Re: Command Permission Matrix
10-10-2001 05:55 PM
This may appear to be a strange thing to ask, but I am working on a security review project and am building a Sys Admin task matrix, listing the type of tasks that are done, and the lowest level of access that is required. For example, a user within the user group may be able to execute the bdf command, but not reboot the system. I have looked for documentation on this, but haven't found anything.
Does anyone have such a matrix and is willing to share it? It'll save me a lot of time - instead of having to check permissions/ownership for each task.
I do award points! And will definitely be appreciative of any help.
With Regards,
Jo
10-10-2001 06:03 PM
Re: Command Permission Matrix
There is software, formerly called SEOS but now called e-Trust, by Computer Associates that can be used to specify the way we control access. For example, the bdf command may be executed by an ordinary user, not "root"!!! Reboot can be performed by a security administrator but not a super user. Also, we can restrict the permissions on different files for different users. In fact, SEOS intercepts certain system calls and reacts based on a set of rules that are customizable. I guess it may help you a lot.
Is this what you are asking?
-Sridhar
10-10-2001 06:07 PM
Re: Command Permission Matrix
I am jealous of NT in this particular aspect. We don't have groups like powerusers, backup administrators in HP by default unfortunately.
It could either be super users or ordinary users. However, you can still do it by setting setuid bits, but that is not advisable and will introduce more security risks. You gotta do a lot of work. Try out the above software.
-Sri
10-10-2001 06:27 PM
Re: Command Permission Matrix
If you hadn't already thought of it, perhaps the 'sudo' tool will be able to do this.
Here are the links:
Source
http://www.courtesan.com/sudo/
Execs:
http://hpux.connect.org.uk/
HTH
-Michael
10-10-2001 07:05 PM
Re: Command Permission Matrix
You may consider using rsh shell. Restricted version of the POSIX or Bourne shell command interpreter. Sets up a login name and execution environment whose capabilities are more controlled (restricted) than normal user shells.
You can define what commands a user can use in his/her home directory.
Thanks
Animesh
10-11-2001 12:56 AM
Solution
Joanne, most commands can be run with a non-root account for read-only access. But things that modify the system, such as lvcreate, pvcreate, ifconfig, etc., need root access. I've never come across a comprehensive list of these commands and their associated access levels though.
-Santosh
10-11-2001 01:17 AM
Re: Command Permission Matrix
This is a rather interesting but perhaps a little "doomed" task you have...
The reason is (in my opinion) that you could modify a lot of the configuration to permit "least privileges", but then you are completely *different* from the main-stream HPUX, and perhaps not even supported any longer. E.g. you could modify the ACL for "swinstall" in a way that a plain user could install and remove software, but the HPRC will be lost on any problem then, as they will not even think about someone doing this...
Same for group permissions instead of SUID, file and directory permissions, and such. All this IS needed, but *we* (who do this) are kind of "left on our own", then :-(
Still, we might get such a list over time and effort from all of us (I do not expect much in that direction from hp, as that would have a dramatic cost impact on their products, their quality testing, and all - everything they would have to change then).
Just my ?0.02,
Wodisch
10-11-2001 11:15 AM
Re: Command Permission Matrix
Michael - I am looking at sudo. I will check out the sites you mentioned to ensure I have the latest version.
Santosh & Wodisch - Thank you for your help. I agree with what you both wrote.
I have been working on a task matrix and by doing this, it is evident that it is not a simple job. If anyone is interested in what I come up with, let me know (joanne.keegan@nzdf.mil.nz), and I'll post it for comments/refinement, etc.
I do not intend to change the system to a state where it is no longer "mainstream" HPUX and unsupportable.
Regards,
Jo
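A first pass at the permission/ownership check discussed in this thread, as an added example that is not from any of the posters: it records owner, group, mode, world-execute and setuid/setgid status for each command in a list. The function names and the row format are assumptions made for this sketch, and it captures file metadata only, so the commands that anyone can run but that still need root to modify the system (as noted in the reply above) have to be marked in the matrix by hand.

```shell
#!/bin/sh
# Added example: first-pass command permission matrix from file metadata.
# Only `ls -ld` is parsed, so no particular stat(1) variant is required.

# matrix_row FILE -> "path|mode|owner|group|other_exec|setid"
matrix_row() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f|missing|-|-|-|-"
        return 0
    fi
    set -- $(ls -ld "$f")            # $1=mode  $3=owner  $4=group
    mode=$1 owner=$3 group=$4
    # Character 10 of the mode string is the execute slot for "other".
    case $mode in
        ?????????[xt]*) other_exec=yes ;;
        *)              other_exec=no ;;
    esac
    # 's' or 'S' in the owner/group execute slot marks setuid/setgid.
    setid=none
    case $mode in ???[sS]*) setid=setuid ;; esac
    case $mode in
        ??????[sS]*)
            if [ "$setid" = setuid ]; then setid=setuid+setgid
            else setid=setgid; fi ;;
    esac
    echo "$f|$mode|$owner|$group|$other_exec|$setid"
}

# build_matrix DIRLIST CMD...
# Look each command up in the colon-separated DIRLIST, print one row each.
build_matrix() {
    dirs=$1; shift
    for cmd in "$@"; do
        found=
        old_ifs=$IFS; IFS=:
        for d in $dirs; do
            if [ -f "$d/$cmd" ]; then found=$d/$cmd; break; fi
        done
        IFS=$old_ifs
        matrix_row "${found:-$cmd}"
    done
}
```

Call it as `build_matrix /usr/bin:/usr/sbin:/sbin bdf reboot lvcreate` (directory list and command names chosen for illustration) and load the `|`-separated rows into the task matrix.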
11-05-2001 08:46 PM