Operating System - HP-UX

Command Permission Matrix

 
Joanne Keegan
Regular Advisor

Command Permission Matrix

Hi Everyone,

This may appear to be a strange thing to ask, but I am working on a security review project and am building a Sys Admin task matrix, listing the type of tasks that are done, and the lowest level of access that is required. For example, a user within the user group may be able to execute the bdf command, but not reboot the system. I have looked for documentation on this, but haven't found anything.

Does anyone have such a matrix and is willing to share it? It'll save me a lot of time - instead of having to check permissions/ownership for each task.

I do award points! And will definitely be appreciative of any help.

With Regards,

Jo
Sridhar Bhaskarla
Honored Contributor

Re: Command Permission Matrix

By default you can't create groups that can do only a certain number of 'root' tasks.

There is software formerly called SEOS, now called e-Trust, by Computer Associates that can be used to specify the way we control access. For example, the bdf command may be executed by one ordinary user, not "root"!!! Reboot can be performed by a security administrator but not a super user. Also we can restrict the permissions on different files for different users. In fact, SEOS intercepts certain system calls and reacts based on a set of rules that are customizable. I guess it may help you a lot.

Is this what you are asking?

-Sridhar
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: Command Permission Matrix

Joe,

I am jealous of NT in this particular aspect. We don't have groups like powerusers, backup administrators in HP by default unfortunately.
It could either be super users or ordinary users. However, you can still do it by setting setuid bits, but that is not advisable and will introduce more security risks. You gotta do a lot of work. Try out the above software.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Michael Tully
Honored Contributor

Re: Command Permission Matrix

Hi,

If you hadn't already thought of it, perhaps the 'sudo' tool will be able to do this.

Here are the links:

Source
http://www.courtesan.com/sudo/

Execs:
http://hpux.connect.org.uk/

HTH
-Michael
Anyone for a Mutiny ?
Animesh Chakraborty
Honored Contributor

Re: Command Permission Matrix

Hi,
You may consider using the rsh shell. Restricted version of the POSIX or Bourne shell command interpreter. Sets up a login name and execution environment whose capabilities are more controlled (restricted) than normal user shells.

You can define what are the commands a user can use in his/her home directory.

Thanks
Animesh
Did you take a backup?
Santosh Nair_1
Honored Contributor
Solution

Re: Command Permission Matrix

I think what Joanne is asking for is a list of commands that an operator would use normally and the lowest access level that they would need in order to use the command. For example, fuser and swapinfo can only be executed by root by default, so you would need root privs to run those commands (I know there are ways around this but this is just an example).

Joanne, most commands can be run with a non-root account for read-only access. But things that modify the system, such as the lvcreate, pvcreate, ifconfig, etc. need root access. I've never come across a comprehensive list of these commands and their associated access levels though.

-Santosh
Life is what's happening while you're busy making other plans
Wodisch
Honored Contributor

Re: Command Permission Matrix

Hello Joanne,

this is a rather interesting but perhaps a little "doomed" task you have...

The reason is (in my opinion), that you could modify a lot of the configuration to permit "least privileges", but then you are completely *different* from the main-stream HPUX, and perhaps even not supported, any longer. E.g. you could modify the ACL for "swinstall" in a way that a plain user could install and remove software, but the HPRC will be lost on any problem then, as they will not even think about someone doing this...

Same for group-permissions instead of SUID, file- and directory- permissions, and such. All this IS needed, but *we* (who do this) are kind of "left on our own", then :-(

Still, we might get such a list over time and effort from all of us (I do not expect much in that direction from hp, as that would have a dramatic cost impact on their products, their quality testing, and all - everything they would have to change then).

Just my €0.02,
Wodisch
Joanne Keegan
Regular Advisor

Re: Command Permission Matrix

Thank-you to all that replied to my question. From what you have said, it confirms what I thought - unfortunately.

Michael - I am looking at sudo. I will check out the sites you mentioned to ensure I have the latest version.

Santosh & Wodisch - Thank-you for your help. I agree with what you both wrote.

I have been working on a task matrix and by doing this, it is evident that it is not a simple job. If anyone is interested in what I come up with, let me know (joanne.keegan@nzdf.mil.nz), and I'll post it for comments/refinement, etc.

I do not intend to change the system to a state where it is no longer "mainstream" HPUX and unsupportable.

Regards,

Jo
Jerrie Womeldorf
Occasional Advisor

Re: Command Permission Matrix

On Solaris there is a set of commands you can use with the sudo option, these are groups you can set up for certain users.
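
One way to collect the permission/ownership columns asked about in the original question, as an added example that was not posted by anyone in this thread: a POSIX sh script that reads `ls -ld` for each command path and reports the lowest access class with an execute bit, plus any set-id bit. The function names and the `|`-separated row format are assumptions; the mode bits only show who can start the binary, not whether the command then needs root to do its work.

```shell
#!/bin/sh
# Added example: one permission-matrix row per command path, read from `ls -ld`.
# Row format (an assumption): path|owner|group|mode|who-can-execute|set-id

matrix_row() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path|-|-|-|missing|-"
        return 0
    fi
    ls -ld "$path" | {
        read -r mode links owner group rest
        mode=$(printf '%.10s' "$mode")      # drop any trailing ACL marker (+ or .)
        # Lowest access class whose execute bit is set: other, then group, then owner.
        case $mode in
            ?????????[xt]) who="any user" ;;
            ??????[xs]???) who="group $group" ;;
            ???[xs]??????) who="owner $owner" ;;
            *)             who="nobody" ;;
        esac
        # s/S in the owner or group execute slot marks a set-id program.
        setid=none
        case $mode in ???[sS]??????) setid=setuid ;; esac
        case $mode in
            ??????[sS]???) [ "$setid" = setuid ] && setid=setuid+setgid || setid=setgid ;;
        esac
        echo "$path|$owner|$group|$mode|$who|$setid"
    }
}

build_matrix() {
    echo "command|owner|group|mode|who-can-execute|set-id"
    for cmd in "$@"; do
        matrix_row "$cmd"
    done
}

# Usage: sh matrix.sh /usr/bin/bdf /usr/sbin/reboot   (paths are illustrative)
if [ "$#" -gt 0 ]; then
    build_matrix "$@"
fi
```

Rows marked `setuid` with owner root are the ones to review first, since they run with root privileges for whoever is allowed to execute them.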