or ordinary users. However, you can still do it by setting setuid bits, but that is not advisable and will introduce more security risks. You gotta to a lot of work. Try out the above software.

-Sri

Re: Command Permission Matrix

Michael Tully — Thu, 11 Oct 2001 01:27:12 GMT

Hi,

If you already hadn't thought of it perhaps the 'sudo' tool will able to do this.

Here are the links:

Source
http://www.courtesan.com/sudo/

Execs:
http://hpux.connect.org.uk/

HTH
-Michael

Re: Command Permission Matrix

Animesh Chakraborty — Thu, 11 Oct 2001 02:05:33 GMT

Hi,
Yoy may consider using rsh shell.Restricted version of the POSIX or Bourne shell command
interpreter. Sets up a login name and execution
environment whose capabilities are more controlled
(restricted) than normal user shells.

You can define what are the commands a user can use in his/her home directory.

Thanks
Animesh

Re: Command Permission Matrix

Santosh Nair_1 — Thu, 11 Oct 2001 07:56:16 GMT

I think what Joanne is asking for is a list of commands that an operator would use normally and the lowest access level that they would need in order to use the command. For example, fuser and swapinfo can only be executed by root by default, so you would need root privs to run those commands (I know there are ways around this but this just an example).

Joanne, most commands can be run with a non-root account for read-only access. But things that modify the system, such as the lvcreate, pvcreate, ifconfig, etc. need root access. I've never come across a comprehensive list of these commands and their associated access levels though.

-Santosh

Re: Command Permission Matrix

Wodisch — Thu, 11 Oct 2001 08:17:24 GMT

Hello Joanne,

this is a rather interesting but perhaps a
little "doomed" task you have...
The reason is (in my opinion), that you could
modify a lot of the configuratio to permit
"least privileges", but then you are completly
*different* from the main-stream HPUX, and
perhaps even not supported, any longer. E.g.
you could modify the ACL for "swinstall" in a
way that a plain user could install and remove
software, but the HPRC will be lost on any
problem then, as they will not even think about
someone doing this...
Same for group-permissions instead of SUID,
file- and directory- permissions, and such.
All this IS needed, but *we* (who do this) are
kind of "left on our own", then :-(
Still, we might get such a list over time and
effort from all of us (I do not expect much in
that direction from hp, as that would have a
dramatic kost impact on their products, their
quality testing, and all - everything they
would have to change then).

Just my ?0.02,
Wodisch

Re: Command Permission Matrix

Joanne Keegan — Thu, 11 Oct 2001 18:15:26 GMT

Thank-you to all that replied to my question. From what you have said, it confirms what I thought - unfortunately.

Michael - I am looking at sudo. I will check out the sites you mentioned to ensure I have the latest version.

Santosh & Wodisch - Thank-you for your help. I agree with what you both wrote.

I have been working on a task matrix and by doing this, it is evident that it is not a simple job. If anyone is interested in what I come up with, let me know (joanne.keegan@nzdf.mil.nz), and I'll post it for comments/refinement, etc.

I do not intend to change the system to a state where it is no longer "mainstream" HPUX and unsupportable.

Regards,

Jo

Re: Command Permission Matrix

Jerrie Womeldorf — Tue, 06 Nov 2001 04:46:19 GMT

On Solaris the is a set of commands you can use with the sudo option, these are groups you can set up for certain users.